The Knowledge Hub of IMD
Share
FacebookFacebook icon TwitterTwitter icon LinkedInLinkedIn icon Email
hacking, cybersecurity

Technology

Are you underestimating the evolving cyberthreat?

Published 2 May 2022 in Technology • 6 min read

Cyber-risks are proliferating as attackers professionalize and organizations’ entry points increase. But too many CEOs do not understand the nature of today’s risks and how important it is to face them head on.

 

Executives know that the IT they need for their operations is a double-edged sword. Already in the first months of 2022, two polls tell the story: PwC’s latest CEO Survey found that leaders considered cyber-risks the chief threat to growth; in a separate KPMG study, 77% of senior executives believed that these cyber-risks would grow during 2022.

The three things many CEOs get wrong

We can see that business leaders recognize the risk, but they frequently misunderstand it. First, they are unlikely to need to worry about a teenage hacker sitting in their basement probing systems for vulnerabilities, like in the movie War Games. The real danger comes from sophisticated criminal gangs taking a multifaceted approach. Think Ocean’s 13, where the thieves’ solution is to create an earthquake, not break through invincible technological defenses.

A typical ransomware attack shows the extent of cyberattackers’ planning. Before they strike, the fraudsters learn about the target victims in depth. They gain access to information in company systems, often via phishing attacks.

Then, they take their time to study the corporate picture: the amount of money that a company’s resources make it realistic to demand; the maximum pain threshold below which executives are more likely to pay up than to resist; even the extent to which a business’s cyber insurance covers ransomware payouts. Only after this kind of analysis do they launch their endgame.

Second, these gangs do not have to function in isolation, because they can rely on an advanced criminal supply chain. Some organizations specialize in the social engineering aspects of hacking, some in creating back doors, others in creating software to carry out attacks, and others in keeping a database of unresolved security risks that affect major commercial software. And these organizations have access to the same advanced technologies, such as artificial intelligence, as well-financed corporates. Put it all together, and this cyberattack supply chain makes companies’ detection and prevention methods less effective.

The third aspect of cyber-risks that business leaders tend to miss is that physical security and cybersecurity are no longer distinct. For example, if someone enters an office with a badge, that location’s security depends on the recognition software. Similarly, an attacker who gets into a network can create a physical security threat. Every organization has an interface between these two kinds of security.

Faced with such a sophisticated set of threats, what can companies do?

oceans thirteen
“The real danger comes from sophisticated criminal gangs taking a multifaceted approach”

Protection comes from proactive security

They should start by throwing out the old rule book. The traditional approach is a reactive one that involves building high technological walls around the organization. Over the past decade, it has become clear that once attackers breach that barrier even a single time, and through whatever means, they can do almost whatever they want.

In a world where many employees work from home and use a multitude of connected devices, it no longer makes sense to focus exclusively on an increasingly indistinct perimeter. Proactive security, on the other hand, assumes that a breach of corporate IT systems is inevitable. It then works out how to minimize the related damage and continue with business as usual while dealing with the incident.

As the name suggests, proactive security also involves ongoing preparation. As a starting point, businesses need up to date expert threat intelligence about the nature of attacks that those in their sector and country are particularly exposed to. For example, some businesses are especially likely to be hit by ransomware while others are more likely to experience a denial-of-service attack. Knowing how you might be targeted enables you to prepare accordingly.

Many companies have plans in case of incidents, but too often these just sit there. Instead, businesses need to practice executing their contingency arrangements – including for recovery. They need to:

  • Document key weaknesses

Sound preparation requires rigorously keeping up to date with upgrades and patches. It may sound simple, but many businesses miss upgrades or do them too late for fear that it will disrupt operations. The reality is that the downtime caused by upgrades is negligible, especially compared with the disruption that a cyber-attack could cause. 

Even if upgrades and patches are executed in a timely manner, some systems are naturally more vulnerable than others. Documenting weak spots can help mitigate the fallout from a breach because it gives IT teams a head start in identifying the system that was originally compromised.   

In addition, companies must probe actively for vulnerabilities, including by employing ethical hackers to test for weak spots both in corporate systems and in how employees interact with it. Digital transformation has made the attack area much bigger, which means that no organization has the time to find everything that could go wrong. So-called white hat hackers can step in here to find the most dangerous gaps in security.

  • Know exactly who should lead the response

When a major cyber event occurs, an incident-response team needs to assemble rapidly that can identify the source of the problem, direct action to get key systems back up and running and communicate to the public. This team must therefore include the Chief Information Security Officer, if one exists, an IT director that has knowledge of the business’ IT architecture, a PR director that can draft communications to customers, and a legal director. The latter is vital because there are certain regulatory reporting obligations that need to be met if personally identifiable information has been breached. It’s also vital for a C-level executive such as the CEO or CIO to be part of this group so that they can update the board.

  • Gather all of the information that is needed to evaluate ransom demands

A fundamental question that will need to be answered very quickly in the event of an attack is whether the ransom will be paid. And to answer this, businesses need to know whether they are insured against a ransomware attack and what the Terms & Conditions are. They also need to understand their financial exposure to the disruption, and whether this eclipses the size of the ransom. Understanding the legal implications is also critical as paying ransoms to certain organizations could result in criminal proceedings according to US law. Multiple factors need to be weighed up when determining whether to pay, so those making these decisions need to have this information at their fingertips.

Ransomware demands are extremely challenging to respond to. It is therefore also vital to plan how you will respond in advance. This means determining who will negotiate on behalf of the business, and whether this should be an internal employee or an outside negotiation expert.

Although the majority of businesses ultimately pay up, some do not. For example, Norwegian renewable energy company Norsk Hydro received acclamation for its refusal to pay and its swift and effective response after being hit by a major ransomware attack. Very soon after suffering an attack, the business consulted external experts and took the decision to be completely transparent about the impact of the breach.

But the culture must be right

On its own, however, this new approach will not provide enough protection. Organizations also need to make a cultural change, and that includes the corporate leaders themselves. Cybersecurity can no longer be seen in isolation, and the people responsible for IT and physical security need to work closely together – at a minimum.

More generally, Chief Information Security Officers are too often given a mandate to provide security but gain no visibility in the boardroom. Instead, they typically report to CFOs, where it is often a struggle to demonstrate any return on investment. This can make it a thankless job, where success is achieved when nothing happens. CISOs could get better at communicating their challenges, but to do that they also need an audience that is ready to listen. When cyber-risk is growing this rapidly, security must become a board-level issue.

Authors

Oyku Isik IMD

Öykü Işık

Professor of Digital Strategy and Cybersecurity at IMD

Öykü is Professor of Digital Strategy and Cybersecurity at IMD. She is an expert on digital resilience and the ways in which disruptive technologies challenge our society and organizations. Named on the Thinkers50 Radar 2022 list of up-and-coming global thought leaders, she helps businesses to tackle cybersecurity, data privacy, and digital ethics challenges, and enables CEOs and other executives to understand these issues, which she believes are too important to be left to technical specialists alone.

Öykü leads IMD’s Cybersecurity for Managers program, which helps businesses develop an action plan to identify, prepare for, and respond to emerging and imminent cyber threats.

Related

Learn Brain Circuits

Join us for daily exercises focusing on issues from team building to developing an actionable sustainability plan to personal development. Go on - they only take five minutes.
 
Read more 

Explore Leadership

What makes a great leader? Do you need charisma? How do you inspire your team? Our experts offer actionable insights through first-person narratives, behind-the-scenes interviews and The Help Desk.
 
Read more

Join Membership

Log in here to join in the conversation with the I by IMD community. Your subscription grants you access to the quarterly magazine plus daily articles, videos, podcasts and learning exercises.
 
Sign up

You have 5 of 5 articles left to read.