“Logistics is too important to be left in the hands of logisticians!” That was the admonishment that I received from my commanding general in Afghanistan after informing him that my logistics officer would be handling all the logistical details for an upcoming high profile mission. His comment wasn’t meant to be critical of the skills and abilities of our amazing logistics team—it was a message to me as a leader that I needed to be concerned and focused on logistics as an integral part of operations. I took that lesson to heart. In light of the recent public sector ransomware attacks in Louisiana and Texas, I believe the corollary to that message should be “Cyber is too important to be left in the hands of your IT staff!”
I am by no means a cyber-expert and on more than one occasion, have been guilty of “wishing away” my cyber/IT problems as long as our email was working and we had internet access. Today, organizations can no longer afford to “wish away” those problems because cyber is integral to everything we do operationally and we, as leaders, need to ensure that our IT staff is engaged. We need to evangelize our critical information, risks, and threats so that the whole team can work together towards this common goal. At the same time, our cyber experts need to become versed in operations so they are contributors to the mission and not inhibitors. Cyber defense is a team sport.
"A business plan for defensive cyber should include four elements: Preparation, Planning, Communication, and Exercising"
SO WHAT? Virtually every business sector and public sector entity has been affected by cybercrime or data breaches. Accenture’s “Cost of Cybercrime” study noted a 67 percent growth in cyber security breaches and that “information loss and business disruption combined for over 75 percent of total business losses from cybercrime.” These losses are staggering and have long term economic impacts on businesses and the communities they serve. Three separate studies outline the potential damaging economic effects an attack can have:
- A 2012 FEMA study estimated that one hour of down time costs a small business approximately $8,000 an hour.
- A similar study by the U.S. Chamber of Commerce found that 43 percent of businesses that experience an interruption of 10 days or more will never reopen.
- UK based Daisy Group estimates that the average recovery time for a denial of service attack is 19.3 days and 47.3 days for an attack involving malicious code.
NOW WHAT? Many small businesses and rural public sector entities rely on managed service providers or try to do it internally with under-trained staff. These are often the entities targeted by cyber criminals because they are easy targets. In the majority of the recent incidents, they failed to follow basic cyber hygiene principles that would have protected themselves and their clients. Managed service providers are often the most cost-effective and efficient method of cyber protection but, internal to your organization, you need to have someone with basic cyber knowledge to oversee the contract. Conducting a thorough annual contract review ensures that you are getting the appropriate level of service required to protect your business and clients as it evolves and grows. The good news is that you are not alone in this fight and there are free government resources available to help:
- The Small Business Administration has published a phenomenal guide “Cybersecurity for Small Business” that is free.
- The DHS Cybersecurity & Infrastructure Security Agency has Cyber Security Advisors (CSAs) and Protective Security Advisors (PSAs) available to support planning and program implementation efforts in almost every state and region.
A business plan for defensive cyber should include four elements: Preparation, Planning, Communication, and Exercising.
PREPARATION: If you wait until your first data loss or ransomware attack, then you’ve already lost. In Louisiana, we know that preparing for any type of disaster is an all-hands effort. Interest in resiliency is top-down driven. For the cyber threat, we have to acknowledge that cyber is an integral part of operations! Basic cyber hygiene and data protection needs to be on every manager’s priority list because it is on the priority list of criminals, state actors, and a whole host of others that don’t care about your profit/loss margin and are actively seeking out the weak link. You don’t need to be a cyber expert, but you do need to care, and provide the big picture vision.
PLAN: You’ve got to put it in writing and it needs to be brief enough that people will actually read it and written in plain language so that you don’t need your IT or legal staff to decipher it. Identify your critical information, operations, continuity of operations plans, hazards, risks, and how to mitigate them. Create a line of succession and notification plan. Your DHS PSA can help and the Louisiana Business EOC webpage has a Business Risk Assessment Tool that can serve as a guide to get you started.
COMMUNICATE: Now that you have a plan you need to communicate it internally and to any external partners who are vital to its execution (managed service provider, contractors, DHS, FBI, and more). Everyone in your organization needs to know what steps to take when you get attacked. Who are you going to tell? Will you share the information with your state fusion center and other businesses? What are the legal ramifications of sharing? These are all conversations you need to have BEFORE an event.
EXERCISE: Exercising serves to validate your plan but also creates “muscle memory” and reinforces training so that when an event does occur, employees react naturally. It’ll also let you know if what you’ve written will actually work.
Encouraging basic cyber hygiene is cheap and easy. The Prepare, Plan, Communicate, and Exercise portion can bring added cost—but individual studies conducted by FEMA, Zurich Insurance, and the United Nations Office for Disaster Risk Reduction all came to the same conclusion: prevention and preparation gave a minimum of a 4:1 return on investment. These four actions will help you build a confident and resilient team ready for any challenge. Planning now is vital for “if you fail to plan, you subject yourself to the will of others.”