Are Firms Ready for Strategic Cybersecurity Resilience?

 
Nandan Kumar Singh
Indian Institute of Management, Visakhapatnam

Myth: Resilience is mainly an operational consideration. Reality: Resilience is strategic. — Harvard Business Review [6]

Modern supply chains are becoming more digitalized and reliant on real-time communication among numerous devices such as sensors, robotics, and drones [8]. Thanks to the advancement of Industry 4.0 technologies¹, the trend is only growing stronger. However, such advancement is not without pitfalls. Tang and Veelenturf [13] list cyberattacks, faulty data, safety regulations, and privacy issues as the primary risks associated with these technologies. Indeed, increased digitalization and reliance on cyber-devices expose firms to cyberattack risks. A premeditated attack on specific targets, such as the electricity grid, could create a domino effect that results in disruptions and financial losses beyond any firm’s wildest imagination.

Global cybercrime was estimated to cost approximately 6 trillion US dollars in 2021², which is equivalent to a shocking 190,000 US dollars per second [12]. According to Accenture’s cybersecurity report [5], the average number of cyberattacks per company has increased by 31% since 2020. Luckily, companies are responding accordingly. Security investment is increasing, with IT security budgets reaching up to 15% of the total IT spending, which is five percent higher than reported in 2020. The expenditures are meant to mitigate the negative effect of disruption due to cyberattacks, aiming at one or more of the three dimensions of disruption, namely, (i) the probability of disruption, (ii) the financial impact of disruption, and (iii) the time required to uncover security breaches or attacks. To get a better understanding of how robust cybersecurity benefits companies, one can first think of the opposite case: what if companies have essentially zero defense against cyberattacks? To that end, the next section focuses on the three dimensions of disruption. It also shows that investment in cybersecurity is not homogeneous, nor is it as simple as committing more money and resources without strategic considerations.

Three dimensions of disruption

Potential disruptions are often categorized by two dimensions in traditional risk management literature: likelihood of occurrence (disruption probability) and magnitude of impact (consequences or financial impact). High-probability, high-impact disruptive events (HH) (for example, oil companies suffer substantial losses every time a hurricane moves through the Gulf of Mexico) and low-probability, high-impact disruptive events (LH) (for example, the 1986 Chernobyl meltdown and Hurricane Katrina in 2005) should be treated very differently by risk managers [10]. Sheffi [9] introduces a third dimension, detection lead time, and emphasizes the importance of detecting disruption quickly.


Figure 1: Three dimensions of disruption

The three dimensions of disruption are defined below:

  1. Disruption probability denotes the likelihood of a particular disruption.
  2. Consequence denotes the impact (or severity) of the disruption once it occurs.
  3. Detection lead time is defined as the lead time between anticipating the occurrence of a disruptive event and the event’s first impact on the company. It is the amount of warning time during which a company can prepare for the disruption and mitigate its (potential) effects.

The detection lead time plays a significant role in cyberattack-related disruptions because the faster the firm identifies the attack and estimates the financial impact, the earlier it can begin recovery. Detection lead times can be positive (when the attack vector, such as a virus, trojan, or other malware, is detected in advance of its impact on the firm’s business), zero (when the attack vector is detected at the moment it hits the firm’s business), or negative (when the attack vector is only recognized after the attack has taken place) [9]. For example, Google recently blocked the world’s largest DDoS attack [3], demonstrating a case of positive detection lead time; whereas Stuxnet, a malicious computer worm discovered in 2010, is an example of negative detection lead time, for the virus was developed as early as 2005 [14].

The Cyber quadrant

Based on the three dimensions of disruption, one may imagine a company with a strong cyber defense system being able to lower disruption probability, minimize disruption consequences, and have a longer detection lead time. However, is this what a company should always aim for? While such a company may be more immune to outside disruptions, an extreme cyber defense system can itself be disruptive to a company’s operations, as I will show later in this section.

A cyber-resilient organization integrates cybersecurity abilities, business continuity, and enterprise resilience. It incorporates security throughout the business ecosystem and employs flexible security strategies to respond quickly to threats, allowing it to minimize damage while continuing to operate under attack. As a result, the cyber-resilient organization may securely deploy innovative offerings and business models across the entire value chain, bolster customer trust, and confidently expand.

Accenture identifies four levels of cyber resilience (see Figure 2) based on two dimensions: (i) cybersecurity resilience and (ii) business strategy alignment. Strong cybersecurity resilience entails the ability to stop a cyberattack (lower disruption probability), lessen the impact of an attack (consequence), and discover a breach earlier (detectability). Strong business strategy alignment prioritizes business objectives (e.g. shorter launch time, more market share, cost reduction, business growth, innovating products/services, and entering new markets) and aligns cybersecurity forces accordingly [5]. The four levels of cyber resilience are described below:

  1. Cyber Champions: Cyber Champions thrive in protecting their assets and are the best at it. They have strong cybersecurity resilience and closely aligned business strategies.
  2. Business Blockers: Business Blockers take a security-first approach and prioritize security over their business strategies.
  3. Cyber Risk Takers: Cyber Risk Takers take a business-first approach and place less emphasis on cybersecurity strategy. They are more likely to reach or even exceed business objectives, but their business-centric behavior makes them susceptible to cyber risk.
  4. The Vulnerable: The Vulnerables are the least concerned about cybersecurity and have weak cybersecurity resilience.

Figure 2: The Cyber Quadrant [5]

Cyber-resilience performance criteria

Accenture [5] introduces four cyber-resilience performance criteria. They are explained below:

  1. Better at stopping the attack. This implies reduction in the disruption probability. The company should invest in mitigation measures to have positive detection lead time, so as to reduce the probability of successful attack. Cyber champions perform better than others; on average, out of six cyberattacks, only one breaches the security [5].
  2. Finding breaches faster. This indicates an increase in the detection lead time. Cyber champions can identify 55 percent of the breaches within a day, while the business blockers and cyber risk takers can respectively identify 50 and 30 percent of the breaches within a day [5].
  3. Fixing breaches faster. This means reducing the time to recover (TTR). [11] define TTR as the time "it would take for a particular node in the supply chain — a supplier facility, a distribution centre, or a transportation hub — to be restored to full functionality after a disruption". Similarly, TTR in cyber-resilience can be defined as the time the system/server will take to recover from the cyberattack. Cyber champions fix 100 percent of the breaches within 15 days, whereas the vulnerables and cyber risk takers can only fix 30 percent of the breaches within a 15-day time frame [5].
  4. Reducing the impact of breaches. This requires a reduction in the severity of the cyberattacks’ impact. Cyber champions have 72 percent of the breaches with no impact, whereas the business blockers and cyber risk takers have 64 and 23 percent, respectively [5].

Path to strategic cyber-resilience

In this section, we focus on the strategic pathways for the vulnerables and cyber risk takers, who have weak cybersecurity resilience, to achieve strategic cyber-resilience based on their positions and needs.


Figure 3: Strategic Pathways to Cyber-resilience

  1. Most start-ups can be categorized as cyber risk takers because they adopt a business-first approach. Our interaction with the founders of tech start-ups based on emerging technologies, such as AM, AI, and IoT, reveals that they are not much concerned about cybersecurity at the initial stage. They believe that the market is emerging and they will consider prioritizing cybersecurity only after the market becomes mature. However, even after the market matures and the firms are no longer start-ups, they keep overlooking cybersecurity in their operations. For example, on September 15, 2022, a cyberattack on Uber compromised many of Uber’s internal systems. The New York Times [4] reported that the attacker gained almost complete control over Uber, including Uber’s source code, internal systems, and emails. It is not the first time Uber has been under cyberattack. In 2016, an attacker stole information from 57 million rider and driver accounts, and Uber paid a ransom of 100,000 US dollars to have the copy of the data deleted [4]. We may see an end to Uber’s negligence on cybersecurity. After the September 15, 2022 attack, Uber started to hire for multiple cybersecurity positions [1]. Organizations such as Uber can achieve better business outcomes and gain a competitive advantage in the race to cyber-resilience by aligning their cybersecurity efforts with their business strategy. The start-ups’ business niche is highly competitive and has many hidden rivals. There is a great chance that one successful attack will damage the firm’s reputation substantially and drive it out of the market. Hence, firms should seek to become cyber champions as the market matures to avoid the aforementioned situation (follow path 4).
  2. The innovative micro, small, and medium enterprises (MSMEs)³ can normally be categorized as the vulnerables, as they neither are cybersecurity resilient nor have great business strategy alignment. Such vulnerability is partially justified, as attackers usually have less incentive to launch a cyberattack on these MSMEs. Consequently, they may be safe to remain vulnerable or should seek to become cyber risk takers (follow path 1) by considering cybersecurity while defining their business objective, rather than following path 3 to become business blockers. As pointed out before, a great cybersecurity system may be disruptive to the company’s business and is not always desired. As these MSMEs are striving to survive, a great emphasis on cybersecurity may hinder their ability to explore potential markets. However, if they desire to become cyber champions and continue to thrive, the correct strategy is to put relatively equal weight/priority on business alignment and cybersecurity resilience (follow path 2).

Acknowledgment

Many thanks to Ryan M. LaSalle, Senior Managing Director, Accenture Security, for responding to my queries on “The state of cybersecurity resilience 2021” report and providing input on cyber-resilience.

 

 

¹ Industry 4.0 technologies include but are not limited to additive manufacturing (AM), drones, the internet of things (IoT), blockchain, advanced robotics, and artificial intelligence (AI). For interested readers, I refer to Olsen and Tomlin [7] for a more detailed review.

² The costs are associated with data damage and destruction, theft of intellectual property, theft of financial and personal data, restoration and deletion of hacked data and systems, and reputational harm.

³ For more details on innovative MSMEs, please refer to ETRise [2].

 

 

References 

Refer to the article in our issue for detailed reference points. 

[1] Anugraha, S., 2022. Uber is hiring for over 80 cybersecurity jobs after being hacked last week. Metro. Retrieved Sep 24, 2022, from https://metro.co.uk/2022/09/21/uber-is-hiring-for-over-80-cybersecurity-jobs-after-being-hacked-17422264/.

[2] ETRise, 2020. ETRise Top MSMEs Ranking: India’s most innovative companies. Are you one of them? The Economic Times. Retrieved Sep 20, 2022, from https://economictimes.indiatimes.com/small-biz/sme-sector/etrise-top-msmesranking-indias-most-innovative-companies-are-you-one-of-them/articleshow/73545031.cms?from=mdr.

[3] IANS, 2022. Google blocks world’s largest-ever web distributed DDoS cyber attack. Business Standard. Retrieved Sep 20, 2022, from https://www.business-standard.com/article/technology/google-blocks-world-s-largest-ever-web-distributedddos-cyber-attack-122082000447_1.html.

[4] Kate, C., Kevin, R., 2022. Uber investigating breach of its computer systems. New York Times. Retrieved Sep 24, 2022, from https://www.nytimes.com/2022/09/15/technology/uber-hacking-breach.html.

[5] Kelly, B., Jacky, F., Ryan M., L., Paolo, C., 2021. The state of cybersecurity resilience 2021. Accenture. Retrieved Sep 20, 2022, from https://www.accenture.com/ae-en/insights/security/invest-cyber-resilience.

[6] Martin, Reeves Annelies, O., Philipp, C.S., 2022. Make resilience your company’s strategic advantage. Harvard Business Review. Retrieved Sep 24, 2022, from https://hbr.org/2022/03/make-resilience-your-companys-strategic-advantage.

[7] Olsen, T.L., Tomlin, B., 2020. Industry 4.0: Opportunities and challenges for operations management. Manufacturing & Service Operations Management 22, 113–122.

[8] Sarah, H., 2022. Gartner predicts the future of supply chain technology. Gartner. Retrieved Sep 24, 2022, from https://www.gartner.com/smarterwithgartner/gartner-predicts-the-future-of-supply-chain-technology.

[9] Sheffi, Y., 2015. Preparing for disruptions through early detection. MIT Sloan Management Review 57, 31.

[10] Sheffi, Y., Vakil, B., Griffin, T., 2012. Risk and disruptions: New software tools. Retrieved Sep 19, 2022, from https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.399.1561&rep=rep1&type=pdf.

[11] Simchi-Levi, D., Schmidt, W., Wei, Y., Zhang, P.Y., Combs, K., Ge, Y., Gusikhin, O., Sanders, M., Zhang, D., 2015. Identifying risks and mitigating disruptions in the automotive supply chain. Interfaces 45, 375–390.

[12] Steve, M., Sausalito, C., 2020. Cybercrime To Cost The World $10.5 Trillion Annually By 2025. Cybercrime Magazine. Retrieved Sep 20, 2022, from https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/.

[13] Tang, C.S., Veelenturf, L.P., 2019. The strategic role of logistics in the industry 4.0 era. Transportation Research Part E: Logistics and Transportation Review 129, 1–11.

[14] The Editors of Encyclopaedia Britannica, 2010.