Cyber risk management seems to be a huge undertaking. What’s the first thing organizations need to know?
The reality is you can’t control every single aspect of cyber risk to your business. But there are baseline things you can control, that you need to measure and manage, to make your business run smoothly. Even if you can’t control every single element, there is still a lot within your control to put cyber security measures in place. You’re only as vulnerable as you allow yourself to be.
Who’s responsible for leading a cyber risk management program?
This starts from the top down. If you don’t have executive support – and I’m talking from the board level down – if they don’t understand the critical nature and the critical dependency that a business has on these industrial control systems, especially in oil and gas, then you’re fighting an uphill battle to get the money, resources, and commitment from other leaders to implement a successful program.
It’s a question of willpower. Companies have the money to do this and the technology and best practices are out there to help with assessments, monitoring and controls. But it’s the will and commitment by leaders to do something constructive with that. And then, of course, it’s the willingness to put the resources in place to follow up, manage that risk and make sure it’s being done effectively.
Once you get leader buy-on, where do companies start when implementing cyber risk management?
First off, you have to be an expert in your own business. Cyber security starts with knowing your own business plans, business processes and workflows. It comes down to classic risk management principles. To identify what your key risks are – cyber or other – you need to know what your environment looks like right now. Do you have a solid idea of your basic functionalities as a business? What technology do you rely on to make your business run smoothly? What assets do you own? How old are they? For technology assets, what’s their basic connectivity method? In other words, are they connected to the internet or to an internal network that’s connected to the internet? All that basic knowledge has to come before asking ‘how do we protect it?’
How do companies identify which parts of their operations are most vulnerable to a cyber attack?
Creating a cyber security plan relies on taking that typical risk management approach, but through a cyber lens. Once you have identified your key assets – which could be people, machines or products – and where they fit within your business, then the question becomes, ‘what key technologies do we depend on to protect these key assets or keep them operational?’ Are they at risk of failure because of the technology? Are they vulnerable to hacking? What controls do we have in place right now to protect these assets? And how good are those controls based on trends we’re seeing in the global cyber risk landscape?
To use an example in my work, I would start by asking my energy clients, “What’s the best thing we can do to protect these key assets to make sure we can get oil out of the ground, get it into a pipeline and get it to market?” That’s it. That’s the whole point of their business, from an upstream perspective. What’s the point of your business and where are you relying on technology to keep things running smoothly?
Cyber risk management may seem overwhelming, particularly for smaller companies. Do they have to worry about everything that’s out there?
Definitely, it can seem intimidating. There are a number of different of types of advanced persistent threats (APTs), out there now. If the hackers want you, they’re going to get you. But it’s important to realize there are some things we can do about it and other things we cannot. When we’re looking at designing and implementing a cyber risk plan, our test is around reasonableness. If we try to protect against every single exploit, every single potential bad guy that’s out there, then there’s not enough time or money to do that.
What are some of the primary cyber risks of which companies need to be aware?
Technology is intertwined with every aspect of an organization. For some organizations, their primary concern will be personal data, proprietary trade secrets or intellectual property. They need to ensure the safe collection, storage and management of that data and also take into account local and international laws. In Canada, this includes the new Personal Information and Electronic Documents Act (PIPEDA). Europe will be putting into place even tougher privacy laws in May, under the General Data Protection Regulation (GDPR), which will affect companies all over the world.
When we look at some of the automation that’s taking place, where industrial equipment may be remotely controlled or operated by machines, this goes beyond individual data protection. Some of the vulnerabilities or risks we see include malware that can take over a machine. Ransomware, for example, can block a machine’s ability to operate, or feed false information back into a control system to affect operations of the plant. This can come from external sources. But there are also internal threats in terms of employees within trying to intercept information and cause intentional damage.
What’s on the horizon to help companies manage cyber risk?
Right now, with so many emerging threats, the single biggest problem is threat intelligence – keeping up with the bad guys. But the automation technology is getting better and better to help monitor threats and to respond much more quickly when there’s a problem. Until now, a lot of security controls have centred around someone looking at the correct screen at the right time to see if something bad is happening. It’s been a very manual process.
But now, once you have your “normal” environment established, it is possible to translate that into data that machines can read. We’re at the stage broadly where companies can map these data flows to provide a baseline, a picture of what’s normal. This baseline data can be consolidated into a single data flow of information that feeds analytical software that alerts us in near-real time that something is not normal.
Right now, we have this sort of unit-by-unit monitoring approach. So System A has a problem. And then you see that System B has a problem. And eventually you figure out that System A and System B are showing the same problem. But it takes a long time to manually align those units and figure that out. We’re trying to reduce the dependency on monitoring unit by unit. Instead, we want to consolidate that into single view of what’s happening in our environment. And eventually, with the advances in machine learning, there will be a robot out there that’s monitoring all this stuff and can respond to it within seconds, rather than hours.
What are some of the pitfalls you’ve seen around cyber risk management?
People are buying a lot of stuff they don’t need. In some cases, companies buy the wrong technology to mitigate something that’s not even a risk in their specific environment. In other cases, they buy the right technology but they don’t implement it correctly, or they fail to put the processes in place to monitor and control. You have to identify your assets and know what you need to protect before putting in measures to protect it. This is classic risk management. And if you don’t have the staff in house, this is one thing that’s worth spending money on right now to get cyber risk management right from the outset. The bad guys are getting better and better, and we need to “up our game” to stay ahead of them.