Building a cyber resilient organisation
Before discussing cyber resiliency, let’s take a step back and talk about digitisation. Nowadays, every day, everywhere, every company is buzzing about digitisation. What does going digital mean? It’s not really a thing; it’s a new way of doing business. Going digital is taking advantage of technological advancements to provide a better customer experience, creating new ways of doing business, exploring new avenues of value for the business and collaborating better with all business partners. Since customers and business partners are located outside the boundary of the company’s network security perimeter, going digital often means sharing critical data with the outside world.
All companies are eager to take advantage of the latest technologies. They want to integrate social media into business processes; they want to use cloud technology, big data, the Internet of Things, etc. Modern technologies generate value for the business, but rapid digital expansion also completely changes the cyber risk perspective of a company. All these digital technologies are new and still maturing, so they carry more vulnerabilities than a more established system. As a result, the likelihood of a cyber incident having significant implications for the operation, and more importantly for the reputation of the business, is increasing many times over every year. Statistics show that year by year the number of cyber-attacks is increasing exponentially, and so is the impact each attack has on businesses. The challenge is: while companies are rushing to go digital, how can they keep the organisation safe from cyber-attacks?
A few years back, most companies didn’t even have a cybersecurity program. All they knew about security was how to secure the computer network perimeter. The only known security questions were: ‘Is there a firewall in place?’ or ‘Do the computers have anti-virus installed?’ Over the last few years, most companies have started implementing a cybersecurity control program. They have designed processes to safeguard their network of computers, programs, and data. However, there are significant flaws in their cybersecurity processes.
Most companies have created a group called the ‘cybersecurity team’ in their organisation, headed by a security officer, and made that group responsible for cybersecurity in the company. These groups are working to protect the company against cyber events that have already happened somewhere else. They are also fighting a constant battle with the business leaders, because the business wants innovation and modern technology, but security controls slow down the process. That creates a dilemma for top management.
The solution to this dilemma lies in treating cyber risk not as an IT security risk alone. A cyber risk is a business risk. In a digital organisation, cyber risk is part of doing business. Companies must integrate cyber risk into each of their business and IT processes and work towards building a cyber resilient organisation. Resilience means that the systems in place should be able to withstand cyber-attacks. All systems should be able to protect themselves. Even when a system fails, it should be designed in such a way that it fails while protecting its confidentiality and integrity. A failed system should also be able to recover as quickly as possible so that the company gets back into business the fastest way possible. That, in a nutshell, is cyber resilience.
How does a company achieve cyber resilience?
They must reassess the business risks from a post-cyberattack perspective, evaluate the consequences and identify the critical assets that need to be made cyber resilient. Companies need to rethink their processes and policies to mitigate the cyber risks to their critical assets to the best of their abilities. They need to keep a close watch on threat intelligence to find out what can affect those critical assets and implement protection. They need to monitor, so that when any asset gets compromised, they can find that out as soon as possible.
Companies should have a plan for recovering from a cyber incident. Maritime industry companies already have various incident response plans, and now they should create a cyber incident response plan to recover quickly if one of the critical assets fails. Like their other incident response plans, the cyber incident response plan should also be tested routinely for effectiveness and preparedness.
Finally, how does a company sustain its cyber resilience? One of the key steps is to integrate cybersecurity risks into the organisation’s enterprise risk management and governance plan. Once the top policy makers of the organisation are involved in cybersecurity planning, the risks will be better managed and prioritised. The collaboration between business groups and the cybersecurity team needs to continue. Whenever the business makes any changes or implements a new digital technology, the cyber resilience steps mentioned before need to be repeated. The cyber incident response drill should also be conducted whenever there is a system change.
They also need to realise that in a digital world, individual organisations will not be able to defend themselves alone. Industry associations, regulatory bodies, partner organisations, vendors and law enforcement must commit together to build a cyber resilient digital ecosystem. The shipping industry is reliant on external entities supporting it all over the world. Companies have also outsourced key business processes to external vendors. For cyber resiliency, all stakeholders need to work together and share intelligence and best practices, and, more importantly, when they face a cyber challenge, they need to collaborate to face it.
Cyber risk is not going away soon; it will only intensify further. So companies need a plan to keep working on mitigating it, to keep improving, and to get stronger.
Amit Basu is the Chief Information Officer at International Seaways (INSW). INSW, headquartered in New York City, is one of the largest tanker companies worldwide, providing energy transportation services with a fleet of 55 crude oil and petroleum product vessels.
Amit is a proven IT leader with almost 30 years of successful track record in delivering organisational growth, performance, and efficiency by leveraging information technology. He has over 20 years of experience in maritime IT.
Amit is a pioneer in the maritime industry in utilising global IT delivery teams as well as harnessing the value of hybrid cloud. For the past couple of years Amit has focused on prevalent cybersecurity risks and mitigation best practices, and has designed an efficient cybersecurity risk management program at INSW.