In cyber conflict, there are two types of potential victims - those that know they are a target, and those that don’t yet know.
The increase in frequency and severity of cyberattacks in Europe at a time when geopolitical tensions are high should prompt senior executives in every organisation to think about cyber resilience.
Over the past month, Europe has witnessed many cyber incidents involving critical infrastructure.
The recent cyberattack on the major European oil refining hubs of Amsterdam-Rotterdam-Antwerp led to considerable disruption in the loading and unloading of refined product cargoes amid a continental energy crisis.
In Portugal, the largest European telecom operator Vodafone had its operations severely debilitated, limiting services in that country.
In Belarus, a self-proclaimed cyber opposition group announced that it had effectively hamstrung the national rail network in the middle of ongoing military exercises with Russia.
And finally, a flood of smaller cyberattacks have hit Ukraine, with government websites being the target.
Critical infrastructure (CI) organisations generally know they are likely to become targets during cyber conflicts.
They have been investing in cybersecurity and are encouraged to collaborate with their peers towards building industry-wide resilience.
The World Economic Forum’s Cyber Resilience in Oil and Gas initiative has brought together several industry players with the objective of raising the bar across industry.
CI organisations often have access to special governmental support programmes, and sometimes even special threat intelligence.
The US Cybersecurity and Infrastructure Security Agency has been especially active lately in pushing out warnings to all companies.
However, there is often a discrepancy between how cyber-resilient a company’s board think it is, and what the cyber professionals think.
In a recent survey by the World Economic Forum, 92 per cent of business executives considered cyber to have been integrated into their enterprise risk-management strategies, while only 55 per cent of cyber leaders agreed.
Attackers often target organisations that are not critical infrastructure.
Throughout the Covid-19 pandemic, hospitals were routinely hit by cyberattacks, and in January 2022 the International Committee of the Red Cross announced it had been hacked.
It is sometimes difficult to decide if an attack of this nature is motivated by criminal or political intent (is it ‘ransomware’ or ‘ransomwar’?), as cybercriminals may seek to exploit the general confusion of any political crisis.
All organizations should be aware that it is not a question of whether they are going to be attacked, but when.
A basic checklist for senior executives
Create “digital slack” in your organisation
This means not only keeping some obsolete equipment around as potential spares or backup in case you need to replace some hardware immediately, but also being ready to create space in business processes.
How vital are video calls? What level of connectivity do you need to keep in touch with your staff in the field, what needs to be prioritised?
And if your business depends on high levels of business-to-business or business-to-consumer contact, what are your measures in keeping a minimum level of service in play? What happens when your main customer, partner or supplier disappears behind a national-level firewall?
Be prepared to deal with attacks on service providers
Consider hedging within and across the range of the services. For instance, cloud providers often allow you to set the “regions” or geographic zones your data is held in, giving you the option to temporarily avoid a general geographic conflict zone, although likely at some operational and regulatory costs.
You may also want to invest in secondary relationships in case you need to change providers in a hurry.
Review your business continuity management or disaster recovery processes
This helps you to be prepared for both ransomware attacks and debilitating attacks on your external service providers. Apply the 3-2-1 rule for your most important data: have three different backups for each kind of critical data set, on two different media, one of which is stored offsite.
Consider regularly changing your backups – one reason ransomware succeeds is either because the ransomware has infected the backups, or restoring from backup is considered to be a too lengthy process.
Give your cyber team more leeway
If something needs to be updated, don’t force the cyber team to wait so as to not inconvenience the business – do it as soon as you can.
If some services need to be suspended temporarily to shore up your network, on balance that could be a small price to pay compared to the impact of an attack.
Perhaps most importantly, allow your cyber team to collaborate with others, through both formal and informal channels.
Incorporate cybersecurity expertise into the board
All organisations should have identified a corporate resilience manager at the board level or equivalent. That person will need to take a very wide perspective, and include other risks such as pandemic-related crises.
To make sure cyber is adequately represented, consider having either the Chief Information Security Officer (CISO) directly present, or at least plan on regular briefings of the entire board.
Overall, the resilience manager and the CISO should consider engaging the board through tabletop exercises to stimulate digital disruption, and the decisions it may require.
Present-day cyber conflict is often associated with apocalyptic images of burnt-out infrastructures and week-long blackouts. These threats are real, but thankfully still very unlikely.
A much more realistic scenario of wider political cyber conflict could involve prolonged low-level disruptions to critical infrastructure, and a generally degraded cyberspace and tech environment.
As leaders, it is imperative we prepare for such disruptions by embracing cyber resilience practices and business continuity measures.