Cyber security is rightly a top agenda item for businesses today. Failure to defend adequately against cyberattacks would be negligent to say the least. However, defence on its own is not enough. Dani Michaux, KPMG’s Head of Cyber, points out that cyber resilience, a business’s ability to withstand an attack and continue to serve its customers, is equally if not more important.
“Cyber resilience is a very tricky and tough topic”, she says. “It’s a tough discussion to have in an organisation. People tend to look at technology threats and risks and associated cyber risks as a comparatively new thing, possibly because of the number of large-scale attacks which have happened in the last three years. Even the recent drone attacks on oil installations represent an example of a technological threat.”
These high-profile attacks have led more people to realise just how serious the threat is, she adds. “Black swan events and the once unimaginable one-off events that come as a surprise and have a major impact are not too difficult to imagine any more. They are making people think about how resilient their organisations are both from a cyber and an operational perspective.”
This was traditionally viewed from a business recovery standpoint, but this is changing. “If you look back to the Y2K bug in 2000, organisations asked if they could recover if the worst happened”, Michaux notes. “But it’s not just about recovery anymore. If an event is happening, the organisation has to be able to sustain and continue doing business in a seamless way with their consumers. That’s resilience.”
Indeed, the topic is not confined to the cyber area. “Organisations tend to talk about cyber resilience because so many of the risks they face are related to cyber events”, she explains. “They understand that such events are likely to happen and have to be handled appropriately for all the business to continue. They know that if they are subject to a ransomware attack or large scale targeted attack, they have to be able to continue with the core business and serve customers. In this age consumer expectation is that services are always on and available when needed. It’s all about consumer trust. If they can do this, their cyber resilience level is good. But resilience is broader than just cyber.”
Financial services organisations and regulators around the world are talking about the broader issue of operational resilience, she points out. “Digitalisation is linking organisations along supply chains in different and more complex ways than ever before. They have to think about what happens if a key supplier goes down. What happens if a couple of key suppliers were simultaneously targeted? Do we understand how this would impact our services? We have seen services of global providers being affected globally and unavailability of services impacting business operations. What would happen if a major global cloud provider went down or if a few of their datacentres were attacked? What impact would that have on your ability to continue doing business?”
This requires organisations to rethink their approach to resilience. “They must identify the core business needs, what they really need to have up and running to withstand an attack, and fully understand the supply chain and its role in supporting the business during such event. That means looking at the worst case scenarios and linking them back to the business. What systems can you do without and what can you leave behind? The business doesn’t have to be running at 100 per cent but just enough to serve the customers. Those are the sort of issues executives should be focusing on.”
Theory is fine but practice is much better. Michaux argues that organisations must test their resilience by running simulations and learn from those exercises. “If they don’t do that we will never know how resilient they are until an event actually happens.”
This also helps prevent organisations from falling prey to false assumptions. “When people run large businesses, they tend to forget the amount of assumptions they make. But every single assumption is equal to 10 per cent plan failure. I assume that my supplier will be there, I assume that service level agreements will continue to work, I assume that the attack will not happen at the weekend or at midnight. That’s a lot of assumptions already that can derail any resiliency plan.”
Nothing should be taken for granted. “Have they ever checked those assumptions?” she asks. “Does the plan assume that telecommunications will be available? People can’t imagine that they would ever be without a phone, but it could happen. You can use simulations to prepare for the unexpected. Resilience is about going back and looking at all assumptions. Everything is so interconnected that events in one company can lead to another going down.”
There can also be an over-reliance on large companies for critical services. “In America, they are now beginning to question if some companies haven’t become too large”, Michaux notes. “There is an assumption that companies are so large they can’t fail, but we heard that before in the financial crisis. And who would ever have thought that 6 per cent of the world’s petrol production could be knocked out by a drone attack? No one could imagine that before it happened, but it did.”
She also points to a recent coordinated cyberattack on the State of Texas, where 23 cities and government agencies were disrupted once their systems were held to ransom. “This was hugely disruptive for citizens and certainly did not look good for the government of Texas. People rightly said they should have had plans in place to be able to continue services during such an attack.”
Lessons can be learned from sectors like oil and gas, where human safety is on top of executive agendas. “Assumptions are constantly challenged there. It starts from the proposition that you can’t assume that anything will work in the event of an explosion. For example, they might have procedures in place to pre-book hospital beds for casualties but what happens if the hospital doesn’t have a burns unit? What happens if the ambulances can’t get to the site of the explosion? All of these things have to be planned for in advance.”
That’s the type of culture of resilience which should be in place in all organisations. “It is a question of broad operational resilience, not just of IT systems. The IT department gets the technology up and running and the people involved there will have their own priorities about which should be done first. But the executives in the wider organisation will know what needs to be done to ensure the business continues to operate and serve its customers. That is essential to the plan and the culture – identifying what are the core business processes and functions and then mapping them back to the systems that are vital to the core business and those that are not. No matter what event happens, you have to be able to continue in business while things are getting fixed in the background.”
And that will be critically important to business success in future, Michaux concludes. “We are living in a world where consumer expectations are far higher than ever before. They expect organisations to utilise digital technology to be able to manage multiple suppliers to ensure continuity of service in the event of a cyberattack. They will lose trust in businesses that are not able to do that. There could even be class actions on behalf of customers and citizens affected by such events. That will turn cyber resilience into a shareholder and governance issue.”
This article first appeared in the Irish Examiner and is reproduced here with their kind permission.