Mark Lanterman | March 6, 2020
Cyber threats bring about a host of complicated and interlaced risks for which every organization should account. From the installation of malware via a complicated spear phishing incident to the insider threat to confidential client data, threats can be multifaceted and difficult to address.
These attacks often result in damage that is equally difficult to quantify. An organization can be affected legally, financially, reputationally, and operationally. In this article, I will delve into the immediate way an organization can be impacted: operationally.
In the immediate aftermath of an attack, business operational risk can be severe. This type of risk is commonly understood as the damage associated with the failure of critical business systems, procedures, or personnel. In 2014, Sony Pictures Entertainment was the victim of a huge cyber attack on its networks. Largely attributed to North Korea, the attack made international headlines for its severity. Apart from the ongoing legal, reputational, and financial crisis in which Sony would find itself, the operational damage in the immediate aftermath of the attack left communication within the organization difficult to manage. In an interview with the Wall Street Journal, Sony's then-CEO, Michael Lynton, described how, with the regular phones and computers down due to the attack, thousands of employees were left using old cellphones and notepads; paychecks even had to be cut manually. 1
It is remarkable to think that this cyber attack had such an immediate impact on such a large organization. The real-world impact of such attacks is illustrated by the amount of operational risk they cause. Dealing with the attack and keeping clear communication channels open must have been that much more difficult given these technological constraints.
Depending on the sector, operational risk can be devastating. In the healthcare industry, immediate communication and the ability to care for patients can be diminished or completely destroyed for periods of time when a cyber attack occurs. In these instances, patient fatalities may be a risk. For government entities or national infrastructure, the inability to continue with operations can equate to people not receiving the services they need for daily life. This type of risk comes with far-reaching consequences.
Business continuity is often taken into account for things like natural disasters, but technology failure at the level of Sony in 2014 is often unanticipated. Accounting for cyber-security incidents means accounting for the worst; acknowledging that an attack may render all technology unusable for a period of time is important.
Reactive security strategies should take into account the immediate operational impact. Part of this response is considering the technological impact, understanding that heavily relied-on technologies may be out of commission for stretches of time in the event of an attack. Locating critical systems and making sure that regularly scheduled backups are being completed is paramount. Simulating an attack and learning how to continue work if the primary network is down is also valuable and, depending on the sector, may be an important part of the security assessment process.
Establishing clear communication channels and practicing going through them may help diminish the personnel problems that can occur as part of operational risk as well. When organizations are prepared to respond to a cyber incident, personnel and upper management are more available and better able to support mitigation efforts. Instituting a team of responsible parties, with one primary leader, also assists in information gathering, public response, and ongoing outreach.
Operational risk comes with the sorts of cyber threats that organizations now have to face. The immediate impact of a cyber attack can result in the inability to perform basic tasks and processes necessary for success. Taking this type of risk into account strengthens reactive strategies and bolsters an organization's ability to support itself and continue to thrive in the immediate wake of an attack.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
Footnotes