Today the UK's National Cyber Security Centre (NCSC) revealed that, in its first year of operation, it dealt with more than 1,000 reported incidents, half of which could have posed a significant threat to the nation. It also described the cyber threat as "large, growing and diverse".
This revelation comes hot on the heels of the results of the NCSC's "Cyber Governance Health Check" that found that 54% of company boards said computer hacking was one of the main threats to their business - yet 68% of them had no specific training to deal with a hacking incident.
Therefore, if the threats are significant enough to pose a risk to the nation, and the nation is responding with a comprehensive strategy that includes "deter" and "develop" as well as "defend", then why is business not following suit?
We have been studying this for a while at Sungard Availability Services and have found that there are two main factors:
1. A false sense of security caused by Anchoring Bias
Even though every official government statement is now at pains to point out that no security solution is 100% effective and that it is a case of when, not if, organisations are affected, we have found that our cognitive "anchoring bias" (the natural human tendency to rely on the first piece of information offered) is lulling organisations into a false sense of security.
Early cyber threats lacked sophistication and most were easily combated by ensuring that security vulnerabilities were rapidly identified and closed. Hence, a whole industry associated with this type of defensive tactic sprang up: for example, Penetration Testing to identify system and people vulnerabilities, Patching Programmes to close the vulnerabilities, Perimeter Security to prevent malicious access via pathways such as the connection to the internet, and Access Control to prevent unauthorised access to valuable or critical assets.
However, the cyber threat has now been democratised and, whilst decent information security measures are essential to reduce the probability of the threat gaining access to an organisation's IT system, being able to react quickly and effectively at the corporate level if compromised is the only way to reduce the impact.
We have found that although organisations recognise that the threat has evolved, they often instinctively believe that tactical information security solutions deployed within their IT systems will effectively neutralise the threat. When questioned further, they reveal that this is because "information security" was the first solution to the cyber threat they heard about.
This cognitive bias is reinforced still further by the fact that, when looking for solutions to combat the cyber threat, it is still very difficult to find anything other than articles about new and exotic cyber threats that exploit hitherto unknown vulnerabilities in IT systems, with organisational annihilation to be averted only by purchasing some new cutting-edge technology.
The good news is that this cognitive bias can be easily countered with logic and we have found that, once the bias has been explained, organisations are very keen to "develop" Business Continuity and Disaster Recovery plans to be able to respond when/if their "defences" fail.
Which brings me on to the second factor.
2. Forgetting that there is a sentient adversary present
The vast majority of conventional Business Continuity and Disaster Recovery plans describe in detail the pre-defined steps that should be taken and discourage deviation. They are also often widely available outside of an organisation.
This means that a would-be cyber-attacker already knows what the organisation's first response will be and can counter it. It also means that the cyber-attacker has a reasonable amount of time on their side after being discovered to cover their tracks and avoid identification whilst the organisation gets itself together and works out a new plan.
The solution to this is fairly simple: accept that "plans rarely survive first contact with the enemy" (see Helmuth von Moltke) and stand up a Crisis Management Team comprising the organisation's executive, who can make strategic business decisions the minute a viable attack is identified.
However, we have found that the reality is that most organisations don't stand up their Crisis Management Team until several hours later, when the IT Department has exhausted all pre-prepared steps and the situation has escalated out of control.
Unfortunately, we also find that although it is widely recognised that a cyber attack is characterised by information overload and an extremely high tempo, very few organisations have pre-prepared their executives to be able to function psychologically in such an environment.
The modern interconnected business landscape is a target-rich environment for a cyber attacker, and organisations can do much to "deter" attackers by recognising that all cyber attacks require an executive crisis response and that executives need to be prepared to respond in real time to counter their attackers' moves.
In summary, whilst it is essential to deploy decent Information Security, Business Continuity and Disaster Recovery tactics, an organisation will be severely challenged by a cyber-attack unless it also has the Crisis Leadership skills and knowledge within its executive to adapt its response in real time and lead the organisation through the complex, uncertain and unstable environment that a cyber-attack creates.
In short, they need a "Cyber Strategy" that involves "defending" the organisation from attacks, "developing" response plans and "deterring" would-be attackers.