- Too often, major companies fail to imagine how a cyber attack could unfold on their network
- The cyber-security sector can learn a lot from the principles of intelligence analysis; forewarning and forecasting future threats
- An internal exercise to imagine all of the potential cyber threats to your business is a smart, cost-free and diligent way to understand and mitigate cyber risks
- Understanding the threat is key - thinking through the range of actors that might want your data and how they may get it will reduce the likelihood of a surprise attack
The best things in life are free.
Many organisations are rightly concerned about their network security, the storage of their data and resilience plans in the event of a crippling cyber attack. Many spend huge sums of money on cyber security, but all too often attacks are successful because decision makers (including board members) fail to imagine who might hack their system and how they might do it.
Consumer brands are often the most naive: whether it be Domino's or Dairy Queen, it often comes as a surprise to companies that they have been targeted. I've consulted for a few brands who cannot see how they would be the target of cyber-criminals and opportunist hacktivists. The first step to rectify this state of mind is to assume the worst.
Even companies that take cyber-security seriously, as [US Drugstore giant] Target did, installing a multimillion-dollar IT security system is not a guarantee of security. Target suffered one of the worst cyber attacks in history; the CEO was fired and Target spent over $60m dollars rectifying the hack. One post mortem suggested the computer systems spotted the attack but Target's IT security professionals failed to see the attack coming.
There's a lot than can be applied from the Intelligence world to this problem. After all, cyber security is about threats and risk, and Intelligence is about forewarning and imagination: asking questions such as What might happen next? Will Country X attack Country Y? Which terrorist group will threaten us most next year?
Sony Pictures recently learned this lesson the hard way. As Lt General Clarence E. McKnight comments "Sony is a great example of how this sort of thing happens even though they had been warned about it before"
So what kind of questions would you need to ask to understand the threat your company faces from cyber attacks? Here's my top 5:
-Who would want to launch a cyber attack on my organisation? [ACTOR]
-What would their motivations be for doing so? [MOTIVATION]
-Once inside my network, what would they want to do? [INTENT]
-Is our data of value to other people and who would want it? [UTILITY]
-Are other businesses in our sector being targeted? [CONTEXT]
If the much criticised IT employees at Target had conducted the above exercise, perhaps Target would have implemented the right kinds of cyber-security measures and have thought about who might want their data, why, how they may go about acquiring it, and what the warning signs of that activity might be.
Conducting this type of exercise early on is critical for your business - thinking in this way will open up a whole series of second-order discussions about the security of your data and the threat you face. It'll save you money, it will reduce the likelihood of surprise, and who knows, it might even be fun.