Preparing your business for a Cyber Attack
Ravi Baldev Singh, CISSP
SE Leader @ Commvault | Cyber Resilience & Risk Practitioner | Be #antifragile
Survival Time Objective.
A phrase that hits home for most CIOs, who keep hearing about "ransomware", "malware" and "cyber attacks" from ambulance chasers working for technology vendors.
STO is the total time an organization takes from detecting an "event" (malware found on a VIP's laptop, or your CFO's EA complaining of a Bitcoin demand screen on her/his PC - you get the picture) all the way to assembling a decision task force that drives Response and Cyber Recovery action from that point forward.
For a bank, STO should be hours, not days. We live in times of digital access to our accounts and cards; payment systems are interconnected and no bank can afford a micro-meltdown via its retail and corporate clients rushing off to branches for withdrawals en masse. Barriers to account opening and loyalty switch aren't that high anymore, and overall liquidity in the economy helps even the weakest bank to claim better credentials than the entity that's just been ransomed.
For a retail chain, offline POS terminals mean customer dissatisfaction and queues - would you return to the same retailer if you had been inconvenienced? The MEA region is still cash centric, so yes, some of us just might. Brick-and-mortar retail chains compete with online sharks, so any cyber "event" is not just embarrassing; it can sound the death knell for the business. (If they can't protect their POS terminals, how will they protect my credit card information?)
I'm privileged to have worked with a number of insightful Heads of Technology, CTOs & CIOs across MEA who understand that running from crisis to crisis isn't a job they are hired for. Cyber crisis is often a painful outcome of not having done enough to predict and prepare. Here are some insights I've gained over a decade at Dell/EMC and I hope these help you, dear reader:
#1 - Map out what is critical for your business' survival
Maintain a list of the business and IT systems your organization simply can't do without. Take an "outside-in" approach: think like your biggest client and map out how they interact with your systems and people. You will find a number of systems and processes that (hopefully) work together cohesively to deliver a specific outcome for that client... that's your critical chain right there. Next, map out the systems and processes consumed by your top-performing staff who make it rain for your organization, and repeat the exercise. Survival of your business depends on your heavy hitters and stakeholders holding the fort during a cyber crisis.
During my days at HSBC, I dealt with Operations Risk teams who kept a clear catalog of the services and linkages that were necessary. Regular risk reviews were the norm. We all must get out of the "IT Risk" mentality... a cyber event is not an IT-only problem. Make the transition to the "Business Risk catalog" thought process; do it quickly and you might just be better prepared for the next crisis.
#2 - Answer the question: "What's our Survival Time Objective?"
Next, I'd advise sitting down with business stakeholders and walking them through your critical chains. They bring the business perspective while you provide insight into the IT systems and Technology team members that contribute to recovery from a cyber crisis. While you and the business stakeholders jointly draft a "Business Risk catalog" of services and critical chains, push for a clear answer on the organization's STO. The business defines STO, and IT delivers outcomes that meet or reduce it. Make suggestions on STO - but get it answered and documented.
IT folks often tinker with age-old metrics such as Recovery Time Objective and Recovery Point Objective. Those follow ... but you need to know the business STO first. Every other approach is a non-starter if STO isn't discussed with, and defined by, the business.
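To make steps #1 and #2 concrete, here is a small model of a "Business Risk catalog" in Python. This is an added example, not the author's or any vendor's tooling: the system names, the RTO/RPO figures, the dependency links and the 12-hour STO are all constructed, and it treats the business-defined STO as the ceiling that each critical chain's end-to-end recovery must fit within (an interpretation assumed here). Each chain is walked outside-in from the client-facing entry point; a system can only come back once its dependencies are up, so the chain's recovery time is its longest dependency path, and the chain's data-loss exposure is the worst RPO of anything on that path.

```python
"""Model of a 'Business Risk catalog' with critical chains checked against an STO.

Added example, not the author's or any vendor's code. System names, RTO/RPO
figures, dependencies and the STO value are constructed for illustration.
"""

# Constructed catalog: system -> (rto_hours, rpo_hours, depends_on).
# A system can only be brought back once everything it depends on is up.
CATALOG = {
    "core_banking":  (8.0,  1.0,  []),
    "identity":      (2.0,  0.5,  []),
    "payments_gw":   (4.0,  0.25, ["core_banking", "identity"]),
    "mobile_app":    (3.0,  0.0,  ["payments_gw", "identity"]),
    "branch_teller": (6.0,  0.0,  ["core_banking", "identity"]),
    "hr_portal":     (24.0, 24.0, ["identity"]),
}

# Constructed critical chains, mapped "outside-in": the system a client
# or a heavy-hitting employee actually touches.
CHAINS = {
    "retail_client_mobile_payment":       ["mobile_app"],
    "corporate_client_branch_withdrawal": ["branch_teller"],
    "staff_payroll":                      ["hr_portal"],
}

STO_HOURS = 12.0  # constructed: what "the business" said it can survive


def closure(system, catalog):
    """Every system (transitively) needed for `system` to work, itself included."""
    seen, stack = set(), [system]
    while stack:
        s = stack.pop()
        if s in seen:
            continue
        seen.add(s)
        stack.extend(catalog[s][2])
    return seen


def recovery_time(system, catalog, memo=None):
    """Earliest hour at which `system` is back, assuming independent systems are
    recovered in parallel and each one starts only after its dependencies."""
    if memo is None:
        memo = {}
    if system in memo:
        return memo[system]
    rto, _, deps = catalog[system]
    start = max((recovery_time(d, catalog, memo) for d in deps), default=0.0)
    memo[system] = start + rto
    return memo[system]


def critical_path(system, catalog):
    """Walk back along whichever dependency finishes last: that is the bottleneck."""
    path = [system]
    while True:
        deps = catalog[path[-1]][2]
        if not deps:
            return list(reversed(path))
        path.append(max(deps, key=lambda d: recovery_time(d, catalog)))


def assess(chains, catalog, sto_hours):
    """For each chain: recovery hours, data-loss hours, STO verdict, bottleneck path."""
    report = {}
    for name, entry_points in chains.items():
        worst = max(entry_points, key=lambda e: recovery_time(e, catalog))
        needed = set().union(*(closure(e, catalog) for e in entry_points))
        rt = recovery_time(worst, catalog)
        report[name] = {
            "recovery_hours": rt,
            "data_loss_hours": max(catalog[s][1] for s in needed),
            "meets_sto": rt <= sto_hours,
            "critical_path": critical_path(worst, catalog),
        }
    return report


if __name__ == "__main__":
    for chain, r in assess(CHAINS, CATALOG, STO_HOURS).items():
        verdict = "OK" if r["meets_sto"] else "BREACHES STO"
        print(f"{chain}: {r['recovery_hours']:.0f}h recovery, "
              f"{r['data_loss_hours']:.2f}h data loss, {verdict}; "
              f"bottleneck {' -> '.join(r['critical_path'])}")
```

Running it shows both client-facing chains breaching a 12-hour STO, and in both cases the bottleneck path runs through core_banking: that is the conversation to have with the business, since shaving RTO anywhere else on the chain changes nothing. The payroll chain's 26-hour recovery and 24-hour RPO are tolerable precisely because the business, not IT, decided that chain is not survival-critical.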
#3 - Detection+Protection are important, but Business Recovery is King (or Queen)
Cyber security vendors are quick to flaunt their detection+protection credentials, and InfoSec team members often take pride in the several technologies that bring in Defense in Depth, Zero Trust access and advanced Identity/Access pillars - all for good reason. They should be proud; after all, detection and protection/prevention are critical, as are regular cyber threat awareness trainings for employees.
None of these, however, help recover business systems when you need them back in action post-attack. Recall that once a symptom is detected and a destructive event has been thrust upon you, the STO clock has started ticking. You need a Cyber Recovery System to restore your business to the last known good point from what should be a Golden Copy of your systems, processes and data.
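The "last known good point" above is only worth restoring if you can show the Golden Copy has not been altered since it was taken. The Python below is an added example of that pre-restore check; it is not the author's or Commvault's code, and the manifest layout, the HMAC key (assumed to be held in the recovery vault, away from the production estate) and the sample files are all constructed. It records a SHA-256 digest per file and seals the listing with an HMAC, so a later verification reports modified, missing and added files, and refuses to trust a manifest whose seal does not check out.

```python
"""Integrity check of a 'Golden Copy' before it is used for cyber recovery.

Added example, not the author's or Commvault's code. The manifest format,
the key handling and the sample files are all constructed here.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file, streamed so large backup objects do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _listing(root):
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_manifest(root, key):
    """Hash every file under `root` and seal the listing with an HMAC.
    The key is assumed to live outside the production environment, so whoever
    can rewrite the copy cannot also produce a matching manifest."""
    files = _listing(root)
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_copy(root, manifest, key):
    """Report whether `root` still matches its manifest.
    A manifest that fails its own seal is rejected before any file is checked."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return {"ok": False, "reason": "manifest tampered",
                "modified": [], "missing": [], "added": []}
    present = _listing(root)
    recorded = manifest["files"]
    modified = sorted(f for f, d in recorded.items() if f in present and present[f] != d)
    missing = sorted(f for f in recorded if f not in present)
    added = sorted(f for f in present if f not in recorded)
    ok = not (modified or missing or added)
    return {"ok": ok, "reason": None if ok else "content drift",
            "modified": modified, "missing": missing, "added": added}


def demo():
    """Constructed scenario: a clean copy, the same copy altered later, and a
    manifest rebuilt by someone without the vault key."""
    key = b"constructed-demo-key-kept-in-the-vault"
    with tempfile.TemporaryDirectory() as d:
        golden = Path(d) / "golden"
        (golden / "db").mkdir(parents=True)
        (golden / "db" / "ledger.dat").write_bytes(b"constructed ledger contents")
        (golden / "config.yml").write_text("role: core_banking\n")
        manifest = build_manifest(golden, key)
        clean = verify_copy(golden, manifest, key)

        # The copy is altered after the manifest was sealed: one file changed,
        # one removed, one that was never part of the golden image appears.
        (golden / "db" / "ledger.dat").write_bytes(b"\x00 not the original bytes")
        (golden / "config.yml").unlink()
        (golden / "README_RESTORE.txt").write_text("constructed stray file\n")
        drifted = verify_copy(golden, manifest, key)

        # A manifest regenerated over the altered tree without the vault key
        # has consistent hashes but cannot carry a valid seal.
        forged = verify_copy(golden, build_manifest(golden, b"not-the-vault-key"), key)
    return clean, drifted, forged


if __name__ == "__main__":
    for label, r in zip(("clean", "drifted", "forged"), demo()):
        print(label, r)
```

The point of the seal is separation of duties: the key never sits with the data it protects, so the check still means something when the production estate itself is the thing that was compromised. In a real recovery system the same manifest would be taken at the moment the Golden Copy is made, stored with the copy in the vault, and re-verified as the first step of any restore.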
Insights from a CTO
Last Friday, I had a cyber recovery strategy review call with the CTO of one of our clients in the region (a bank). Two discussion points came out - and I did chuckle hearing these, as perhaps you will too. So here goes:
"When you have a ransomware attack and you cannot recover the systems, what do you do? You talk as if you had an epiphany! 'Oh! Let me document this whole incident under Lessons Learnt for future reference.' Would your business trust you going forward? Would you have a job after this incident, for utter lack of preparedness? I doubt it."
and this:
"What's more important for my business... the bank's reputation? Or the collective ego of our InfoSec team? Of course our brand!"
Controversial, as always, Mr. C ... thank you for that conversation!
Summary
Thank you, folks, for reading my article. Do share your stories or insights with me - offline if you must. We owe it to ourselves to strengthen our businesses. I will share more insights and specifics in future articles.
Stay well and stay curious!
Sales Leader (3 years ago): An excellent brief on the importance of cyber recovery. Thanks, Ravi Baldev.
Leader in Sales, Marketing and Business Strategies (3 years ago): Good one, Ravi Baldev. Asset identification, their classification, their management and periodic audits are all vital, though much unrepresented in the budgets of organizations. While thwarting every possible attack coming your way may not always be possible, recovery of critical components, or the crown jewels as we may want to refer to them, would literally mean how fast you return to business as usual. In a competitive world, that also defines the customer confidence in you and your profitability. I think enterprises are more cautious than in past years, but still far from acceptable standards when you look at the majority. I hope the efforts keep continuing to reach those levels, considering the progress we have seen in the industry just in the last two years.
Principal Security Solution Architect @ SUSE, helping build Zero Trust for Kubernetes, Shift Left for DevSecOps and secure Open Source Supply Chains for enterprises and the public sector (3 years ago): This is a great summary, Ravi! What prevents many architects and pre-sales from speaking openly on the full extent of this issue is the fear that somehow STO and their sister RPO/RTOs are IT's responsibility and therefore need to be resolved within IT effort/budget constraints. But as you've rightly said, it's an overarching business/security/IT issue and should be seen as the business survival cost, and once that is understood, suddenly the value of a recovery solution for the entire business becomes much more tangible to the customer.