Data risk is a new reality in boardrooms across the globe. In addressing it, leadership teams need to differentiate between the temporary changes and the permanent ones. Social distancing and the current level of working from home may be temporary, but the new normal may well involve more working from home than before. On top of this, they need to learn two big lessons from the whole debacle – the need for greater flexibility and risk awareness.
1. Flexibility and digital transformation
While once organizations asked themselves, “Should we move to the cloud?” – doubting its benefit and security – over the last decade this has become, “How quickly do we move to the cloud?” – looking at what order to migrate workloads and how best to do so. Post-pandemic many will think “we NEED to be in the cloud.” Organizations that were further down the path of digital transformation almost all fared better than their peers during the pandemic – able to work remotely and collaborate with ease. Flexibility may have been just one advantage listed in the business case for digital transformation, but it is now seen as a critical business requirement.
This is a wake-up call for organizations that have placed too much focus on daily operational needs at the expense of investing in digital business and long-term resilience.
Businesses that can shift technology capacity and investments to digital platforms will mitigate the impact of the outbreak and keep their companies running smoothly now, and over the long term.
— Sandy Shen, senior director analyst, Gartner
2. Security and risk awareness
“Risk isn’t sexy.” The risk managers who evaluated credit risk in large banks weren’t really listened to until after the financial collapse in 2008. Likewise, those evaluating health risk were ignored for too long at the start of the pandemic. Aside from Dr. Anthony Fauci and a few others, those focusing on risk are never going to be celebrities. But whereas they were once ignored, they should now at least be listened to. Having lived through the financial collapse and the pandemic, we are now all acutely aware of the kinds of risks that exist and of the kind of major disruption events they can cause.
Hospitals may nearly have been overwhelmed at the peak of the pandemic, but if their systems had been hit by a cyberattack they’d hardly be able to operate at all. Western society is becoming ever more interconnected and ever more dependent on technology in almost all that it does.
3. Flexibility and risk awareness for competitive advantage
Few, however, realize that flexibility and risk awareness can together be a powerful source of competitive advantage. Dominant players tend to use their scale to sustain market leadership, but during major disruption events, if they lack the risk awareness to be crisis-prepared and the flexibility to respond effectively, they can fall rapidly from grace. Such events are a real opportunity for flexible, risk-aware organizations not only to capture market share but to capture entire markets. They are well positioned to thrive while those around them flounder.
It’s highly probable that this crisis will define winners and losers by their digital proficiency since consumers may prefer the contactless delivery protocol that digital ordering offers.
Now that we’re living in a world where the entire industry is an off-premise business, digital orders gain importance and provide an edge to those who already lead in that space.
— David Portalatin, NPD food industry advisor and author of “Eating Patterns in America”
4. So how do you do it and what happens if you don’t?
Flexibility and risk awareness are, as with many other things, a combination of people, process and technology. The people and process aspects require leadership to embed a culture that takes account of risk and is ready to respond, while the process and technology aspects are more about enabling them with the tools to do so effectively.
Even the move to the cloud as part of any digital transformation initiative comes with risk – both migration risk and security risk. However, rather than being daunted by this, a forward-looking organization will not only know how to minimize such risks but will also understand the costs and risks of doing nothing. Standing still is simply not an option. Not only would you fail to grasp the benefits of digital transformation, but the ground is also always moving under your feet. The threat landscape is constantly evolving, making patching and updating a continual overhead, and data itself is also constantly moving, changing and growing.
Digital transformation is not a one-off project or a tick in the box. It is a never-ending journey. Almost all systems become legacy as soon as they are implemented. Organizations seeking to move away from the cost and limitations of older legacy systems need to avoid simply creating another generation of legacy systems by building in the means for continual evolution.
5. Security and access is everything
All of this would be challenging enough in a benign environment. With the threat landscape continually growing and evolving, plus the inevitability that all organizations make mistakes (that’s why phishing is such an effective attack vector), we have to plan as though a cyber incident WILL happen. Focus not just on prevention but also on detection, and on backup and recovery.
The consequences of not doing so are stark: from business interruption and regulatory sanction (including not only fines, but also loss of the right to process data), to reputational damage and litigation (with class action suits on the rise).
6. Evolving ransomware threats
One of the most high-profile threats has been ransomware. The prospect of having your data encrypted and being held to ransom is terrible enough, but even if you choose to pay, there is no guarantee that your data will be decrypted or that backdoors have not been created allowing the attackers to return and extort you all over again.
The attackers are also becoming more sophisticated: in their use of technology – such as using AI to scan for and automate penetration or using metamorphic and polymorphic malware to avoid detection – and in their tactics, choosing to blackmail you by releasing tranches of sensitive data in the glare of publicity, rather than doing so quietly behind the scenes.
7. Dealing with ransomware
Most investment needs to be made up front, in prevention, in detection and in backup and recovery. The reality is, however, that if you are hit then prevention has failed, detection may well have been too late (on average incidents are detected more than 200 days after they occurred) and your backup and recovery may also have been compromised. The focus once an incident occurs is on damage limitation.
Your first step should be to disconnect your backups to ensure that they are not compromised (if this has not already occurred), and to seek expert help to find and fix the problem and ascertain its nature and scope. Of course you could have had the foresight to have implemented the best technology from leaders like Commvault with, for example, the use of immutable backups to the cloud for greater data protection. Not only would a more sophisticated approach provide extra capability on prevention and detection, but you’ll also be well positioned for backup and recovery as well as for analytics to assist with the technical forensics – to find and fix the problem fast.
8. Dealing with the repercussions
The technical fix and forensics, though, are just the first step. You will then need specialist legal advice to turn the forensics into a legally defensible narrative, and specialist reputation management advice to turn this into a brand defense strategy – dealing not only with damaging headlines but also with social hysteria and misinformation.
In most crises where you and your customers are victims of a crime, you can expect that if you show empathy for your clients you will gain sympathy for both you and them. Unfortunately, cyber-crime is almost the only crime where, rather than blaming the villains (the hackers), the press and public will blame the victim of the crime (you) for failing to prevent it. This is why specialist support on the technical, legal, reputational and social fronts will be required to deal with what will be an extremely difficult situation.
9. Be prepared
Unlike the credit risk in the global financial crisis and the health hazard during the pandemic, the cyber risk is not only visible but you also still have time to address it. In your planning, you need to consider both the individual impact to your organization of being the victim of cyber-crime and also the systemic impact of a widespread cyber pandemic impacting your entire ecosystem – and how you’d cope with either. A risk-aware organization will balance its risk appetite with its cyber security budget and target its resources strategically, with a long-term focus on secure digital transformation.
Bill Mew is the founder and CEO of cyber crisis incident response firm The Crisis Team. He is also a high profile digital ethics campaigner, who focuses on striking the right balance between “meaningful protection” (privacy, security, etc.) and “the maximization of economic and social value” (innovation, digital transformation, cloud, smarter cities, govtech, etc.). As well as being one of the top global influencers on all these topics, he appears regularly on international broadcast TV and radio, having more broadcast airtime than any other technologist in the UK.