I became quite interested in cybersecurity around a year ago, given the growing threats of cyberattacks by criminal groups and adversarial governments. I then joined CAMS, MIT’s interdisciplinary cybersecurity consortium and started attending its online weekly seminars. A few weeks ago I attended a CAMS seminar on cyber resilience by Manuel Hepfer, a research affiliate at Oxford University and a research analyst at ISTARI, a cyber risk management company.
What is cyber resilience? While cybersecurity is the practice of protecting critical systems and sensitive information from digital attacks, cyber resilience is the ability to prepare for, withstand, and recover rapidly from any major disruption, whether an intentional cyberattack or a natural disaster.
The seminar was based on a study by Hepfer and colleagues of the 2017 NotPetya ransomware attacks, a series of powerful cyberattacks which caused over $10 billion in global economic damage across a number of industries. Their study was primarily focused on three global companies that were the subject of NotPetya attacks: a logistics company with over 60,000 employees, a manufacturing one with over 20,000 employees, and a third in professional services with over 5,000 employees.
The study conducted around 50 interviews with senior executives across the three companies, including CEOs, CFOs, CIOs, and CISOs. In addition, it reviewed internal documents, presentations, press releases, newspaper coverage, and audio and video files related to events before, during, and after the attack. Their study was published in two articles in the MIT Sloan Management Review, the first in 2020, the second in 2022.
The first article, Make Cybersecurity a Strategic Asset, noted that “organizational resilience to cyberattacks requires a fundamental change of mindset: Executives must view cybersecurity as strategic rather than operational, and as an opportunity rather than an expense. … By elevating cybersecurity from an operational necessity to a source of opportunity, leaders can boost resilience and business advantage.”
The article cites several reasons why executives treat cybersecurity as an operational instead of a strategic priority. Traditionally cybersecurity has been delegated to IT operations where the technical expertise resides, even though technology now permeates just about every function of the firm. Many executives view cyberattacks as a random, unpredictable event, as opposed to the kind of predictable, manageable risks that exploit organizational weaknesses across the company. And, when a cyberattack happens, companies often focus on internal damage control instead of engaging openly with all stakeholders.
Based on their research, Hepfer and his collaborators developed a model for improving organizational resilience to cyberattacks that leverages their cybersecurity efforts to capture strategic opportunities. The model is based on four strategic capabilities: protecting the business, broadening awareness, managing the consequences, and responding and recovering. “Each of the four elements raises questions that executives can use to lead discussions on the company’s approach to cybersecurity strategy. Although some of these discussions are concerned with events after a cyberattack, all of the discussions should happen now, as part of strategic planning - before a cyberattack.”
Let me summarize the four capabilities and list a few of the questions that should be addressed by each capability:
Protecting the business. “While it remains important to maintain and harden defenses, companies in our study acknowledged that attacks are nonetheless inevitable.” Perfect defenses are impossible because attacks and defenses are continually evolving. A strategic approach to protection should encompass “a deeper understanding of key business processes and how they might be designed to minimize an organization’s vulnerability to attacks.” Such a strategic plan should address these questions:
- What are our key business processes and how vulnerable are they to cyberattack?
- How can we design our business processes to minimize our vulnerability to attack?
- What internal capabilities do we have for protecting against cyberattack?
Broadening awareness “requires senior management to take responsibility for looking outside the company to understand current threats and to develop a more comprehensive strategy for acquiring intelligence. These actions include establishing better connections into the network of threat intelligence, such as communicating with cybersecurity researchers at anti-malware vendors and building relationships with peers at organizations with the strongest capabilities in this area.” To help broaden awareness, companies should discuss:
- How significant is the threat of cyberattack and where is it most likely to come from?
- What capabilities do we have for detecting external threats?
- How are cyberattacks evolving?
Managing the consequences “demands that leaders look outward to plan for the potential effects of a cyberattack on customers, suppliers, financial markets, and the company’s reputation. … The decision to communicate openly with customers, shareholders, and the general public proved especially valuable, according to a CEO in our study. It generated not only positive customer feedback but also numerous offers of help from customers, suppliers, and even competitors.” To better manage the consequences of an attack, companies should raise these questions:
- How would our key stakeholders respond and what can we do to shape these responses?
- What capabilities do we have for anticipating how stakeholders might respond?
- How would our customers be affected?
Responding and recovering “requires understanding the organization’s capabilities to take appropriate action in case of a cyberattack and identifying potential weaknesses in processes, leadership skills, and backup plans. Executives in our study advised that response should focus first on recovery and spoke to the importance of having top leadership support for technology teams throughout the recovery effort.” These questions should be helpful in planning the response to an attack:
- What capabilities do we have for responding to a cyberattack and how can we improve them?
- What weaknesses would hinder our response?
- What is our plan for business continuity in case of a cyberattack?
In 2022, Hepfer and his collaborators published a second article based on their research, Building Cyber Resilience Before the Next Attack Occurs. “Lessons and insights from past cyberattacks can help companies prepare and respond more successfully to future threats,” said the authors. To understand best practices and mistakes to avoid in responding to cyberattacks, they analyzed their interviews with senior executives whose companies had endured serious cyberattacks, and gathered data from cybersecurity training centers that help executives prepare for crises by simulating realistic cyberattacks on their enterprises. Let me summarize their findings.
When a cyberattack happens, business leaders are often confronted with unfamiliar, overwhelming, and seemingly random issues. Experience shows that they should avoid some common mistakes: instead of setting unrealistic deadlines for recovery, wait until you understand the full scale and impact of the attack; instead of trying to deal with the attack on your own, seek outside support and expert help; and don’t try to analyze and correct the mistakes that may have made the attack possible until stability has been restored and the business is up and running.
Finally, here are a few best practices based on the actions of the most resilient companies:
Plan and prepare. Since there’s pretty much nothing a company can do to prevent a cyberattack, it’s all about being as prepared as possible when an attack happens. “Unfortunately, our research shows that most enterprises spend most of their time, money, and attention on protecting their IT infrastructure while neglecting other elements of organizational resilience.”
Don’t delegate, lead. A successful response is a matter of organizational leadership and collective responsibility, as well as effective coordination and decision-making during the crisis. “In our experience, senior executives who have guided their companies through cyberattacks undergo a major change of mindset. In particular, they cast aside any previous belief that the burden of responding to cyberattacks falls mainly on their technology specialists.”
Provide open, consistent communication. Trying to keep an attack under wraps doesn’t work. “In our research, we came across numerous examples of employees tipping off outsiders - in many cases, inadvertently. In contrast, airing the facts helps shape the narrative around the story and can help protect the company’s reputation.”
“As the risk of future cyberattacks continues to rise, the stakes for companies and leaders could not be higher,” wrote the authors in conclusion. “The core findings from our research - that success or failure in the wake of a cyberattack depends on leadership across an organization, on gaining practical crisis experience in advance, and on consistent communication - provide guidance for senior executives to navigate future threats successfully.”