Richard Nesbitt is CEO, Global Risk Institute in Financial Services.
As you travel to work one morning, your chief technology officer calls with ominous news. Your organization has just joined the lengthening list of businesses, universities and government agencies that have fallen victim to a cyberattack.
How could this happen? After all, the same CTO assured you not long ago that all systems had passed a stringent audit and could fend off any known threat.
There is one crumb of consolation: You're not alone. Guarantees that systems are hack-proof mean less and less these days, as damaging cyberattacks on Equifax, Yahoo and the U.S. Securities and Exchange Commission, among many others, have shown.
A recent IBM study forecasts that at least one in four organizations will experience some form of cyberpenetration within the next decade. Emerging technologies such as artificial intelligence and quantum computing are rendering obsolete every one of today's encryption codes.
The growing risk of becoming the victim of a costly hack has far-reaching implications. Does e-commerce have any future in a world where no amount of encryption can protect files from a determined intruder? Perhaps it's time to reacquaint ourselves with the fax and telex machine. Welcome back to the 1970s.
The good news is that it shouldn't come to that. Organizations that do some serious contingency planning not only stand a better chance of fending off even the most ferocious cyberattacks, but also of limiting the damage if one does occur.
Many businesses could take a leaf out of the book of the big banks, which have drawn up extensive disaster recovery plans and regularly conduct cyberthreat simulations.
Canada's Superintendent of Financial Institutions recently co-ordinated industry-wide anti-hacking reviews. Canadian banks are also among dozens of participants in Quantum Dawn, a cybersecurity war game organized by the U.S. Securities Industry and Financial Markets Association. Banks in Britain have participated in several rounds of "Waking Shark" tests.
The Global Risk Institute runs a cyberwar game for directors of a wide range of companies so they can ask better questions about their own preparedness. This exercise has taught us some valuable lessons.
Perimeter protection is vital, but it is only the first stage of an effective defence.
We have learned that detecting a cyberattacker is far more difficult than even many experts have been assuming. The average intrusion goes on for 146 days before it is discovered. Imagine a burglar living in your attic for almost five months and helping himself to your belongings while you are at work.
If the hack proves to be successful, a robust response plan is critical. Advance planning ensures that you are ready to act quickly to contain the damage. It also improves the chances of communicating effectively with customers, suppliers, media and others that may be affected. Without such communication, the damage to your organization's reputation will be even worse, as Equifax and others have discovered to their cost.
Every cyberattack response plan should thus include three elements:
Damage mitigation: This should be your top priority. A review of causes and damage can come later. Determine immediately what steps are possible with existing technology. Do you continue to operate or do you shut down some systems to contain the problem?
Communication: Multiple parties need to be kept informed, starting with employees, regulators, directors, customers, suppliers and media. You need to draw up a specific plan with timetables and key messages for each group, ready to go at a moment's notice.
Legal: Your plan should cover as many types of intrusion as possible so that legal experts are ready with carefully thought-out advice for each one. Inadequate preparation for the legal consequences of a hack has tripped up many a victim.
Be sure to test the recovery plan through role-playing or war-gaming. This exercise should involve all levels of the organization, including, perhaps most importantly, the chief executive officer and board of directors.
Finally, ask key suppliers and even large customers to be part of the planning process. That will give them confidence in your preparations and your willingness to keep them informed. Their support – or lack of it – could make or break your business when a crisis hits.
The bottom line: Your firm needs to have a well thought-out and tested cyberattack response plan to be prepared for that call from your chief technology officer telling you that "you've been hacked."