The rise in cyberattacks during the pandemic has been well documented, with the majority of organizations experiencing at least one attack during this tumultuous year. It is, of course, not a new phenomenon, as new research from Oxford University highlights the tremendous economic damage caused by the NotPetya virus. The virus, which was released in 2017, was estimated to have caused around $10 billion in damage across a multitude of industries around the world.
The researchers believe, however, that despite these visceral warnings, too many organizations remain unprepared for possible attacks in the future. The study explored the response of three companies to the NotPetya attack, with a range of interviews conducted with executives and internal documentation reviewed to understand the attitude towards cybersecurity before, during, and after the attack. The analysis gave the researchers a strong insight into the best ways to prepare for and respond to cyberattacks.
Winners prioritize cybersecurity
The research found that the companies that had managed to successfully weather and respond to cyberattacks were typically those for whom cybersecurity was a strategic priority. For many, however, it remained an operational rather than a strategic issue, which rendered them extremely vulnerable to attack.
Cyberattacks, and their impact, are not confined to the IT department; they affect the entire business.
Developing resilience successfully therefore requires a shift in the organization's mindset, with cybersecurity viewed as an issue of strategic importance rather than a cost to be reduced at every opportunity. Indeed, the most successful firms viewed it as an opportunity to gain a strategic advantage over competitors, not only by reducing the business's exposure to attack, but also by enhancing organizational learning and by noticing and capturing new strategic opportunities.
The lack of strategic emphasis applied to cybersecurity is often because responsibility for it is delegated to the IT department, which in itself is often viewed purely as an internal service provider rather than a source of strategic advantage. This position has often endured even as the threat posed by cyberattacks has become more evident.
This situation is compounded by a perspective on cybersecurity that sees attacks as largely random and unpredictable events rather than an inevitability if weaknesses and vulnerabilities are not addressed. Indeed, these kinds of companies are often attractive targets for attackers precisely because of this attitude. With attacks often hushed up by these kinds of organizations, there is little real opportunity to learn from peers, as best practice seldom gets shared.
Investing in cybersecurity
The research reveals how many executives were taken aback by the damage that a cyberattack could cause, and described many of their cybersecurity efforts as little more than a box-ticking exercise. Indeed, for many, cybersecurity was viewed as a lose/lose situation, whereby an attack would cause obvious financial and reputational damage, but an investment in cybersecurity would also be money diverted from seemingly more useful purposes. The obvious consequence was significant under-investment in cybersecurity.
Arguably the most important strategic benefit accruing from investment in cybersecurity capability is its ability to help the organization learn and develop new opportunities.
This is because cyberattacks typically expose weaknesses across the business, so a robust cybersecurity program can help to improve everything from employee development to process innovation as those holes are plugged.
Indeed, as the COVID-19 pandemic has shown, an emergency, such as a cyberattack, can often provide a hugely valuable catalyst for accelerating changes that might ordinarily have taken a very long time. It is the necessity that gives birth to rapid invention as the entire organization focuses on getting back to normal as quickly as possible.
Developing organizational resilience
The researchers conclude by proposing a model for the development of cyber-resilience within the organization. The model proposes the development of four key capabilities:
- Protecting the business. Traditionally cybersecurity efforts have focused on protecting the IT infrastructure, but while this is undoubtedly important, the researchers urge executives to broaden their focus to encompass the entire business, under the belief that attacks are an inevitable part of doing business in the modern world. As such, a layered approach that protects more of the key business processes is required.
- Broadening awareness. Too often, executives look purely internally for cyber threats. The researchers urge them instead to broaden their horizons and look outside the company to understand the threat landscape. Only then can a comprehensive strategy be developed. This is where sharing information about attacks can be so crucial, as it raises awareness across the industry and companies learn from each other.
- Managing the consequences. Just as before, dealing with the consequences of a cyberattack should not be viewed purely as an internal matter. Customers, suppliers, regulators, and financial markets are all likely to be affected, and will need to be managed and communicated with effectively. Being open and transparent is nearly always the best approach.
- Responding and recovering. Responding effectively requires a detailed understanding of the organization's capabilities. Response plans should always strive to make resilience better than it was before, and further position cybersecurity as a value generator rather than a cost center.
Each of these elements raises a number of questions that executives can use to drive discussions on the best approach for their organization to take in improving their cybersecurity. It will, the researchers hope, help to put cybersecurity on the strategic rather than operational level.