Preparing for a Black Swan Cyberattack

Featured In Harvard Business Review

 By Claus Herbolzheimer
This article first appeared in the Harvard Business Review on September 14, 2016. 

Major institutions such as banks have a long history of establishing redundant systems to survive cyber-attacks. But as severe cyber-attacks hit companies, governments, utilities, and hospitals with greater regularity, it’s becoming abundantly clear that organizations now require two playbooks: the one they already have for common cyber threats like malware, phishing, and denial-of-service attacks; and a new one that covers something even worse. They must prepare for cyber crises that could cripple not just their own operations, but spread through their industry and across others as well.

To get ahead of today’s evolving cyber challenges, companies must borrow the playbooks used for other types of disasters, so-called “black swan” events that can occur suddenly, with unexpectedly widespread ramifications. Yet while severe cyber-attacks are becoming increasingly common, nearly half of companies have not even identified cyber scenarios that could affect them, according to a recent survey conducted by Marsh, Oliver Wyman’s sister company. A quarter do not even treat cyber risks as significant corporate risks at all.

This means that companies need to spend time examining what types of cyber crises they might face – no matter how unlikely. Like other disasters, cyber-attacks can hit as suddenly as a catastrophic 100-year storm. But they also can emerge slowly at first, like a pandemic that systematically builds and spreads over time before emerging as a full-blown crisis – when it is too late to prevent them. As a result, companies must have plans in place to both mitigate extreme cyber threats and pinpoint slow-burning, emerging cyber dangers.

Companies then need to analyze if they can contain cyber threats or if they could spread like a contagion within their industry – and perhaps beyond. Already, some organizations have developed extreme fallback and containment plans, such as preparing to operate offline. Some are even adopting operating offline as their preferred approach. Singapore recently decided to cut off access to the internet for nearly all of its computers, three years after hacktivists crippled the government’s websites through a series of cyber-attacks. Healthcare providers and hospitals infected by ransomware attacks in the United States and Germany are taking critical systems partially offline and are preparing to go back to pen and paper in case an incident impairs their digital operations.

Due to the networked nature of many operations today, most companies will need to go further to prepare for cyber-attacks that could have industrywide ripple effects, such as forging coalitions with competitors, regulators, and industry associations. By working together, industry stakeholders can establish predefined channels and mechanisms that ensure a speedy and effective response.

For example, some banks are joining forces with competitors to step in as proxies in the event of a cyber-crisis, because they understand that the ramifications of an attack on their systems could go far beyond their own business. An economic crisis could result if banks were suddenly unable to provide millions of businesses and people access to their accounts, preventing them from paying salaries and bills.

Other leading organizations are examining establishing “cyber pool funds,” similar to funds set aside to assist with the aftermath of terrorist attacks or natural disasters. These funds could minimize the aftershocks of cyber-attacks that cascade to the point that they develop into complete cyber meltdowns that bring down more than one industry.

Another key step could be to set up industrywide or cross-industry “SWAT” teams to regularly monitor and address common cyber threats. These teams would examine what cyber risks should be covered at a minimum and to what degree. They would identify trigger points that can head off full-blown cyber crises: Which types of data and services are okay to lose for a couple of hours? What losses would quickly lead to a cyber-meltdown?

These same SWAT teams could conduct cross-industry cyber-attack post mortems as well, so that industries’ cyber defenses become stronger over time. These teams would not only identify best practices but assist companies in embedding lessons learned from past attacks into their systems.

One thing is certain: The ramifications of cyber-attacks will only spread and the level of their sophistication will only grow. In response to the release of sensitive Democratic National Committee emails to influence the United States presidential election, for example, the White House recently issued its first emergency response manual for a major cyber-attack. While that hack is considered low grade, the government is preparing for higher-grade cyber threats to infrastructure, stability, and human life.

Extreme times call for extreme measures. Cyber threats that many companies previously considered unthinkable now happen on a daily basis. Organizations should take a cue from governments’ growing sense of alarm and begin forging the ties required to build a second playbook focused on heading off cyber meltdowns.


The state of cyber risk management at a glance

Even though the number of targeted cyber-attacks is growing by double digits annually, many medium and large-sized corporations still do not devote sufficient resources to cyber risk management.


Source: European 2015 Cyber Risk Survey Report, Marsh, Global Risks 2015, medium and large-size corporations.

This article is posted with permission of Harvard Business Publishing. Any further copying, distribution, or use is prohibited without written consent from HBP - permissions@harvardbusiness.org