Image MoD Crown Copyright 2012, Defenceimagery.mod.uk
My presentation was delivered on the Cyber Threat Intelligence stage on the subject of “Making Cyber Security Work with the Mission, and not Against it.” It seemed to be very well received, so I thought that I would share my thoughts on this topic as a blog post for the benefit of those who weren’t at the Expo.
There are two types of risk that an organisation has to contend with: Operating Risk and Operational Risk. Operating Risks are the day-to-day risks an organisation has to manage; they are relatively high probability but low impact, like a project running late. Operational Risks are the high impact but low probability events, like a major fire in your office – there is a risk to life and significant impact on the organisation’s output. Balancing the management of these two types of risk is difficult, as decreasing one increases the other. You mitigate the risk to life of an office fire by having regular fire drills. Everyone stops working and exits the building, and the organisation has a degree of assurance that if a real fire starts then all their people will be safe. But during that drill no work is being carried out – this means the risk of the project being delivered late increases. There is also an increased risk that someone will trip and hurt themselves during the evacuation.
The UK military has always been focused on Operational Risk – reducing casualties on both sides of a conflict and delivering peace, stability and aid to the civilian population. However, several factors over the past decade, most notably the Haddon-Cave QC inquiry, have forced the military to become much more focused on reducing Operating Risk, especially for military flying training and exercises. The UK military has looked to industry to learn this best practice, and it has been instrumental in reducing risk outside of operations across the military.
When it comes to Cyber-security risk there is one big topic that is focusing the minds of executives across Europe – the General Data Protection Regulation (GDPR). If an organisation loses personal information it can be fined up to 4% of annual global turnover, forced to compensate the affected individuals and banned from processing personal information. It has had a profound effect on the levels of Cyber-security engagement from senior executives in all businesses and organisations.
Image MoD Crown Copyright 2015, Defenceimagery.mod.uk
However, it’s not the only Cyber-security risk that organisations need to consider; what about the Operational Risks? WannaCry caused large amounts of disruption to the NHS in May 2017 but was only a Category 2 cyber-attack – the UK National Cyber Security Centre is publicly warning that an even more destructive Category 1 cyber-attack is likely in the coming years. This will be a cyber-attack which could cause loss of life and widespread economic damage to the UK as a whole. WannaCry exploited a known vulnerability which could have been patched, was stopped quickly when a security researcher discovered a ‘kill switch’, and only affected data which can be recovered from backups. A Category 1 cyber-attack is unlikely to have any of these features: it will exploit a zero-day vulnerability for which there is no patch and will, initially, be undetectable to anti-virus software; there won’t be a convenient ‘kill switch’ to stop the spread; and it won’t only affect the data, it will affect the physical systems themselves. This has already been seen to a limited degree in the ‘Dark Energy’ cyber-attacks against Ukrainian Critical National Infrastructure.
Image MoD Crown Copyright 2015, Defenceimagery.mod.uk
So what should you do about it? Unfortunately there are no magic bullets or easy fixes. There are no right answers, but there are a lot of wrong answers – one of those is to bury your head in the sand and hope that the Category 1 cyber-attack passes you by or doesn’t happen on your shift. But hope is not a plan; you need to take action! And now is the ideal time: executives everywhere are already engaging on GDPR and cyber-security, so ensure that the thinking expands to include cyber-resilience. This is where industry can look to the military for best practice.
Your organisation needs a robust plan for how to survive a major cyber-attack, and needs to practise implementing it. This needs to start with a serious conversation at the top level of your organisation about attitudes towards risk… and the balance between operating and operational risk… because preparations to reduce operational risk will increase the operating risk! You already know how to have these conversations: you don’t have a fire drill every day, and you don’t ignore the risk of fire and never have a drill – you find an appropriate balance for your organisation. You need to do the same for operational-level cyber risks, and this starts with working out which risks you hold. As I’ve said, there are no right answers, but here are a few starter questions for you:
• How long can the business afford to be shut down for?
• Can my business operate without critical national infrastructure – electricity and water?
• If you are using remote/cloud computing or storage can you still operate without external connectivity?
• How would you keep the business going if a large number of your computers were physically damaged and needed replacing?
Inzpire’s Cyber Security experts can’t give you all the answers but we can help you with asking the right questions and identifying the best solution for your organisation.