Forget cyber security — Focus on cyber resilience!
In June 2017, the NotPetya worm exploited a Windows security flaw, which Microsoft had fixed in the spring via an update that hadn’t yet been installed by many users. This computer attack – one of the largest in history – cost the Danish carrier Maersk $300 million. In France, Auchan and SNCF were affected, and Saint-Gobain lost several million euros. The computer system for managing its warehouses collapsed, preventing it from fulfilling orders and deliveries.
Cyber risk: time to end the reassuring fiction of the Great Wall of China
While the challenges of cyber risk are nowadays embraced by the majority of companies and their executives, this process has been built at a forced march and in fear, around a discourse that lends cyber security an almost magical infallibility. To protect against attacks, data theft and information system paralysis, companies have erected ever taller, ever more numerous, ever more expensive Great Walls of China around their digital assets. This “perimeter” doctrine is clearly common sense, but it has a perverse effect on decision-makers: it creates a false sense of security, a dangerous fiction of comfort reinforced by the high level of investment. This was revealed by the NotPetya crisis.
This is because the rise of BYOD (Bring Your Own Device) and the increasing penetration of the Internet of Things in offices and production sites – which will gain pace even more in the near future with the rise of 5G – are constantly creating thousands of potential breaches in the wall. Any hacker who looks hard enough will always find a way in. This fundamental principle is the starting point for all cyber risk management today: closing all doors, but above all anticipating what will happen if someone manages to get in despite everything. As a result, companies must learn to combine process and business issues with the fundamentals of security, to identify the critical points of their organisation, and to define scenarios that will make them resilient, able to maintain their business or resume it while minimising the effects of an attack. And they must always think about the following day: can a malicious intrusion critically block their organisation and business?
Cyber resilience: large companies are responsible for evangelising their ecosystems
It is no longer enough to simply implement good practices of cyber resilience within one’s organisation and to ensure an efficient and responsible training approach for all of its own employees through internal communications, knowledge management, micro-learning or training programmes. For the world’s largest companies, this means involving their entire ecosystem of partners, service providers and current and prospective customers in this new approach to managing cyber risk. Setting exemplary standards “internally”, of course, but also explaining to those around them that the rules of the game have changed. Quite simply because – by their size and position – they are at the heart of a worldwide, globalised, interdependent economy: if their information systems are secure, if their organisation is cyber resilient, attacks will be directed elsewhere, at the systems of their partners, which are smaller, less mature, less protected and less resilient. And if a new NotPetya paralyses them, breaks their raw material supply chain and deprives their customers of cash to pay them, what will happen to large groups in their secure dungeons?
In every sector (IT, consulting, insurance, energy, software, finance, etc.), the leading players are providing thought leadership for their category and the whole of their industry. It is both in their interest and good for their credibility to use this thought leadership to address the new challenges of cyber resilience.