by Öykü Işık Published 2 May 2022 in Technology • 6 min read
Executives know that the IT they need for their operations is a double-edged sword. Already in the first months of 2022, two polls tell the story: PwC’s latest CEO Survey found that leaders considered cyber-risks the chief threat to growth; in a separate KPMG study, 77% of senior executives believed that these cyber-risks would grow during 2022.
We can see that business leaders recognize the risk, but they frequently misunderstand it. First, they are unlikely to need to worry about a teenage hacker sitting in a basement probing their systems for vulnerabilities, as in the movie WarGames. The real danger comes from sophisticated criminal gangs taking a multifaceted approach. Think Ocean’s 13, where the thieves’ solution is to create an earthquake rather than break through invincible technological defenses.
A typical ransomware attack shows the extent of cyberattackers’ planning. Before they strike, the fraudsters learn about the target victims in depth. They gain access to information in company systems, often via phishing attacks.
Then, they take their time to study the corporate picture: the amount of money that a company’s resources make it realistic to demand; the maximum pain threshold below which executives are more likely to pay up than to resist; even the extent to which a business’s cyber insurance covers ransomware payouts. Only after this kind of analysis do they launch their endgame.
Second, these gangs do not have to function in isolation, because they can rely on an advanced criminal supply chain. Some organizations specialize in the social engineering aspects of hacking, some in creating back doors, others in creating software to carry out attacks, and others in keeping a database of unresolved security risks that affect major commercial software. And these organizations have access to the same advanced technologies, such as artificial intelligence, as well-financed corporates. Put it all together, and this cyberattack supply chain makes companies’ detection and prevention methods less effective.
The third aspect of cyber-risks that business leaders tend to miss is that physical security and cybersecurity are no longer distinct. For example, if someone enters an office with a badge, that location’s security depends on the recognition software. Similarly, an attacker who gets into a network can create a physical security threat. Every organization has an interface between these two kinds of security.
Faced with such a sophisticated set of threats, what can companies do?
They should start by throwing out the old rule book. The traditional approach is a reactive one that involves building high technological walls around the organization. Over the past decade, it has become clear that once attackers breach that barrier even a single time, and through whatever means, they can do almost whatever they want.
In a world where many employees work from home and use a multitude of connected devices, it no longer makes sense to focus exclusively on an increasingly indistinct perimeter. Proactive security, on the other hand, assumes that a breach of corporate IT systems is inevitable. It then works out how to minimize the related damage and continue with business as usual while dealing with the incident.
As the name suggests, proactive security also involves ongoing preparation. As a starting point, businesses need up-to-date expert threat intelligence about the nature of the attacks to which those in their sector and country are particularly exposed. For example, some businesses are especially likely to be hit by ransomware, while others are more likely to experience a denial-of-service attack. Knowing how you might be targeted enables you to prepare accordingly.
Many companies have plans in case of incidents, but too often these just sit there. Instead, businesses need to practice executing their contingency arrangements – including for recovery. They need to:
Sound preparation requires rigorously keeping up to date with upgrades and patches. It may sound simple, but many businesses miss upgrades or apply them too late for fear that they will disrupt operations. The reality is that the downtime caused by upgrades is negligible, especially compared with the disruption that a cyberattack could cause.
Even if upgrades and patches are executed in a timely manner, some systems are naturally more vulnerable than others. Documenting weak spots can help mitigate the fallout from a breach because it gives IT teams a head start in identifying the system that was originally compromised.
In addition, companies must probe actively for vulnerabilities, including by employing ethical hackers to test for weak spots both in corporate systems and in how employees interact with them. Digital transformation has made the attack surface much larger, which means that no organization has the time to find everything that could go wrong. So-called white hat hackers can step in here to find the most dangerous gaps in security.
When a major cyber event occurs, an incident-response team needs to assemble rapidly that can identify the source of the problem, direct action to get key systems back up and running, and communicate with the public. This team must therefore include the Chief Information Security Officer, if one exists; an IT director who knows the business’s IT architecture; a PR director who can draft communications to customers; and a legal director. The latter is vital because there are regulatory reporting obligations that must be met if personally identifiable information has been breached. It is also vital for a C-level executive such as the CEO or CIO to be part of this group so that they can update the board.
A fundamental question that will need to be answered very quickly in the event of an attack is whether the ransom will be paid. And to answer this, businesses need to know whether they are insured against a ransomware attack and what the Terms & Conditions are. They also need to understand their financial exposure to the disruption, and whether this eclipses the size of the ransom. Understanding the legal implications is also critical as paying ransoms to certain organizations could result in criminal proceedings according to US law. Multiple factors need to be weighed up when determining whether to pay, so those making these decisions need to have this information at their fingertips.
Ransomware demands are extremely challenging to respond to. It is therefore also vital to plan how you will respond in advance. This means determining who will negotiate on behalf of the business, and whether this should be an internal employee or an outside negotiation expert.
Although the majority of businesses ultimately pay up, some do not. For example, Norwegian renewable energy company Norsk Hydro received acclaim for its refusal to pay and its swift and effective response after being hit by a major ransomware attack. Very soon after suffering the attack, the business consulted external experts and took the decision to be completely transparent about the impact of the breach.
On its own, however, this new approach will not provide enough protection. Organizations also need to make a cultural change, and that includes the corporate leaders themselves. Cybersecurity can no longer be seen in isolation, and the people responsible for IT and physical security need to work closely together – at a minimum.
More generally, Chief Information Security Officers are too often given a mandate to provide security but gain no visibility in the boardroom. Instead, they typically report to CFOs, where it is often a struggle to demonstrate any return on investment. This can make it a thankless job, where success is achieved when nothing happens. CISOs could get better at communicating their challenges, but to do that they also need an audience that is ready to listen. When cyber-risk is growing this rapidly, security must become a board-level issue.
Professor of Digital Strategy and Cybersecurity at IMD
Öykü Işık is Professor of Digital Strategy and Cybersecurity at IMD, where she leads the Cybersecurity Risk and Strategy program. She is an expert on digital resilience and the ways in which disruptive technologies challenge our society and organizations. Named on the Thinkers50 Radar 2022 list of up-and-coming global thought leaders, she helps businesses to tackle cybersecurity, data privacy, and digital ethics challenges, and enables CEOs and other executives to understand these issues.