The attacks on the Sony PlayStation Network, which potentially compromised 70m users’ personal details and credit cards, show that even the most tech-aware companies are potential victims of cyber attack.
The immediate popular response was to question Sony’s security systems and procedures, with concerns rightly raised about customer identity theft. The UK’s Information Commissioner has started an investigation and, if Sony’s security is found wanting, could impose significant fines; this could potentially also be followed by civil claims.
Once again, this attack shows that in today’s environment, where organisations are increasingly linked to cyberspace, hacking attacks are more than just a security and technology issue. Organisations across industries are facing multiple simultaneous attacks from different directions: hacking, denial of service, media campaigns, online protests, patent claims, demonstrations, consumer boycotts and unhappy employees acting as an insider threat.
A new way of planning and responding in this environment is required, so what can leaders do to reduce their risks?
The rules of the game have changed
Leaders now have minutes and hours rather than days to make decisions and respond to a cyber incident. Their teams need to be prepared to respond in a joint way that does not waste their limited time. To maximise time available, joint planning is necessary, bringing together technical and business units to consider options, prepare responses and rehearse actions before they are needed. The military has been using this approach successfully in recent conflicts to combine cyber and military power, and it is a technique that industry leaders can learn from, whether they are starting a new business initiative or considering contingency responses.
A good joint action plan focuses leadership on keeping the business thriving in times of disruption, not just surviving an attack
Multiple threats require multiple responses, but good leaders combine those responses into a greater whole. Unless coached and led to perform differently, individual business areas will act in their own best interests during a crisis, and only consider the wider business when things are calmer.
In 2009, a US manufacturer fell victim to a sophisticated hacking attack that sought to extract key data. Even after detection, data continued to be extracted. Eventually, the decision was made to switch off critical systems, but because the request was unexpected, approval for the switch-off took time to obtain, even though data continued to be lost. Good preparation and leadership can ensure that business units are prepared and ready to work together and thrive together during the unexpected.
Leaders and their teams must continually share lessons and concerns to act jointly
Lessons are not just relevant to individual business units. A technical defence that constantly updates its security must collaborate with the business teams to minimise user disruption. The aggressive pursuit of attackers requires good system administration, forensic capture during an attack and a legal response prepared in advance. Taking an intelligence-led approach to security, where attacks are pre-emptively identified, will require careful media handling if adopted or discovered. Each department has to share its ideas in advance to prevent surprises from undermining another’s carefully built plans. Importantly, organisations need to keep their defences agile. Drawing on the military concept that a moving target is much harder to hit, a dynamic defence, where components of the IT architecture are regularly changed, denies an attacker both time and certainty in their attempts to penetrate a system.
The impact of a cyber event is not only the cost and inconvenience of restoring or rebuilding the system or service. An organisation’s reputation can be diminished, customer trust destroyed and revenue jeopardised. Leaders can develop an effective strategy by introducing joint planning, maintaining focus on the business objectives, ensuring that their teams act together and creating an agile defence.