Öykü Isik, a professor of Digital Strategy and Cybersecurity, leads IMD’s Cybersecurity Strategy and Risk program which helps businesses develop an action plan to identify, prepare for and respond to emerging and imminent cyber threats. A computer scientist by training, Isik’s work before joining IMD focused on business intelligence, analytics, and technology and business process management. She is a member of the World Economic Forum’s Global Future Council on Cybersecurity, is a part of the Forum’s initiative on Bridging the Cyber Skills Gap, and is a scheduled speaker on a May 3 panel at the Forum’s Growth Summit which will be moderated by The Innovator’s Editor-in-Chief. Isik recently spoke to The Innovator about how to build cyber resilience into a digital business strategy.
Q: This week the European Commission announced The EU Cyber Solidarity Act to better detect, prepare for and respond to significant or large-scale cybersecurity incidents. What’s your take?
OI: Like many of these new legislative initiatives and policies, it focuses on critical infrastructure and on cyber resilience. Covid gave us the opportunity to see that we are not really doing our best to digitally protect our critical infrastructure. The second thing is that traditionally all cybersecurity efforts focus on "prevent and protect", but that is not enough. It is the day job of criminal groups to find vulnerabilities, so businesses need to come to grips with the fact that it is not possible to prevent all cyberattacks. All it takes is one unpatched vulnerability or one mistake by an employee for the bad guys to break in, so businesses and operators of critical infrastructure need to put resiliency at the forefront of their strategies. The message is: continue to protect to prevent, but please do not ignore the necessity of knowing how to deal with the crisis when the crisis hits. Just like you need to have a plan in case of a natural disaster, have a plan for a digital disaster.
Q: What does a good plan look like?
OI: Vulnerabilities are natural. The way we design software means that any kind of system will have bugs. We make things more complicated by building things on top of each other, implementing what used to be called middleware so that systems can talk to each other, which introduces breaking points. While it is natural to have these vulnerabilities, through proactive and prioritized management businesses can make themselves resilient. The arguments usually put forward are that implementing security upgrades and patches means losing availability and keeping the business up and running takes priority. So, there needs to be a prioritization of incoming patches and updates. This is possible if there is a good connection between your operations team and the security team. Through connection and collaboration, they will be able to find moments to not just update and patch but also to proactively search for vulnerabilities, which is a good idea. Many organizations rely on red teams from SOCs [security operation centers] to find vulnerabilities and proactively try to find what can be patched but more and more companies are hiring ethical white hat hackers and giving them ‘a get out of jail free’ authorization to go into their networks and by any means possible find weak spots, whether it be an IT vulnerability, a receptionist that lets someone into the building or a second story window that is left unlocked. It is a good way of being proactive and enables organizations to fix things before they are exploited by third actors.
Q: There is no one agreed upon approach to handling ransomware. Some companies pay, others do not. What, in your opinion, is the best way to handle ransomware demands?
OI: It is not always a black and white decision. What we see is that it often is a case of cost analysis: how much ransom are the threat actors demanding and is it less than the cost of recovery? But the fact of the matter is that from the moment the threat actor contacts your organization you can be sure that they have been lurking inside your system for many months, examining your financial situation, whether you have backups of your IT systems, and whether you have cybersecurity insurance. They already know everything about you: your pain points and how much you can afford to pay. They know that organizations that have insurance are more likely to pay. But threat actors are changing their behavior and adapting to the way organizations have been responding. Five years ago, organizations could make a financial calculation: if I pay the ransom, I can get back to business in three days instead of three weeks. That is no longer necessarily the case. Now we know that threat actors keep tabs on organizations that pay, so if you pay once you have a sticker on your forehead and you're increasing your chance of it happening a second time. What's more, the likelihood of receiving a decryption key after paying is decreasing. We are seeing more cases where organizations pay, and then the ransomware gang doesn't send the decryption key, or they send one and it doesn't work. That is what happened to Colonial Pipeline. They had backups but figured it would take longer, so they paid, and then the key didn't work, and it ended up taking longer to do the technical decryption than the recovery from the backups. Since this is a business exchange the business gangs want to be known as reliable, but what we are seeing now is that because this is such a lucrative market, affiliates that don't know how to code are approaching the ransomware gangs and offering to get them access to more organizations.
The affiliates tell them 'we will infect organizations for you and we will split the money we make.' This sometimes leads to disagreements between the ransomware gangs and the affiliates. For example, ransomware gangs sometimes have their own code of ethics, such as never attacking a hospital, NGOs or schools, while other groups might decide that these institutions are exactly who they want to go after because they are vulnerable. There are different approaches, but some affiliates ignore the codes of honor and do whatever they want, and this creates conflict. In January a children's hospital was attacked and the original ransomware gang made an announcement saying that an affiliate member did this and they were not in agreement, and so they handed over the decryption key. All of this is to say that ransomware is becoming more difficult to manage, with multiple actors making negotiations very unreliable, so long-term thinking is required.
Q: You mentioned cyber insurance. Doesn’t it give companies a false sense of security given that insurance companies do not want to pay out if the threat actor is state-sponsored and more and more cyberattacks are engineered by rogue nation states?
OI: Cybersecurity insurance is a young product that is still trying to find the right balance. The good thing they are doing is they won't insure a company unless it has implemented basic cybersecurity measures, so I welcome that. [Multinational food and beverage company] Mondelez International went to court after Zurich American Insurance Company argued that it did not have to pay its NotPetya malware attack claim due to a War or Hostile Acts exclusion. The insurance company argued that if the attack is sponsored by a nation state it can be considered an act of war. But if you look at a case like North Korea, one of the biggest nation state-funded hacker groups, should their attacks also be considered as an act of war when they are doing this not as an act of war but for profit, to collect money? How do we differentiate an act of war versus financially motivated cybercrime? It's very difficult.
Q: What about SMEs? Most don’t have their own IT departments. They are suppliers to large corporates and can end up infecting them with malware.
OI: The role of corporates is to ensure their suppliers are complying with cybersecurity standards. Questionnaires are a great starting point, but this year there are a lot of complaints about the many forms SMEs are being requested to fill out. It is not productive, so we need to look at how we automate and optimize this whole process.
Q: Beyond supply chains is there a need for a more systemic approach to cybersecurity?
OI: Yes. The statistics on ransomware are not reliable because not all attacks are reported. There is a stigma about reputational damage even if there is evidence that the contrary is true. In 2019, when Norsk Hydro's network was shut down and it received a ransomware demand, the company said no. They rebuilt the system, and it took weeks, so from a business perspective it was very difficult, but they were very transparent and even offered to allow journalists into their war room. By exposing their vulnerabilities, they gained empathy and their share price increased.
It is important for companies and countries to share information with each other. Some non-profits are popping up here and there. The Cyber Threat Alliance, which started in the U.S. but has a global focus, is one of them. There is a new association in Bern and another in Belgium and many others. These organizations form islands of best practice. We need to find a way to combine these initiatives so we can all learn from each other.
Q: What advice do you have for corporates?
OI: First, normalize cybersecurity throughout your organization. By now everybody is aware of cybersecurity, but when it comes to accountability executives are still pushing it to the SOCs or CISOs. Businesses should develop security by design, from ideation to market phase, so that processes, services, and products have a security aspect in their design and development. Not all executives are experts in marketing, but they still talk about it because it's considered a shared business capability. This should also be the case with cybersecurity. It needs to be part of the business strategy conversation rather than limited to tech professionals and giving the CISO ten minutes in front of the board once a quarter. And finally, companies should get rid of unproductive practices. All organizations now organize security awareness training and phishing simulations. Many have established fear-oriented practices surrounding this awareness training, such as threatening to fire repeat offenders, which ends up doing more harm than good. Instead, I recommend approaching this with 'what are the practices we are going to improve through awareness training?' while giving employees positive reinforcement.