Topics: Audit and Risk,Cybersecurity,Technology
July 27, 2018
Editor’s Note: This is the second in a series exploring the board’s role in corporate resilience.
The structure of risk is changing. Across the world, accelerating rates of technological and social change are putting growing pressures on businesses, governments, and international structures to respond at a previously unseen speed. Interconnected stresses and shocks are challenging assumptions and best practices. Stand-alone risk mitigation and incident management approaches will not be enough, and have not been enough for some time. Adaptive approaches are needed.
Before your company considers what it needs to do to become more resilient (as discussed in part one of this series), it should also take time to consider how and why the risk landscape is changing at such a dramatic speed. Why is resilience becoming more important now?
Public trust in business is declining—and the decline is being accelerated by data insecurity. Diverse, recurring incidents across many industries challenge confidence in corporate leaders and practices. These include data losses, repeated cyber penetrations (for instance, Sony has been breached several times in the past decade), leader-sanctioned data falsification, and deceptive practices. Europe’s General Data Protection Regulation (GDPR) raises the bar for protecting privacy and imposes severe penalties both for data loss and for reporting delays, which will challenge nearly every data-based company doing business on the continent. In any case, since companies cannot expect to avoid incidents in these environments, it behooves them to prepare in ways that build resilience and leave all concerned better off afterwards. The changing structure of risk is making this particular task harder all the time.
Geopolitical risk is rising after a period of relative stability. Klaus Schwab, founder and chair of the World Economic Forum (WEF) in Geneva, postulated that the world is entering a Fourth Industrial Revolution that will be characterized by “a fusion of technologies that is blurring lines between the physical, digital, and biological spheres.” The velocity, scope, and systems-wide impacts of these changes will be massively disruptive, transforming how companies are managed, as well as means of production and distribution. This paradigm shift can provide very important collective benefits, raising productivity and improving quality of life for many. But labor markets in many countries are likely to become more unequal and disrupted, with losses of jobs and a further bifurcation into “low-skill/low-pay” and “high-skill/high-pay” groups. A result may be societal inequalities and social tensions, which could generate significantly more refugees from “youth bulge” areas in the Middle East, Africa, and Asia. There also could be unrest in megacities and under-served parts of the developed world. The resulting geopolitical risks include domestic turbulence, scapegoat-finding, radical nationalism, and protectionism.
Technological change is accelerating. Most businesses consider technological change in their own competitive areas, but few have internalized its accelerating, interconnected parts. If a capability—say computing power per unit cost—doubles every eighteen months, in ten years it will grow by 10,000 percent, and in 15 years nearly 100,000 percent. Even if the doubling period is two years, in 15 years the increase is nearly 20,000 percent. The rate of growth may slow, or there may be dramatic increases in some capabilities, such as quantum cryptography. There may be new materials or advances that we have yet to foresee. The net result is that linear projections based on present conditions cannot work, however comfortable they may be and however useful they may seem for driving conversations and decisions.
Understanding the impacts of new technologies is complicated by the fact that many changes are occurring simultaneously, and across diverse areas. Some areas of biotechnology are changing even faster than computations per dollar. Robotics and autonomous vehicles are proliferating quickly. Additive manufacturing such as 3-D printing grows more sophisticated daily. Nanotechnology is entering widespread use, from batteries to medicine to new materials. The energy that underpins everything is undergoing several different types of transformation. Changes across all these domains, plus areas like artificial intelligence, need to be at least considered in corporate planning, along with their interactions.
Even if a company is not directly implementing a particular technology, leadership needs to understand how the overall environment is changing and ask how it will affect the firm’s interests. These changes provide new opportunities but also add new risks—many of them interdependent, and without borders.
Technical and social risks are becoming more interconnected. Consider four examples of interconnected risks: mobile devices, the Internet of Things (IoT), physical vulnerabilities of infrastructure, and insider threats. These might seem to be mainly related to information technology (IT), but they can have impacts across the company and the environment in which it operates.
Mobile devices are becoming more essential to daily life—and presenting more risks. They introduce threats that must be understood and addressed aggressively. The board should ask whether devices issued by the company are password or PIN protected. Is the data on them encrypted? Can they be tracked or disabled remotely, at home and abroad, if lost or stolen? Does the company even have an inventory of them?
IoT risks are exploding. Almost no one understands the extent of cyber risk posed by the rapid deployment of the inherently insecure IoT. Even those who recognize IoT’s potential upsides and downsides find it hard to turn this into realistic risk assessments for their companies, much less for the outside organizations they interact with and on whose networks they may depend. This is not a hypothetical issue. Security cameras and corporate refrigerators already have been turned into attack vectors. How many companies have an accurate picture of their IoT connections, or plans for managing them over the life cycle of the components?
Physical infrastructure is becoming more vulnerable. Cyberattacks increasingly can do physical damage to infrastructure. Generators can be destroyed, industrial control systems hacked, and sensors corrupted to degrade output quality without showing up on monitoring reports. Medical devices are exceptionally vulnerable to hacking, leading to everything from misdiagnosis to death.
Social engineering and insider threats are rising. Beyond technology, the pervasiveness and danger of insider threats are growing. Some big data analytic applications are working to develop baselines of activity across a company from which anomalies can be detected in near-real time. It remains to be seen how effective these will be in the long run, but it is clear that traditional security approaches against insider threats and social engineering, such as phishing e-mail attacks, are failing too often.
As noted in part one of this series, security approaches aimed only at locking down and keeping cyber threats out cannot work. There are too many penetration vectors, and the attack surface is too large, and growing. In 2016 Daniel Dobrygowski of the WEF was explicit: “Cybersecurity is no longer enough: we need a strategy of defence, prevention and response…. [L]eaders should be considering cyber resilience as a strategic goal.”
To be cyber resilient a company first needs to be resilient overall. Much of the focus of cyber resilience is on technology and network measures, referred to as operational or business resilience in part one. But the cultural component of cyber resilience is equally critical. All members of the organization need to know their roles and execute them. People are both the first line of defense and the greatest weakness.
These are complex problems that demand adaptive approaches. Few people in the company, including the board members and the most senior leaders, will themselves have the expertise and the perspective to address the technical issues, tie the disparate threads together, and understand the interdependencies. Yet it is essential that they ensure that the organization overall considers these challenges in decision-making.
In a March 2016 Director Dialogue, Judy Warner, editor-in-chief of NACD Directorship, summarized advice from a 2016 series of NACD roundtables on organizational resiliency: “Be skeptical. Trust, but verify. Resist complacency.” Because of the special nature of cyber resilience, the board might benefit from outside advice.
Future parts of the series will address how resilience differs from enterprise risk management, how companies can build a capacity for resilience, and what the board’s role should be in resilience.