In mid-December, President Obama announced a number of new Cyber Security measures. In late January, I was in the audience for the 50th Appleton Lecture, organised by the IET, at which James Quinault CBE spoke about ‘Cyber Security: why we should be worried and what can we do about it’. In late January, on a much grander scale – and unfortunately I wasn’t there in person to listen to the great, the good and the wealthy, Cyber Security was a really hot topic in Davos at the World economic Forum. In early February, there was an article on the BBC website titled ‘Cybersecurity: Defending ‘unpreventable’ cyber attacks’. Finally, I was back in London again last week for a seminar on ‘Cyber Security for Industrial Control Systems’.
There are some strong emerging themes from these diverse sources: firstly, that cyber-attacks are not just something that happen to celebrities and big-businesses; secondly, that the attacks emanate from a variety of sources with varying degrees of sophistication and widely differing objectives and last but by no means least, that this is not just a technology issue. We, the people and our behaviour, are critical to minimising the likelihood of an attack succeeding, the damage done by the attack and the ability to recover afterwards. These are all themes that I hope to return to in more detail in later posts.
Having thought more about this, it appears to me that the digital revolution is following a pattern of development that is not too dissimilar from previous technological revolutions, specifically, that we often don’t notice the turning point until sometime after it actually occurred; that the technology has gone from something known about and understood by a relatively few ‘experts’ to something taken for granted by many; and that following the initial honeymoon of the technology being developed and utilised for the good of humanity, it becomes commercialised, commoditised and ultimately criminalised.
The reality is that we can’t turn the clock back, the revolution isn’t going away. Like fire, the wheel, gunpowder, internal combustion engines and genetic engineering, we need to learn to live with the upsides and the downsides.
We’ve moved through Industrialisation and Globalisation. Now we’re in to Digitalisation. We’ve progressed from simple ping-pong video games and emails through Web2.0 and are now on the brink of the ‘Internet of Things’. Although, there has been tremendous adoption of digital technology over the past 50 years, there is still plenty more to come.
In the new paradigm, the world is digital, our enterprises need to reflect this.
In amongst all this change and uncertainty the important thought to hold on to is that the Digital Revolution is full of opportunity. Creating opportunities to do new things and to do old things better. Doing nothing is not a viable long-term option. If you are starting-up, then you have a wonderful opportunity to start as you mean to go on without being weighed down by baggage from a previous era. If you are an established enterprise, now is the time to seize the initiative and change because you want to, not because you have your back to the wall and have to.
So, assuming that you are in the majority and are one of the good guys, what should you do? My view is not to hold back – do whatever it is that you believe will enable you to move forward, improve your operations or deliver new services. Promote your enterprise on-line, embrace the cloud, network your building or industrial control systems, proceed at speed – albeit with a degree of caution. It’s a bit like crossing a busy road in a town or city– fraught with danger but provided that you have good reason to get to the other side, understand the risks, take precautions and behave sensibly, it is eminently do-able!
Once you have accepted the likelihood of an attack on your digital enterprise being quite high, you can begin to think through how you intend to manage the risks and consequences. Although Cyber Security sounds scary, in reality, it has much in common with other accepted areas such as financial or Health & Safety risks – these are issues that the majority of enterprises are now familiar with, albeit that you might want to invite external experts to help you work through the detail.
As with managing most risks, adopting a multi-faceted approach is likely to be more successful than relying on a single line of defence. The first step should be to understand what it is that you are trying to protect, why, and what are the threats. It is important to remember that threats to your digital enterprise don’t just emanate from hackers and criminals. Data loss due to human error, a natural disaster or equipment failure should also be included in your deliberations. An important concept here is that of resilience – what can be done to make the enterprise capable of surviving a security breach or an information loss. For some enterprises, the impact of information loss or a security breach may be low, whereas for others there may be serious legal or commercial consequences that could, in-extremis, jeopardise lives, destroy your business and/or result in personal liability.
To manage this, the approach should be to:
- Identify the risks
- Assess their potential severity and probability of occurrence
- Establish a strategy*
- Develop a Plan
- Implement the Plan
- Review** and Evaluate
*Classic risk-management involves deciding upon one of four fundamental strategies Accept, Avoid, Reduce or Share (There are a variety of alternative ways of expressing these options such as Retain, Eliminate, Mitigate or Transfer, but the principles are essentially similar).
**It is important when reviewing, not just to review progress against the plan but to also periodically go back to the first stage of risk identification since in a fast moving world, the goalposts have a habit of moving without you noticing!
As a parting thought, don’t think of Cyber Security as a bolt-on to your enterprise or an added cost. Instead, think of Cyber as representing opportunity and Security as an integral part of your enterprise and as fundamental to its success as the People, Products, Processes, Quality, Safety and, of course the money!