This article was first published by Legend Business and is an extract from Managing Cybersecurity Risk: Case Studies and Solutions, edited by Jonathan Reuvid.
Effective cybersecurity is not a new business issue. It has been high on the board agenda of many large companies for some time. There have been enough high profile incidents in recent years to mean that senior leaders are well aware of the risks, and the costs, of any failure to manage them effectively. Yet, too often, that awareness is not translated into a real understanding of the threat they face.
Part of the problem is that cybersecurity is complex; the threats and technology are constantly evolving and business models are always being transformed to meet shifting customer expectations. However, instead of trying to understand that complexity, many organisations look for oversimplified solutions. There is a tendency to take a one-dimensional approach to cybersecurity and assume that the problem is a technical one and so can be solved by technical applications. This is simply not the case. To build truly effective cyber defences requires a whole range of human and organisational responses, alongside the technical ones.
Companies should not assume that because they are spending a lot on cybersecurity products they are well protected. Instead, they should develop more holistic approaches based on a detailed understanding of how their business generates value and how to protect the elements that are critical to success.
Understand the dependencies
Organisations should start by identifying the critical parts of their operations that depend on IT. From corner shops with digital cash registers, to airlines with online check-in and baggage management systems, it is hard to think of any modern organisation that is not highly dependent on IT systems. Yet many of them continue to lack understanding of the risks this brings, or fail to communicate those risks across the organisation.
The starting point of any cybersecurity plan has to be effective identification of risk, and there are plenty of tools available to support this work. Value chain mapping helps commercial organisations identify all the activities necessary to generate revenue, and therefore what needs to be protected. Fault tree analysis is another helpful tool: it works backwards from a worst case scenario to understand how it could have happened. Event tree analysis works the other way round, looking at minor events and their potential consequences.
These relatively simple processes can be used to help identify which functions are critical to what the organisation does and the effect of any failure on that activity. It is important to recognise that each will have a different kind of value to protect. For a supermarket, a failure that results in an inability to process payments at the cash registers would remove their ability to generate revenue and destroy value if it took time to restore the service. In contrast, in an organisation that held sensitive personal data, a lack of availability of the service for a short time would be less damaging than losing the data and compromising customers’ privacy.
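The fault tree approach described above can be made concrete in code. The following is an added worked example, not part of the book extract or any PA Consulting tool: it models a hypothetical supermarket's "checkout cannot take card payments" scenario as a small tree of AND/OR gates over constructed basic events, derives the minimal cut sets (the smallest combinations of failures that cause the top event), flags any single points of failure, and computes the exact probability of the top event by enumerating the states of the independent basic events. The event names and failure probabilities are illustrative assumptions.

```python
"""Fault tree analysis: minimal cut sets, single points of failure and the exact
probability of the top event for a small tree of independent basic events.
Added example with constructed data; not from the original article."""
from itertools import product

# A node is either a basic event name (str) or a gate: ("AND" | "OR", [children]).


def cut_sets(node):
    """Return every cut set: a set of basic events whose joint failure makes the node fail."""
    if isinstance(node, str):
        return [frozenset([node])]
    kind, children = node
    child_sets = [cut_sets(c) for c in children]
    if kind == "OR":
        # Any one child failing is enough, so the cut sets simply accumulate.
        return [cs for sets in child_sets for cs in sets]
    if kind == "AND":
        # Every child must fail, so combine one cut set from each child.
        return [frozenset().union(*combo) for combo in product(*child_sets)]
    raise ValueError(f"unknown gate {kind!r}")


def minimal_cut_sets(node):
    """Drop any cut set that strictly contains another; sort for stable output."""
    sets = set(cut_sets(node))
    minimal = [s for s in sets if not any(other < s for other in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def single_points_of_failure(node):
    """Basic events that on their own bring down the top event (cut sets of size one)."""
    return sorted(next(iter(s)) for s in minimal_cut_sets(node) if len(s) == 1)


def basic_events(node):
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(c) for c in node[1]))


def fails(node, state):
    """Evaluate the tree for one assignment of failed/working to each basic event."""
    if isinstance(node, str):
        return state[node]
    kind, children = node
    results = (fails(c, state) for c in children)
    return any(results) if kind == "OR" else all(results)


def top_event_probability(node, probs):
    """Exact top-event probability by enumerating all 2^n states of the independent
    basic events. Fine for a hand-built tree, and correct even when an event appears
    under more than one gate (where the simple per-gate formulas would be wrong)."""
    events = sorted(basic_events(node))
    total = 0.0
    for outcome in product([False, True], repeat=len(events)):
        state = dict(zip(events, outcome))
        if fails(node, state):
            p = 1.0
            for event, failed in state.items():
                p *= probs[event] if failed else 1 - probs[event]
            total += p
    return total


# Constructed scenario (hypothetical supermarket): checkout cannot take card payments.
CHECKOUT_DOWN = ("OR", [
    "payment_gateway_outage",
    ("AND", ["primary_network_down", "backup_network_down"]),
    ("AND", ["datacentre_power_loss", "ups_fails"]),
])

# Constructed per-year failure probabilities for the basic events (illustrative only).
PROBS = {
    "payment_gateway_outage": 0.01,
    "primary_network_down": 0.05,
    "backup_network_down": 0.10,
    "datacentre_power_loss": 0.02,
    "ups_fails": 0.05,
}

if __name__ == "__main__":
    for cs in minimal_cut_sets(CHECKOUT_DOWN):
        print("cut set:", sorted(cs))
    print("single points of failure:", single_points_of_failure(CHECKOUT_DOWN))
    print(f"P(checkout down) = {top_event_probability(CHECKOUT_DOWN, PROBS):.4f}")
```

The single point of failure list is the part a board would want to see first: in this constructed tree the payment gateway alone can stop revenue, whereas the network and power paths each need two things to go wrong. Adding a redundant gateway would turn that one-element cut set into a two-element one, and rerunning the analysis shows the change in top-event probability.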
Timing also matters. Losing access to HR systems would normally just be inconvenient. However, losing access to payroll data when staff were about to be paid might cause significant problems, reducing employees’ confidence in their employer and causing financial hardship.
Any value chain analysis should also develop an understanding of the interdependencies between the different parts of the organisation. The collapse of British Airways' IT systems in May 2017 is a powerful example of the damage that can be caused by not identifying and reducing interdependencies. An accidental unplugging of the power supply in the data centre brought down the airline's entire online check-in, baggage handling and customer contact systems. This resulted in 700 flights being cancelled and cost BA £80 million, along with significant reputational damage reaching far beyond the 75,000 passengers affected directly. Had they understood the interdependency of these systems, followed industry best practice, and taken action to mitigate the risks, the impact of the problem would have been much less severe.
Mark Barmby is a defence and security expert at PA Consulting Group