Too Big to Fail: A New Way to Think About Cybersecurity
A new report draws direct comparisons between the ripple effects that led to the 2008 financial crisis and the current state of the internet. The goal? To get officials, both within organizations and beyond them, to see the bigger picture when tackling cybersecurity.
Could the internet’s future parallel the 2008 financial crisis?
It’s a provocative way to think about technology that’s become so integral to our lives and business needs that a little downtime can cause big headaches during a workday.
But “Beyond Data Breaches: Global Interconnections of Cyber Risk,” a new report from the Atlantic Council and Zurich Insurance Group, poses the question and says it’s exactly why security experts should be managing risks before they happen.
“The similarities between the financial and cyber risk management methodologies go well beyond simple analogy,” the study states.
More details from the report:
Why the comparison sticks: The study argues that before the 2008 financial crisis, financial experts assessed risks individually, rather than looking at the full picture of what could happen. As a result, a failure in a small part of the system—the U.S. mortgage market—had ripple effects that spread to the rest of the world. “The system’s very complexity allowed risk to be spread to those most willing and able to deal with it. But it was this complexity, magnified by attendant lack of transparency and limited understanding, which contributed to the ultimate crash of 2008,” the study states. The study suggests that many technology executives fail to take a broad view of cyberattacks, which could cause similarly huge ripple effects.
Where the weak points lie: The study lays out potential impact points that could affect an organization’s online infrastructure, including internal issues, such as hardware and software; vendor issues involving cloud computing; disruptive technologies that could change technological paradigms; and the internet’s fundamental organizational structure, which can be shaken by governance challenges and external risks (think Turkey’s recent efforts to shut down Twitter in the country). “Just imagine if a major cloud service provider had a ‘Lehman moment’, with everyone’s data there on Friday, and gone on Monday,” the authors write in an executive summary. “If that failure cascaded to a major logistics provider or company running critical infrastructure, it could magnify a catastrophic ripple running throughout the real economy in ways difficult to understand, model, or predict beforehand.”
So what can you do? The study outlines a two-fold approach to protecting the online infrastructure—through systemwide risk-management solutions for organizational bodies such as ICANN and governments and more localized means for individual companies or nonprofits. For the latter, the study recommends practices such as fast turnarounds on patching application and system software, whitelisting the applications used, and building more resilient platforms. The report recommends implementing exercises to plan for worst-case scenarios, similar to the Securities Industry and Financial Markets Association’s recent cybergames. “The best organizations examine the most likely and most dangerous cyber risks and exercise their security and response teams, as well as their corporate executives and boards, to build muscle memory for responding to incidents,” the document states. “Seize the opportunity of each crisis to create ‘teachable moments’ for responders and executives.”
The full report is available on the Zurich website [PDF].