Cyber attacks are one of the greatest threats to companies’ operations, and the area is so lucrative that it has overtaken global drug trafficking in scope.
We asked Mårten Thomasson and Rehanna Gerleman, who are responsible for the Cyber Risk Management Program at SSE Executive Education, to understand more and to be able to share their tips on how companies can manage the risk of attack.
Why should organizations prioritize cyber risk management?
– An understanding of cyber risks is a prerequisite for prioritizing correctly and implementing strategies to mitigate or prevent the effects of cyber attacks. In recent years, governments’ cyber weapons have been leaked and are available online for downloading, allowing any criminal whatsoever to make such downloads and carry out advanced attacks. Several well-known cases in recent times – including Maersk, whose operations were knocked out by ransomware at a cost of USD 300 million, as well as Norsk Hydro, for whom the final bill ended up at approximately SEK 600 million – indicate the importance of company management prioritizing cyber risks as one of today’s foremost business risks. Today, cyber attackers largely exploit the same shortcomings that we and our colleagues in the industry have been warning about for a long time. For example, the extent of the damage at both Maersk and Norsk Hydro could have been reduced significantly if these shortcomings had been addressed in time. In the case of Maersk, IT representatives had, a year before the attack, indicated the risk of being seriously affected by rapidly spreading malicious code as a consequence of the unsegmented network.
How concerned should we be?
– Very concerned indeed. The area is so lucrative that it has overtaken global drug trafficking in scope. And it does not look like diminishing. Everyone risks being hacked sooner or later; the question is really just how extensive the damage will be.
Who is responsible for preventing attacks?
– Ultimately, the question of responsibility lies with senior management and, from there, needs to be disseminated out into the operations. Today, there is a gap between IT and other operations in far too many companies. It is still common to order IT, so to speak, rather than treating it like any other business process. IT is a key area, just like finance or recruitment, and should be managed in the same way. Someone should own the responsibility for each management system, enabling all operations to maintain pace with one another. Collaboration generates positive connotations throughout the organization.
Cyber attacks are nothing new exactly, so why have we not progressed further with our strategic efforts?
– In part, cyber risks are perceived as abstract and are not generally subject to the same type of structured risk management as, for example, organizations’ financial control. We often see strategic cyber efforts commencing in earnest only once the organization itself, or others in the same industry, suffer an attack. And, in part, the nature of the attacks has shifted, becoming more destructive – the attackers have become far more resourceful and are often one step ahead. We see people everywhere waking up to what is going on – both at the company management level and at the political level in society. For example, EU regulations and directives, such as GDPR and NIS, threaten organizations with severe fines if security is not managed properly.
As a manager, why should I educate myself on cyber risks and not send someone else?
– The knowledge should be where the responsibility lies. In pace with digitization and the challenges this poses to organizations, from strategic, technical and skills perspectives alike, people in senior positions need to be familiar with cyber risks to be able to make appropriate decisions and navigate properly.
Mårten and Rehanna’s tips for avoiding cyber attacks:
- Tear down the fictitious walls between departments, increase understanding by discussing openly between departments and being structured. Perform a joint risk analysis: what does the cost scenario look like in the event of a cyber attack? “How great is the risk of an attack that encrypts our computers and what would the consequences be?” Every minute during which the operations are at a standstill represents a monetary loss.
- Invest your budget where it has greatest impact. By prioritizing correctly and working strategically, much can be done to enhance resilience. It is better to have a plan than to react in an emergency, putting out fires when the attack has already occurred. Find out what works for you in particular.
- Learn what types of attackers you can expect to be exposed to and protect yourselves against them. Two strategic approaches are understanding how cyber attacks occur, and working with scenarios regarding where in the infrastructure an attack will occur. Work with real-life examples to enhance relevance. How should we avoid getting into trouble? You need to consider which targets, in terms of both personnel and assets, are particularly worth protecting, and what your current risk exposure looks like.
- Hold workshops together. Bring together different people, who do not often meet, in the same room – the CIO and CISO, the operations manager, HR representatives, legal and technical areas such as workplace, server platform and development – and discuss. Such meetings are very interesting because many awakenings take place during them.
Mårten Thomasson, founder and CEO of Addlevel, has worked with security for large organizations in banking, finance and Swedish industry for almost 20 years. He is a leading expert in information security, with assignments ranging from setting up security strategies, security design and architecture and acting as a security adviser for international companies and management teams.
Rehanna Gerleman is a lawyer and information security consultant with experience from the municipal, central government and private sectors. Alongside Mårten, she educates data protection officers and acts as an adviser to banks and insurance companies in areas including GDPR and information security.