Published on September 2nd, 2021
Some Vital Lessons In How Systemic Risk Is Changing Cybersecurity
Attackers are exploiting systemic weaknesses in digital business systems in new and creative ways. Cybersecurity approaches need to recognize this shift and adapt to the catastrophic and compounding effects of the systemic risks now threatening businesses and critical infrastructure.
Systemic risk in cybersecurity is the inherent risk that exists within complex digital business systems. It's the threat of risk spreading into a business from connected third parties, or out of your business into others. It's also the threat of one part of a digital business system going down and cascading, so that the failure has a much larger negative impact on the extended system.
Hackers are now pinpointing and exploiting targeted parts of complex systems for this reason. Understanding and protecting the "crown jewels" has been staple cybersecurity advice. While protecting "crown jewels" is still important, it is no longer good enough. It's now also necessary to understand and protect against systemic risk, which can start from an asset that is not considered a "crown jewel." Attackers have figured out that bringing the system to a standstill and impairing an organization's ability to function is the ultimate crown jewel.
I interviewed Bob Kress of Accenture Security to get his insight into what companies can do to understand and defend themselves against systemic cyber risk.
Zukis: Give me an example of a recent hack that was systemic in nature?
Kress: Colonial Pipeline was a great example. It's also one where the systemic threat and impact was self-imposed, as they shut down the system themselves. It's also a good example of how systemic cyber threats can extend well beyond the digital system and threaten the business and critical infrastructure. Their hack was reportedly through a compromised password. That's the hallmark of how systemic threats start; it's usually a single and often simple point of failure. A ransomware attack followed, and as a result they made the decision to shut down their systems to control the spread of any damage a little over an hour after the attack. This then created fuel shortages and widespread disruptions.
The point that the shutdown of their digital and operational systems was voluntary is a very important point. It's frequently the only option leaders have when there's a lack of understanding of how risks can flow throughout the system. When systemic risk isn't understood, it can be ignored, or the system can be shut down. Those are the only two options; they chose the latter.
Zukis: Is systemic risk new, and how is it impacting cybersecurity?
Kress: It's not new, although what's new is the inherent complexity of the digital business systems that are running today's complex and interconnected companies. The levels of systemic risk most companies now face are entirely new. Digital complexity is introducing entirely new levels of systemic risk. To a certain extent a level of systemic risk can't be avoided in complex systems. SolarWinds was another good example of a systemic attack. By implanting malware in their software that's used by tens of thousands of their customers, the attackers were able to piggyback into these customers off of the back of SolarWinds software. A perfect example of using the system against itself. Notably, SolarWinds' board added a Technology and Cybersecurity Committee to their board after this breach, together with some new directors with deep cybersecurity experience and expertise.
Cybersecurity is about defending against the active threats to the system. Systemic risk management is now vital in cybersecurity and needs to understand these inherent threats and stop the active threats from exploiting them.
We're only getting started on this, although some good work is being done. The National Institute of Standards & Technology (NIST) has some good guidance on these issues with NIST SP 800-160. Engineering in systemic resiliency is what this is about, and it's also what cybersecurity is becoming in terms of how companies need to approach the security of their digital and business system.
Zukis: Is this a boardroom level issue?
Kress: Yes, without a doubt. The boardroom is a part of any cybersecurity system. Without an effective corporate governance approach, the cybersecurity system isn't as strong as it needs to be. It takes a high performing cybersecurity system to defend a complex digital business system. Other breaches and especially ransomware attacks all show signs that attackers have figured out that the system is itself the weak point. And when they can find a way in through a weak point, the damage they can inflict gets amplified by the system itself.
We havenât yet seen the level of damage that is coming when cyber threats start to jump and move across companies and industries. SolarWinds could have been much worse. This is a new dimension in risk that corporate boards need to be aware of and have a responsibility to govern. Understanding issues such as the risks that your company can inherit and what you can spread to your business partners, customers, and other stakeholders are new challenges in corporate governance.
The cyber insurance industry has even been asked to focus on this by their regulator, the New York Department of Financial Services, in its Cyber Insurance Risk Framework.
Zukis: What signs should CISOs or boardrooms look out for in beginning to understand this issue?
Kress: It starts with knowing where the digital business system begins and ends, the parts within it, and the third parties who are inter-connected with it. Whether they are vendors who are a part of a cloud infrastructure, or customers and suppliers, how far and wide the systemic risk footprint extends will be surprising for many companies. But systemic risk also exists within the system; it's not just a third-party issue. If a critical part of the system fails or is corrupted, how that impacts the larger system is often a much more difficult thing to map and understand.
It is extremely important for companies to understand their internal architecture (business, technology, and cybersecurity) to understand how their processes and systems work together and are inter-connected, whether intentionally or not. Only then can they take steps to mitigate systemic risk through things like network segmentation and the isolation of credentials.
Finally, boards and companies need to recognize that they are largely self-insured for these types of systemic failures. Cyber insurance only covers a small part of cyber risk generally, and particularly with any large-scale systemic failure. Understanding this issue, and mitigating systemic risk, is the best short- and long-term cybersecurity risk management approach.
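Kress's advice to map where the digital business system begins and ends, which third parties it depends on, and how the failure of one part cascades into the rest can be made concrete with a dependency map. The following is an added example, not code from the interview or from Accenture: it models a small, constructed inventory of internal components and third-party providers as a dependency graph, computes the blast radius of any single failure, ranks components by how much of the system they would take down (which surfaces assets that are not "crown jewels" but whose failure still breaks them), and lists what the company inherits from each third party. All component names and edges are invented for illustration.

```python
"""Dependency-map analysis: which single component failure cascades the furthest.

Added example. DEPENDS_ON, THIRD_PARTIES and CROWN_JEWELS are a constructed
sample inventory, not data about any real company.
"""
from collections import defaultdict, deque

# Constructed sample inventory: each key is a component of the digital business
# system, its value the set of components it needs in order to keep working.
# Third parties are modelled as nodes too, so inherited risk shows up in the graph.
DEPENDS_ON = {
    "customer-portal": {"identity-provider", "billing-db"},
    "dispatch-scheduling": {"identity-provider", "ot-gateway"},
    "ot-gateway": {"vpn-concentrator"},
    "billing-db": {"cloud-vendor-A"},
    "identity-provider": {"cloud-vendor-A"},
    "vpn-concentrator": set(),
    "cloud-vendor-A": set(),
    "payroll": {"saas-vendor-B"},
    "saas-vendor-B": set(),
}

THIRD_PARTIES = {"cloud-vendor-A", "saas-vendor-B"}   # constructed labels
CROWN_JEWELS = {"customer-portal", "dispatch-scheduling"}  # what the business considers critical


def dependents_of(depends_on):
    """Invert the map: component -> set of components that need it."""
    rev = defaultdict(set)
    for comp, deps in depends_on.items():
        rev.setdefault(comp, set())
        for dep in deps:
            rev[dep].add(comp)
    return rev


def blast_radius(depends_on, failed):
    """Every component that stops working when `failed` goes down.

    Breadth-first search over the reverse dependency edges; `failed` itself
    is not included in the result.
    """
    rev = dependents_of(depends_on)
    seen, queue = set(), deque([failed])
    while queue:
        current = queue.popleft()
        for dependent in rev[current]:
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen


def rank_by_blast_radius(depends_on):
    """Components ordered by how much of the system their single failure takes down."""
    sizes = {comp: len(blast_radius(depends_on, comp)) for comp in depends_on}
    return sorted(sizes.items(), key=lambda kv: (-kv[1], kv[0]))


def single_points_of_failure(depends_on, crown_jewels):
    """Components that are not crown jewels but whose single failure breaks one.

    These are the assets classic crown-jewel protection overlooks.
    """
    return {
        comp for comp in depends_on
        if comp not in crown_jewels and blast_radius(depends_on, comp) & crown_jewels
    }


def inherited_third_party_risk(depends_on, third_parties):
    """For each third party, the internal components that fail if it does."""
    return {tp: blast_radius(depends_on, tp) for tp in third_parties}


if __name__ == "__main__":
    for comp, n in rank_by_blast_radius(DEPENDS_ON):
        print(f"{comp:22s} cascades to {n} other component(s)")
    print("non-crown-jewel single points of failure:",
          sorted(single_points_of_failure(DEPENDS_ON, CROWN_JEWELS)))
    for tp, impact in sorted(inherited_third_party_risk(DEPENDS_ON, THIRD_PARTIES).items()):
        print(f"if {tp} fails: {sorted(impact)}")
```

In the sample, the shared cloud vendor has the largest blast radius even though nothing about it looks like a crown jewel, and the VPN concentrator sits in front of the OT gateway, so both appear as single points of failure for the critical services. The ranking is a starting point for deciding where segmentation, credential isolation or a second provider would shrink the cascade the most; a real run would replace the constructed map with an inventory drawn from the CMDB, cloud account graph and vendor register.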