Cyber Resilience in the Post-Pandemic World – An Urgent Need for Data-Sharing and Co-Operation
Heyrick Bond Gunning
Heyrick Bond Gunning is the CEO of S-RM, a global intelligence and cyber consultancy. Before S-RM, he was a Managing Director at Kroll – prior to which he consulted for DHL in Iraq in 2003 and 2004, following the end of the Iraq War. From 2000 to 2003, Heyrick was the Head of Client Engagement for Mergermarket (Acuris). He started his career with 5 years in the British Army. Heyrick has a BA in Geography and Archaeology from the University of Manchester and is an INSEAD alumnus.
Since the beginning of the Covid-19 crisis, phishing attacks have targeted remote workers, ransomware attacks on hospitals have increased, and a stock exchange was even closed by an old-style distributed denial-of-service attack.
Beyond the number of cyber-attacks, which seems to have increased in frequency and in scale, has the type of attack also changed?
With Covid-19, between March 2020 and March 2021, the number of ransomware attacks we had to deal with was multiplied by 4. They now represent about 50% of the ways data is being breached, and it is a dynamic, evolving threat. Traditionally, someone would encrypt your data and demand a ransom to decrypt it. Today, they'll take the data, encrypt it, and because they understand the reputational and regulatory risks, they'll threaten to start talking about the attack publicly. They now use two levers, and it's called 'double extortion'.
Has the pandemic shifted cyber security priorities?
At a very practical level, one challenge comes from using personal devices for work, such as phones and computers. Policies and procedures around this have always been important, but they are going to be at the forefront of cyber resilience going forward, as many parts of the world are going to continue to embrace flexible remote working practices. With this hybrid model of working, there are very difficult questions about how to balance the privacy of the employees with ensuring that the correct protections are in place for the work data.
Another shifting priority for the future is the question of how cyber risks will be insured. The insurance sector is talking a lot more about what services can be used to reduce the risks, including advice and training for clients, such as in-depth reports on their threat picture and establishing plans to activate in case of a breach. The first 72 hours can more than double the cost of a recovery if the situation is handled badly at first.
Does the way we assess risk and organizational cyber resilience need to evolve?
Even before Covid-19, there were questions around the usefulness and value of 'cyber readiness metrics', and the pandemic has introduced even greater uncertainty. It has led to a further reduction in the confidence of security teams and corporate leaders in their ability to understand and tackle the most important cyber issues.
However, the three key points to consider remain the same: the people, the technology and the processes. One needs to ensure that everyone is trained and knows what to do in case something suspicious occurs. Then, while technology is useful, it can be relied upon too heavily, especially when people don't understand it. People and technology go hand in hand; what binds them are the processes. In particular, having a plan for when it all goes wrong. One needs to think about the worst-case scenario prior to something going wrong, because it will be really difficult to think clearly in the midst of a ransomware attack. We ask four key questions to assess cyber readiness: do you know who your adversaries are? Are you focusing on the right risk? Does your response plan reflect the most likely threat scenarios, and have you tested it? Do you have a roadmap to recover in the event of an incident, or in other words: how are you going to get your systems back up and running?
That's even more important now, as data compromise within a business has become very likely: it may take the form of an attack, a mistake an employee makes, or an action an employee takes because they're disgruntled, for example.
What are the challenges to putting in place a more resilient ecosystem?
First, the big challenge is obviously the scarcity of data. The cyber sector is new, and cyber threats are very dynamic and difficult to model. The best strategy in that case is to map out the decisions that one would like to make, identify the information that one needs to make those decisions, and make a plan for how you will collect that information.
Indeed, the lack of data also comes from a lack of information sharing. Companies actually hold intelligence: the way they are addressing issues, their failures and successes. But people are reticent about sharing their intelligence, even within a company. Externally, companies avoid sharing the information due to reputational and regulatory concerns, as some attacks may cause a company to fall foul of regulatory constraints.
To build an ecosystem, it comes down to building relationships and trust. I see different areas that can be worked on, for example, when same-level experts from different IT departments are able to discuss best practices freely. Companies could agree on an external information-sharing scheme for certain elements of the data. Finally, an important point would be to communicate regularly with the regulators, who usually become more open once a relationship is built.
Are states and international bodies aligning their thinking to improve global cyber resilience strategies in a post-Covid-19 world?
One of the big challenges with cyber is that it has no boundaries; it is a global issue. In many ways, it takes the same form as a pandemic and requires multinational organizations, regulatory bodies and state agencies to act together.
A big turning point for businesses to start really thinking about cyber and data protection was actually GDPR — it was rolled out in 2016 and a good example of international regulation having real impacts.
International alignment is very difficult because everyone has vested interests, but where there seems to be some form of coalescing of agreement now is around the payment of ransoms to terrorist organizations, as opposed to criminal organizations, and around the relation between terrorism financing and cyber security. I think that's where we'll see the biggest change in the coming years. For example, the Office of Foreign Assets Control in the US has a list of people that needs to be checked against to prevent terrorist financing; in other words, companies need to be extremely cautious when they pay a ransom, to ensure the organization is 'just' criminal and not terrorist. It's really challenging to know, but there are a few hidden clues sometimes, such as the bitcoin wallet used, or the way communications are held with the victim.