Picture a scenario where a nation’s patient records are locked out in a ransomware attack. Operations are cancelled. The public, already critical of their government, begin a series of strikes. But your back office is based in that country, and now it grinds to a halt. Invoices are not processed, and you have a cashflow crisis.
The health system’s problem has morphed into a social problem – and also one for your organization. In an interconnected world, business leaders must look at risk holistically and build resilience within their organizations to the impact of a cyber-attack on critical infrastructure.
The Global Risks Report (GRR), published by the World Economic Forum (WEF) in collaboration with leading institutions such as Zurich Insurance Group, identifies cyber-attacks and data fraud/theft as two of the five main risks facing business in terms of perceived likelihood this year. The report also warns that the growing interconnectedness of the world means that what were once distant problems can now escalate and reach our doorsteps extremely quickly.
A frightening example of connectivity lifting cyber risk to a new level occurred in May 2017, when the WannaCry ransomware attack froze 300,000 computers in more than 150 countries. Hospitals and general practices in the UK’s National Health Service (NHS) were impacted: patient records were locked, ultimately leading to the cancellation of 6,900 appointments.
Lori Bailey, Global Head of Cyber Risk, Commercial Insurance at Zurich Insurance Group, calls this a “pivotal point” for cyber-based claims because of its high cost – and the type of claims we might see in the future.
“What made WannaCry so unusual was that it didn’t affect just one industry or one specific size of company; it actually exploited a vulnerability in an operating system that many different companies used,” she says.
Paige H. Adams, Group Chief Information Security Officer, Global Information Security, Zurich Insurance Group, says that increasing cyber dependency globally coupled with the ease of access to sophisticated hacking tools is a dangerous mix.
“This accessibility, combined with the low risk of getting caught or prosecuted for cybercrime activity, results in a low risk/high reward scenario for cybercriminals, which is serving to increase the frequency of these activities. The effectiveness of cyber risk policing is hindered by a lack of international agreements and legal frameworks on global crime,” Adams says.
Although no NHS medical records were compromised by WannaCry, ransomware presents a particular concern to healthcare and financial institutions because of the sheer volume of sensitive personal data they hold. Crucially, the attack highlights how dependent any organization’s operations are on critical infrastructure, and how fragile that infrastructure is.
"The increasing connectivity among objects, systems and people is behind the rise of the cyber-attack."
WannaCry illustrated a growing trend to use cyber-attacks to target critical infrastructure and strategic industrial sectors, raising fears that in a worst-case scenario attackers could trigger a breakdown in the systems that keep societies functioning, according to the GRR.
But despite the media attention on WannaCry and other high-profile cyber incidents in 2017, we didn't see a significant response to these attacks by business leaders or government officials, according to Fred B. Schneider, a professor of computer science at Cornell University who specializes in cybersecurity issues.
"I'm somewhat surprised at how little reaction there has been, in terms of either investment or government facilitating those investments," Schneider says. "On one hand, it looked like a teachable moment, and on the other hand it seems like it didn't have that effect."
As society becomes more dependent on technology, cyber-attacks are more capable of delivering widespread harm, according to Schneider.
"I think we're quite vulnerable," Schneider says. "Although the folks who run the power grid have been talking about issues of cybersecurity, they're way behind relative to what we know about possible attacks and defenses. I think that's a big problem. The air traffic control system, also, is not very robust."
For all types of organization, keeping pace with the "next threat" is getting tougher, according to Adams.
“The pace of technological change in building defenses and resilience mechanisms into many organizations lags behind the increased sophistication of the threat due to costs and time requirements of modernizing often complex, legacy IT systems and networks, combined with an increasingly wider cyber skills gap,” Adams says.
Broader collaboration between private companies and governments could offer a solution. “Cyber Resilience: Playbook for Public-Private Collaboration,” a recent paper published by the WEF and the Boston Consulting Group, proposes a framework to help governments and businesses work together more closely to manage the threats they face.
“A public-private partnership can be particularly helpful in the event of a massive cyber-attack, because the government can actually step in and help companies to respond to events they might not otherwise be equipped to handle,” explains Zurich’s Lori Bailey. But an effective collaboration of this type would entail first establishing clear protocols for what data can be shared between private- and public-sector organizations and how it can be used – and who should be held accountable in the event of a breach.
This type of data-sharing poses a reputational risk, as it can reveal the problems that a business may be experiencing. It also raises a question about control: who should be setting your firm’s cybersecurity strategy in this context?
“The private sector is more resistant to the idea because it doesn’t want to share a lot of information with a third party,” Bailey says. “Firms don’t want another entity telling them what to do or what type of cybersecurity they need.”
However, the trade-off is information flow in both directions, and American and European businesses are coming around to the idea, according to Bailey.
“There’s a greater awareness about these massive cyber incidents – and public-private partnerships are starting to be looked at more closely as a way to increase resilience,” she says.
For Schneider, one of the main goals of public-private partnerships should be creating rewards for companies that develop and use strong cybersecurity measures.
"There needs to be incentives for deploying solutions," Schneider says. "The whole structure that would incentivize people to do the right thing is missing."
Another missing piece that could be filled in by a public-private partnership is education. Schneider points to the US Forest Service's "Smokey Bear" advertising campaign as a successful effort that changed people's behavior and reduced forest fires. A "Smokey Bear" to promote best cybersecurity practices could have a similar effect.
Collaborating with the government is only one aspect of an effective cybersecurity plan, of course. “It’s also about making sure that everyone at every point in your company has an awareness about potential cyber-attacks and vulnerabilities,” she stresses. “Training is, therefore, an important way to increase resilience.”
Sharing best practices more widely could help firms to reinforce their supply chains too, Bailey argues. And technology itself is coming to their aid: the latest artificial intelligence tools are able to detect cyber threats much more quickly than humans can, for example.
Any organization that builds a strong reputation for IT resilience will accumulate goodwill in its market, predicts Bailey, who believes that this will make the firm more attractive as a potential business partner. “It increases confidence around a given entity’s cybersecurity, such that other companies will want to work more with it,” she says. “This can be viewed as a real strength.”
- Broaden your business’ consideration of cyber risk beyond its physical and digital walls. Consider the cascading effect of cyber breaches in an interconnected world; what impact would disruption to critical public infrastructure such as utilities or even the internet have on the running of your organization?
- There are barriers to sharing IT security data and strategies with other organizations, particularly if they’re likely to reach the public domain. Make the move carefully, but don’t lose sight of the potential for public-private collaboration to create a more coherent and robust defense against cyber threats.
- While artificial intelligence and machine learning technology is making great strides in fending off cyber threats, don’t forget people, training, and processes. Robust scenario planning exercises must be undertaken and learned from.
- Ultimately, an organization with a robust cyber strategy will, by definition, be helping its supply chain to be equally strong. This helps do better business – and makes all those organizations more attractive to potential new partners and clients.