Creating Resilience to Cyber Risk

2023 was a record year for cyber risk, with 20% more threats than in 2022 (as reported by MIT Sloan’s Stuart Madnick). Typical incidents included: malware attacks (the insertion of malicious code); spoofing (AI enabled fake and fraudulent messaging); and supply chain disruption (malevolent interference with messages between stakeholders). Over these years there has also been a growing awareness that hostile nation states, rather than the stereotypical nerdy adolescent hacking in their bedroom, are today’s main bad actors in cyber space. As the Director of the FBI recently suggested China’s cyber activity now poses a serious threat to the USA’s critical infrastructure.

Yet at the same time, with cyber risk having been around for decades, business people have tended to become less vigilant. This is not so much complacency because nothing bad has happened to them. It is more just not knowing what to do about cybersecurity, so doing nothing. This situation has arisen because too often cybersecurity has been seen as entirely an IT responsibility, with the sole aim at achieving 100% protection through technical resources. There has been too little acceptance that 100% is impossible, that breaches may happen, and that when they do the whole organization must find the resilience to react and survive.

Being resilient to cyber risk requires a holistic approach, protecting IT systems, but also involving the whole organization in preemptive cyber-awareness and in planning for remedial action in the likely event of a cyber breach. Organizations need to develop a culture of cyber resilience, inspired by a vision that a cyber-attack will happen, but without affecting business as usual. As Keri Pearlson, Executive Director of Cybersecurity at MIT Sloan School of Management, explains in a recent webinar, “Protection is about keeping the bad guys out. Resilience is assuming the bad guys get in and having plans in place to really minimize the damage.”

Board responsibility

The ultimate responsibility for cybersecurity—for changing attitudes, values, and beliefs, and for motivating cyber-conscious behavior in the organization—rests with the senior management, the C-suite. Board oversight needs to go beyond considering the technology and contemplate the potential business and organizational risk, the supply-chain risk, and the compliance risk. It needs to focus on what must be put in place when systems lock-up or when the supply chain is compromised. They need to ensure the organization’s muscles are there to resist an attack and the back-up systems in place to recover.

…………………………………………………………………………………

Join Keri Pearlson for MIT Sloan’s ‘Cybersecurity Leadership for Non-Technical Executives’ program

Dates: Nov 6-7, 2024 | Format: In Person | Location: Cambridge, MA

…………………………………………………………………………………

Cyber threats may come as known unknowns, recognized risks that are poorly understood, or as Donald Rumsfeld’s famous “unknown unknowns,” breaches that could never have been rationally predicted. This is where resilience comes in. It is why senior leaders must reflect on the potential business, financial, and reputational damage that could follow a serious cyber-attack. Think less about how to prevent attacks and more about how to protect the organization from existential harm.

People power

The board sets the tone, but everyone in the organization must take some responsibility. Everyone should be aware of right behavior to avoid obvious risks and the protocols required to ensure back-up and remedial processes are effective and regularly updated. There is an argument for larger companies to appoint a specific cyber culture manager to train, inform, and help minimize potential human risks. For individuals at all levels in the organization the National Institute of Standards and Technology (NIST}: Cybersecurity Framework is a useful guide with its six key principles: Identify; Protect; Detect; Respond; Recover.

Ecosystem risk

There is a wide range of cyber world activity that companies have no real way of influencing at all. Utility providers and government agencies responsible for power supply and information systems are outside the company’s control, as are other members of the ecosystem—banks, logistics, etc.—with suppliers and customers only controllable in a limited way. Larger companies can offer to help smaller supply chain partners with both technical and cyber culture support.

Fundamentally, dealing with ecosystem cyber risk takes us back to resilience—if the online order processing system or the power supply go down what is the plan? Do we have a back-up? How well are we insured?

How will AI add to the risk?

AI is already being employed by bad actors to further enable and personalize malware to poison software systems. With advances in Generative AI and the coming of quantum computing, cyber risk is bound to increase. 'Secure by Design', the mainstream approach to software engineering used to ensure security of software systems, is being updated to counter negative AI intrusion, but no definite cybersecurity model has yet emerged.

AI is not all gloom and doom. On the bright side, AI enabled detection systems, auditing code at unimaginable speeds, could greatly improve technical defection and defense—from monitoring core systems to checking e-mails for misinformation. Generative AI systems could be set to clean and quickly rebuild infected software.

Cyber risk can affect even the most sophisticated large organization, and it is here to stay. While the cyber future is uncharted territory, from a leadership point of view, it is clear that the priority must be to focus on resilience.

………………………………………………………………………………….....................

This article is based on the MIT Sloan Executive Education webinar: ‘Cybersecurity Resiliency is More Than Protection,’ with Keri Pearlson, Executive Director of Cybersecurity at MIT Sloan, hosted by Senior Associate Dean Peter Hirst.