In movies, the bad guys often fail to understand that you require security and resiliency to protect yourself successfully.
In the original Star Wars, Darth Vader built a Death Star and had fleets of TIE fighters to protect it. So, there is no question Lord Vader understood security. But famously, one precision strike was enough to destroy the entire entity. If Vader had thought of containerization, he might have limited the damage from Luke’s attack, thus, demonstrating resiliency.
In Lord of the Rings, Sauron was lousy with security and resiliency. He had armies and armies of Orcs to wage war. But he hardly bothered to protect Mount Doom, even though it was the place that could destroy the One Ring, which, if destroyed, would kill him. That left him entirely open to the Hobbits’ stealth attack. We all know how well that worked out for Sauron.
Leaders need to prepare for how they will be attacked and how they will respond. Gartner says in its report “Cybersecurity Leaders Are Losing Control in a Distributed Ecosystem” that “by 2026, at least 50% of C-Level executives will have performance requirements related to cybersecurity risk built into their employment contracts.”
Today, you need security and resiliency, with a greater emphasis on resiliency. If you are a business making any money, you will be attacked, and chances are you will be breached at some point. For example, nearly 90% of organizations around the world were targeted with spear phishing attempts in 2019. Cyberattacks are increasing in frequency and sophistication. Almost every day, a cybercriminal takes down an organization with one or multiple cyberattacks.
You already employ security and resiliency in your life as it stands. Think of security and resiliency working in tandem this way: Why do cars have spare tires? Because tires can and do go flat. That’s resiliency, designed to keep you functioning when something goes wrong. Anyone who has ever changed a tire on a busy freeway knows it’s not fun, but it is possible to get rolling again. Why do cars have doors that lock? Because you don’t want anyone to steal your vehicle. That’s security.
Suppose you have a deadbolt lock on your front door but also keep a safe inside your house, again, security and resiliency. Corporately, you must adopt this approach to protect your enterprise from attackers, so it is as hard as possible for them to get in and make it as difficult as possible should they make it through.
Zero Trust is a step, but not enough on its own. Same with containerization and employee training. Those strategies will mitigate damage and shrink the blast radius of any attack. Resiliency is what will keep the company functioning once a breach occurs. Even companies prepared for attacks can have to take drastic operations, such as shutting down their system.
German freight company Hellmann Worldwide Logistics was exposed by a phishing attack late last year. Hellmann’s Chief Information Officer Sami Awad-Hartmann told CNBC that the breach was devastating for the international shipping firm, which earned nearly $3 billion in 2020. What was most crippling for the firm is that it had to shut down its entire datacenter to source the breach and repair it, reports say.
“One of the drastic decisions we then made when we saw that we had some systems infected is we disconnected from the Internet,” Awad-Hartmann told CNBC. “As soon as you make this step, you stop. You’re not working anymore.”
That shut down – coming at a time when supply chains were under considerable stress – caused a “material impact” on the bottom line, according to the company. That means it was potentially significant enough to affect shareholder value and the company’s bottom line. The attack – no doubt on purpose – came at the worst possible time and was part of a rash of attacks on shipping companies, increasingly stressed due to the world’s supply chain woes.
Hellmann went public and had to warn its clients and partners about the data breach. Hellmann needed to ensure that clients/partners were dealing with actual Hellman employees and not imposters. As a result, Hellman encouraged cell phone communication with their staff. Backup plans did kick in, and Hellmann announced later in December that full-scale operations would resume shortly. That’s fast. IBM says the average time to identify a breach in 2020 was 212 days.
Germany has mandated that companies provide support for critical infrastructure so they can keep functioning when hacked. Every industry would do well to adopt that resilient approach. The mindset “we need to keep going” will help keep your company functional. The best thing you can do is have a plan. Attackers rely on creating chaos. Planning is the opposite of chaos; yes, it is possible to plan for chaos. You need to have processes in place, document them, and make sure people in the company know what they are and how to find them when it comes time to act.
Let’s say you get attacked by a ransomware attacker. If all systems are locked, and you cannot get your business functioning, you will likely pay whatever they ask. But even then, you need to plan: Who decides if you pay or not? Do you go public? Do you call the police? What are your local laws? And who makes these decisions in your company? If you get shut down as Hellmann did, you make decisions on the fly. Reactionary actions will never be as good as anything thought out and considered in advance.
You need to identify an internal security response team to work with your entire company to ensure security is top of mind. As the landscape changes and new security solutions such as Zero Trust become available, utilize them along with proper procedural protocols.
Find an alternate way to operate, even if you are not at 100 percent. Hellmann did when it shut down its shipping network, even if the company admitted to CNBC that some departments handled the breach better than others. Asking for cellular phone calls had to be embarrassing, but not asking would have cost them much more.
Welcome to the world in which we live. Cyber-attacks have become a cost of doing business for many companies. And like any cost, you want to make it as small as possible.