GDPR is on its way

On 25 May 2018, GDPR comes into force. Any organisation that offers goods or services to people in the EU, or monitors their behaviour, needs to be in full compliance with the EU’s General Data Protection Regulation (GDPR), whether or not it has an office in the EU. This requires specific steps to collect, store and use personal information lawfully and securely.

For many organisations, time is running out.

GDPR has big teeth

Companies not meeting the GDPR this time next year face significant fines for breaches.

For example, NCC Group built a model that took fines actually imposed for privacy breaches by the UK’s Information Commissioner’s Office and recalculated them under GDPR. Under the model, British companies penalised for breaches last year would have faced fines totalling about $112m AUD under GDPR, rather than the roughly $1.524m AUD they actually paid. That is close to two orders of magnitude larger.

Extrapolating the modelling:

  • The 2016 fine for the TalkTalk data breach looks small compared to what it might have been under GDPR. TalkTalk was hit last year with the biggest fine ever imposed in the UK for a data breach, $693,000 AUD. NCC calculated that TalkTalk’s fine under GDPR would have been an eye-watering $102 million AUD.
  • Pharmacy2U sold personal details, including medical information, to a lottery company and was fined $225,000 AUD by the UK Information Commissioner in 2015. NCC’s modelling indicates that it would instead have faced a much steeper fine of $7.6 million AUD under GDPR.

Those are large $$$, especially in light of a report from earlier this year by (ISC)2’s EMEA council, which covers Europe, the Middle East and Africa. According to the (ISC)2, companies aren’t doing at all well. The familiar mantra is

“Time is running out”.

The (ISC)2 EMEA council warned of what it sees as poor acceptance of accountability across organizations and an apparent belief that the task ahead is one for the specialists – either legal or technical.

Meanwhile, a recent report by UK company Crown Records Management found that nearly one in four UK businesses surveyed had stopped preparing for GDPR, with 44% saying they didn’t think GDPR would apply to them once the UK leaves the EU, expected sometime in 2019. There are two problems with this line of thinking. Firstly, in the short term, businesses will still need to meet the GDPR while the UK remains part of the EU; and secondly, the GDPR’s reach does not depend on membership: it applies to anyone offering goods or services to people in the EU, and unless there is a complete change in trading relationships, the EU will remain the UK’s biggest export market.

SMEs are not immune

Another point of uncertainty for companies is about size. Unlike Australia, where the Privacy Act effectively carves out most small businesses (those with annual turnover under $3 million), the GDPR applies to any organisation doing business in the EU regardless of size, and requires it to collect, store and use personal information lawfully and securely. So smaller companies face fines for violations too.

That said, the regulation accounts for the fact that smaller businesses lack the resources of the big guys. The Bytestart UK small business portal gives some advice for SMEs on what they need to know about the GDPR. They make four points:

  • Data Protection Officer (DPO). Bytestart puts the threshold at 250 employees, but the final text of the GDPR does not tie the DPO obligation to headcount: Article 37 requires a DPO for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. (The 250-employee figure appears instead in Article 30’s exemption from keeping records of processing.) The DPO ensures that the business collects and secures personal data responsibly, and a small firm may need one if “the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects”.
  • Mandatory reporting – a personal data breach must be notified to the supervisory authority (the Information Commissioner’s Office (ICO) in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, they must be told as well, without undue delay.
  • Individuals have more rights dictating how businesses use their personal data. In particular, they have the ‘right to be forgotten’ (right to erasure) if they withdraw their consent to the use of their personal data or if keeping that data is no longer required.
  • Failure to comply with the GDPR will lead to heavier punishments than previously. Supervisory authorities will be able to fine up to €20 million or 4% of worldwide annual turnover (whichever is higher).

So what?

Now that we’ve outlined what’s at stake, let’s look at some concrete steps companies that want to trade with the EU must take to be ready for 25 May 2018. Australian and New Zealand companies are in this boat, not only those in Brexit Britain. We’ve written previously about how the decisions in the EU and USA on privacy affect Australia. It is likely that this will be much the same.

Ireland’s Office of the Data Protection Commissioner has produced a checklist which is quite good. We’ve found this list to be particularly helpful with our clients.

  1. Become aware.
  2. Become accountable.
  3. Communicate with staff and service users.
  4. Protect personal privacy rights.
  5. Review how access rights might change.
  6. Identify your legal basis for each processing activity and document it.
  7. If you rely on consent as your lawful basis, make sure it meets the GDPR standard: freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give.
  8. Process children’s data extra carefully.
  9. Have a plan to report breaches.
  10. Understand Data Protection Impact Assessments (DPIA) and Data Protection by Design and Default.
  11. Consider data protection officers.
  12. Understand International Organisations and the GDPR.

How to approach GDPR compliance

GDPR is just another project. These are some milestones that your organisation might consider so that it can be ready for 25 May 2018:

  • Executive Support and Awareness in place
  • Project Plan and Budget
  • User Awareness
  • Appoint a Data Protection Officer (where required)
  • Identify privacy information holdings
  • Update Privacy Notices
  • Revise Data Protection Policies
  • Re-examine Information Sharing Agreements
  • Develop Data Protection Impact Assessments and have them accepted at an organisational level
  • Identify cross-border transfers
  • Establish a Data Subject Rights Management protocol
  • Ensure “Privacy by Design” is implemented into the Organisational Project Methodology

More resources

A GDPR portal gives a countdown until enforcement and, more importantly, FAQs about how to prepare:

http://www.eugdpr.org/

There is a lot of guidance available from the UK Information Commissioners’ Office

https://ico.org.uk/for-organisations/

Also useful

http://cfsystems.biz/wp-content/uploads/2016/11/Preparing_for_the_General_Data_Protection_Regulation_-_White_Paper.pdf

Security Professionalisation in Australasia

Security Professionalisation is an issue that all who are involved or care about societal resilience should be concerned about. I’ve just written an article for Security Solutions Magazine talking about the efforts that a new organisation, Security Professionals Australasia (SPA) is undertaking to work with the security industry and governments to improve the state of affairs.

The article has been published in the latest edition of Security Solutions Magazine (Nov/Dec 2015), which is available at http://www.securitysolutionsmagazine.biz/

(Disclosure of interest, Alex Webling is a member of SPA)

Climate sustainability and resilience

Resilience for organisations is bound to their adaptability to climate change both in the short and long term.

A review of US public companies shows a number of climate related risks and costs. Their ability to adapt and become resilient to climate change is starting to affect their finances.

The report reveals that S&P 500 companies are seeing climate-change-related risks increase in urgency, likelihood and frequency, with many describing significant impacts already affecting their business operations, according to CDP, which collects environmental performance information on behalf of investors.

Threats include damage to facilities, reduced product demand, lost productivity and necessitated write-offs. The impact of these threats being realised comes with costs that can reach millions of dollars.

Importantly, the proximity of the threat is quite near. 45% of the risks S&P 500 companies face from extreme weather and climate changes are current, or expected to fall within the next one-to-five years, up from 26% just three years ago. 50% of these risks range from “more likely than not” to “virtually certain”. This is up from 34% three years ago.

Around 60 companies describe the current and potential future risks and their associated costs in the research, which highlights excerpts from the companies’ disclosures to their investors between 2011 and 2013. Ironically, even News Corp made the following contribution to the report.

“Climate projection models make it difficult to know exactly how business might be impacted by episodic weather events. However, it is clear from past severe weather events that some of News Corporation’s businesses are susceptible to such extreme weather.”(p6)

The media release accompanying the report asserts that

Dealing with climate change is now a cost of doing business

Making investments in climate change related resilience planning both in their own operations and in the supply chain has become crucial for all corporations to manage this increasing risk.

Resilience Outcomes has the skills and expertise to help your organisation develop its organisational resilience strategy, taking into account how it will adapt to the changing environment. Contact us via the form below or at [email protected] to discuss your needs.

Download the full report here

CDP is an international, not-for-profit organisation providing the only global system for companies and cities to measure, disclose, manage and share vital environmental information. We work with market forces to motivate companies to disclose their impacts on the environment and natural resources and take action to reduce them

SCADA CERT practice guide

ENISA has released a good practice guide for CERTs that are tasked with protecting industrial control systems  (SCADA).

The European Union Agency for Network and Information Security (ENISA) publishes a lot of advice and recommendations on good practice in information security. Necessarily, it has a European focus, but almost all the advice is applicable to systems in any region.

This SCADA CERT practice guide focuses on how Computer Emergency Response Teams should support Industrial Control Systems (ICS). Strictly, SCADA (Supervisory Control and Data Acquisition) is one class of ICS, alongside distributed control systems and PLC-based plant control, but in practice the two terms are used almost interchangeably, as they are here.

SCADA systems were around before the Internet. The first systems were driven by mainframes and installed to control water and electricity networks. Since then, SCADA has become ubiquitous and systems that were initially designed to work on independent networks have been connected to the Internet.

Connecting SCADA to the Internet has real attractions: operators can reach geographically dispersed sites from anywhere, and it is far cheaper than dedicated links. At the same time, it exposes systems designed for isolated networks to attacks on confidentiality and, more importantly in this context, on integrity and availability: a forged command to a controller matters far more than a leaked sensor reading.

Industrial Control Systems support every aspect of our daily lives. Photo CC World Bank Photo Collection

The ENISA ICS guide tries to put together in one document a guide for CERTs that are required to protect SCADA/ICS systems. Importantly, it doesn’t just focus on the technical capabilities required for operations, but also on organisational capabilities and what it terms ‘co-operational capabilities’. This last part is important, as computer emergency response teams can forget that they are part of a system and the system is only as strong as its weakest link. Preparation for things going wrong involves identifying the people, resources and stakeholders that will be required. Developing relationships with other organisations always pays dividends when an emergency occurs. This is where the ENISA advice is in some ways superior to the advice from the US DOE, although I acknowledge the attractive simplicity of some of their guidance.

It is good that the authors acknowledge that this area is one where there is limited experience and that the guide should be considered a ‘living document’. As usual in cyber-security protection, both technical expertise and organisational /management guidance are required.

More information available from ENISA

US DOE SCADA guide

Over-classification restricts information sharing

Over-classification in government continues to restrict information sharing according to a report by the US Department of Defense Inspector General.

Balance in Information Security

I’ve written previously about over-classification and why it needs to be actively countered in large organisations in the private sector and more importantly government. Getting the balance right in information security is critical to mission success.

There are a few key findings from the Inspector General’s report which will be no surprise for anybody who’s worked in a classified environment. The review sampled emails and documents classified by the US Defense Department and found:

  • 100% of the emails reviewed were incorrectly classified or marked
  • Around 70% of the sample material (documents/ files)  had ‘classification discrepancies’

I’d like to say it’s better in Australia, but I’m not confident. What is more interesting from a security perspective is the over-classification of material. The report states

“we do not believe that those instances concealed violations of law, inefficiency, or administrative error; prevented embarrassment to a person, organization, or agency; restrained competition; or prevented or delayed the release of information not requiring protection in the interest of national security.”

Well, they would say that, wouldn’t they. But leaving my cynic’s hat off for the moment… OK, one passing comment – there is a difference between the organisational approach, which tries not to conceal, and the approach of individuals or groups within an organisation.

Unfortunately, the report doesn’t make very many recommendations that will bring about change. In typical public servant speak, it says

We recommend that the Under Secretary of Defense for Intelligence and for Acquisition, Technology, and Logistics carry out the recommendations outlined in this report and continue to leverage the new Defense Security Enterprise, especially with regard to ensuring that Original Classification Authorities are fully engaged and accountable.

In any case, the report does acknowledge that

over-classification could unnecessarily restrict information sharing.

Hooray! Admittedly, a bit softer than I would like, but still important.

In this information age, as the Snowden revelations keep showing us, the US and its allies have access to huge swathes of information, but they can’t use it effectively to defend themselves or their allies.

The answer to this problem is not gathering more information! The 9/11 Report and scores of others keep telling us that we have the information in our databases, but we don’t use it effectively.

I’m not sure what the best analogy is here; maybe it’s a person whose brain is not connected to their muscles properly. They can see and hear everything, but they rarely succeed in reacting to any of these stimuli. The problem with this analogy is that somebody with locked-in syndrome desperately wants to make his limbs move. I’m not sure this is the case with intelligence agencies and sharing information.

This does seem to be the curse of too much information and not enough brainpower to analyse it and use it properly. Especially when you are looking for the terrorist needle in a haystack. Over-classification is a key issue in the fight against fast evolving terrorist organisations.

Another perspective can be found over at Secrecy News – “DoD Inspector General Report on Over-classification misses the mark“.

More about the USA Department of Defense Inspector General

Alex Webling was the head of protective security in the Australian Attorney-General’s Department.

Cyber-Security doesn’t stop at the virtual perimeter

News that the New York Times was hacked by the Syrian Electronic Army is interesting not because of the fact that the NYT was hacked, but because of the method of gaining access.

According to this article, information security at the NYT fell over because it forgot that cyber-security doesn’t stop at the perimeter. Melbourne IT, the Australian domain registrar used by both Twitter and the NYT, was breached. This gave the Syrian Electronic Army access to the registrar’s records for domains owned by Twitter and the NYT, whose DNS records they then changed so that lookups were answered by infrastructure the attackers controlled. Nothing on the NYT’s own servers needed to be compromised.

A number of quick conclusions

  1. This was a well-planned attack that almost certainly took some time to conceive, research and operationalise.
  2. You should assume your organisation will be hacked. Work out how to detect the breach and recover quickly.
  3. Cyber-security is an evolutionary struggle between those who wish to break systems and those who wish to stop systems being broken. Quite often it’s the same people, e.g. the NSA.
  4. 80-90% of the differences between good cyber-security and great cyber-security are not in the IT, they are in the organisational approach and culture.
  5. In this hack, a variety of methods seem to have been used, including phishing for registrar credentials, which were then used to alter the DNS records of the target domains.
  6. Cyber-security requires expertise in managing information, risk and developing resilient organisational frameworks, something often forgotten.
  7. Everybody is your neighbour on the Internet, the good guys and the bad.
  8. Cyber-security practitioners need to consider the risks to the high-value systems they are protecting from connected suppliers and customers.
  9. This requires cyber-security practitioners who are good people influencers, because the vulnerabilities tend to be at human interfaces.
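Conclusions 2 and 8 above (detect the breach quickly; watch the suppliers you depend on) can be made concrete for this class of attack. The script below is an added example written for this page; it is not code from the original post, nor tooling from Melbourne IT, Twitter or the NYT. It assumes the defender pins the DNS records that matter (NS delegation, web A records, MX) and periodically captures `dig +noall +answer` output for the same names; the domain names, nameservers and addresses in it, and the ‘healthy’ and ‘hijacked’ captures, are constructed sample data.

```python
"""Detect registrar/DNS hijacking by comparing live DNS answers to a pinned baseline.

Added example, not code from the original post. Assumes a baseline of the records
that matter (NS delegation, web A records, MX) and periodic `dig +noall +answer`
captures for the same names. All names and addresses below are constructed.
"""
from collections import defaultdict

# Below this TTL a change is treated as suspicious even if it looks legitimate:
# attackers drop TTLs so their replacement answers propagate quickly.
MIN_EXPECTED_TTL = 300


def parse_answers(text):
    """Parse `dig +noall +answer` style lines into {(name, rtype): {(ttl, rdata), ...}}.

    Each answer line looks like: "example.com.  3600  IN  NS  ns1.example-dns.net."
    Blank lines and comment lines (starting with ';') are ignored.
    """
    records = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # not an answer-section line we understand
        name, ttl, rtype = fields[0].lower(), int(fields[1]), fields[3]
        rdata = " ".join(fields[4:]).lower()
        records[(name, rtype)].add((ttl, rdata))
    return dict(records)


def check_zone(baseline, observed):
    """Return a list of findings, one per deviation from the baseline.

    baseline: {(name, rtype): {rdata, ...}}  -- expected answers, no TTLs
    observed: output of parse_answers()
    Findings are plain strings so they can be fed to whatever alerting exists.
    """
    findings = []
    for (name, rtype), expected in sorted(baseline.items()):
        seen = observed.get((name, rtype), set())
        seen_rdata = {rdata for _ttl, rdata in seen}
        # Missing records: the name may have been re-delegated so it no longer answers.
        for missing in sorted(expected - seen_rdata):
            findings.append(f"MISSING {rtype} {name}: expected {missing}")
        # Unexpected records: the classic sign of a changed delegation or A record.
        for extra in sorted(seen_rdata - expected):
            findings.append(f"UNEXPECTED {rtype} {name}: got {extra}")
        # Low TTLs on pinned records: cheap to check, and a common hijack tell.
        for ttl, rdata in sorted(seen):
            if ttl < MIN_EXPECTED_TTL:
                findings.append(f"LOW-TTL {rtype} {name}: {rdata} ttl={ttl}")
    # An NS delegation for a name the baseline says should not be delegated at all.
    for (name, rtype), seen in sorted(observed.items()):
        if rtype == "NS" and (name, rtype) not in baseline:
            for _ttl, rdata in sorted(seen):
                findings.append(f"UNEXPECTED-DELEGATION NS {name}: {rdata}")
    return findings


# Constructed baseline for a hypothetical news site (not a real zone).
BASELINE = {
    ("news-site.example.", "NS"): {"ns1.registrar-dns.example.", "ns2.registrar-dns.example."},
    ("www.news-site.example.", "A"): {"203.0.113.10", "203.0.113.11"},
    ("news-site.example.", "MX"): {"10 mail.news-site.example."},
}

# Constructed "good day" capture.
HEALTHY_CAPTURE = """
news-site.example.      86400  IN  NS  ns1.registrar-dns.example.
news-site.example.      86400  IN  NS  ns2.registrar-dns.example.
www.news-site.example.   3600  IN  A   203.0.113.10
www.news-site.example.   3600  IN  A   203.0.113.11
news-site.example.       3600  IN  MX  10 mail.news-site.example.
"""

# Constructed capture of the kind of change a registrar-account compromise produces:
# delegation moved to attacker nameservers, the web front end pointed at an attacker
# host, and TTLs dropped so the change propagates fast. MX left alone.
HIJACKED_CAPTURE = """
news-site.example.        120  IN  NS  ns1.attacker-dns.example.
news-site.example.        120  IN  NS  ns2.attacker-dns.example.
www.news-site.example.     60  IN  A   198.51.100.77
news-site.example.       3600  IN  MX  10 mail.news-site.example.
"""


def run_check(capture_text, baseline=BASELINE):
    """Parse one capture and return its findings (an empty list means it matches the baseline)."""
    return check_zone(baseline, parse_answers(capture_text))


if __name__ == "__main__":
    for label, capture in (("healthy", HEALTHY_CAPTURE), ("hijacked", HIJACKED_CAPTURE)):
        print(f"== {label} ==")
        for finding in run_check(capture) or ["OK: matches baseline"]:
            print(" ", finding)
```

Take the real captures from several resolvers, including a recursive resolver outside your own network: a registrar-level change shows up in the public delegation long before anything on your own servers looks wrong. Alerting on a dropped TTL is deliberately noisy; a legitimate migration also lowers TTLs, but that should be a planned event that whoever is on call already knows about.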

Further technical details have been posted here.

http://www.flickr.com/photos/alextorrenegra/
New York Times – by ATorrenegra

Contact Resilience Outcomes to discuss how we can help your organisation become more resilient at [email protected]

Organisational resilience – biological approaches

A biological approach to organisational resilience

By a lapsed microbiologist
 “Organisational resilience is only achievable through adaptability”
Flowers are just an adaptation of a normal leaf on plants, a combination of genes normally responsible for forming new shoots. Photo of a wattle flower by AWebling, 2013
Too many leaders start believing their own press and thinking that they are able to predict the future. Whilst it is absolutely true that the best indicators of the future are the events of the past, it is also true that the past is not an absolute indicator of future events, because our view of the past is limited by our record of it. Some events are so rare that they are not recorded, yet they may have extreme consequences if they occur. So if we cannot predict the future with certainty, how is longevity possible for organisations? The answer is resilience, and at the core of resilience is adaptability.

The lesson from biology is that it is adaptation to the environment that has allowed organisms to survive and thrive. However large and seemingly terrible[1] an organism is, if it is not adapted to its environment it will become extinct. The vast majority of species that have ever existed are not around today.

The same is true for organisations.

The vast majority of organisations that have ever existed are not around today

In simple terms the story is the same for each failed organisation. They were unable to adapt to the business environment before they ran out of resources. Those that survive a crisis are able to do so for two reasons

  1. They have the resources (capital, personnel, leadership etc) to manage themselves out of a crisis once it hits, emerging weaker but alive; or
  2. They are prepared to adapt if a crisis arises and have developed a broad set of principles which will work with minimal change in most eventualities. These companies still suffer from the crisis at first, but emerge stronger in the longer term.

By my reckoning, 99% of companies that manage to survive a crisis are in the first category. In most cases, those companies are then consigned to a slow death (My Space anyone?). Sometimes however, the first crisis weakens them, but they then become more resilient and bounce back to ride future crises.

This is an era of organisational accelerated extinction

What is more, the ‘extinction rate’ for companies is becoming faster as society and technology changes more rapidly.

I think we all understand that small businesses come and go, but this lesson is true for large organisations as well. Of the top 25 companies on the US Fortune 500 in 1961, only six remained there in 2011.

Research carried out on Fortune 500 companies in the USA shows[2] that the rate of turnover of large organisations is accelerating. The average tenure on the list fell from around 35 years in 1965 to around 15 years in 1995.

If you think about how much the world has changed since 1995 when Facebook barely existed and Google just did search, you might agree with the idea that organisations that want to stick around need to adapt with the changing environment.

So give me the recipe!

Bad news, there isn’t a hard recipe for a resilient organisation, just like there isn’t one for a successful company, but they all seem to share some common attributes such as agility and the ability to recover quickly from an event and an awareness of their changing environment and the willingness to evolve with it amongst others. This is difficult for a number of reasons.

  1. Increasing connectedness – interdependencies (just-in-time process management, for example) make societies and organisations more brittle, and risks that have shown independence in the past may, in rare instances, become highly correlated.
  2. Increasing speed of communication forces speedier decision making.
  3. Increasing complexity compounds the effect of any variability in data and therefore the uncertainty for decision makers.
  4. Biology – organisations operate with an optimism bias[3]. Almost all humans are more optimistic about their future than is statistically warranted. We plan for a future which is better than it turns out to be and do not recognise the chances of outlier events correctly. Additionally, we plan using (somewhat biased) rational thought, but respond to crises with our emotions.
  5. Organisational inertia – the reluctance to change organisational culture to adapt to a change in the environment.

Something about organisational culture and resilience

When discussing culture, resilience is more an organisational strategic management strategy, and less a security protocol. In this sense, Resilience is the ‘why’ to Change Management’s ‘how’. But both are focused on organisational culture.

Organisations, particularly large organisations, all have their own way of doing things. Organisational culture is built up because individuals within the organisation find reward in undertaking tasks in a certain way. This is the same whether we are talking about security culture or indeed financial practice. Organisational culture goes bad when the reward structure in the organisation encourages people to do things that are immoral or illegal.

Larger organisations have more inertia and so take longer to move from good to bad culture and vice versa. Generally most organisations that are larger than about 150[4] staff have a mix of cultures.

The more successful an organisation has been in the past, the more difficult (inertia) it will be to make change, and so it becomes susceptible to abrupt failure. Miller coined the term ‘Icarus Paradox‘ to describe the effect and wrote a book by the same name. In the Greek myth, Icarus escaped Crete on wings of feathers and wax made by his father Daedalus, but died when he flew too close to the sun and the wax melted, causing the feathers to fall out of the wings.

Maybe the Kodak company is the best example of this. An organisation that had been very successful for more than 100 years (1880 -2007), Kodak failed to make the transition from film to digital as fast as its competitors. The irony is that it was Kodak researchers who in the 1970s invented the first digital camera, thus sowing the seeds of the company’s doom forty years later.

Where does my organisation start on the path

So what is the answer, how do we make sure that our organisations adapt faster than the environment that is changing more rapidly every time we look around? The only way is to begin to adapt to the changing environment before crises arise. This requires making decisions with less than 100% certainty and taking risk. The alternative is to attempt to change after a crisis arises, which historically carries higher risk for organisations.

It is a combination of many things –

  • developing an organisational culture which recognises these attributes which is supported and facilitated from the top of the organisation;
  • partnering with other organisations to increase their knowledge and reach when an event comes; and
  • Lastly engaging in the debate and learning about best practices

Are there two sorts of resilience?

But is resilience just one set of behaviours, or several? When we think of resilient organisations and communities, our minds tend to go to the brave community, people or organisation that rose up after a high-consequence event and overcame adversity. These people and organisations persist in the face of natural and man-made threats. Examples include New York after the September 2001 attacks; Brisbane after the floods in 2011; and the communities hit by the Asian tsunami in 2004.

However there is another set of actions, which are more difficult in many ways to achieve. This is the capacity to mitigate the high consequence, low likelihood events or the creeping disaster before a crisis is experienced. The US behaved admirably in responding to the 9/11 terrorist disaster after it had occurred, but as the 9/11 Commission Report notes, terrorists had attempted on numerous occasions to bring down the World Trade Center and come quite close to succeeding.

Last Thoughts

Life becomes resilient in that it is replicated wildly so that many copies exist, so that if some number fail, life can continue. Individual creatures carry DNA, which is all that needs to be replicated. Those creatures compete with each other and the environment to become more and more efficient. An individual creature may or may not be resilient, but the DNA is almost immortal.

How an organisation achieves this is the challenge that every management team needs to address if they want to achieve longevity.

If you wish to discuss any of the issues in this whitepaper, please contact us



[1] noting that the word dinosaur is directly translated as terrible lizard

[2] http://www.kauffman.org/uploadedFiles/fortune_500_turnover.pdf

[4] Dunbar number

Getting cyber security on the company board agenda

Making strategic decisions about cyber security, or any sort of security, needs to be done at the board level. It is difficult to get company boards to focus on strategic issues, despite the fact that this is what they are theoretically meant to do. Companies are busy places and there are always minute issues that take time from board meetings. In some companies, the culture is such that managers avoid their responsibility by sending decisions to the board, again robbing the board of valuable time.

The Centre for the Protection of National Infrastructure, a UK Government organisation, has released a short document aimed at helping security managers get cyber security onto the corporate agenda. CPNI makes the somewhat obvious point that getting buy-in from a company board is crucial to the successful outcome of a cyber security implementation project.

Although the CPNI paper doesn’t spell it out quite this way, the key is to show in a concise manner why security is of importance to them and the company they are responsible for. Generally the key issues fall into three categories.

  1. Financial – the loss due to another entity (government, business, criminal) gaining commercially sensitive information. The effect of this can be short term where a negotiation is damaged or longer term where valuable intellectual property is lost.
  2. Legal – many organisations are subject to regulatory requirements to protect information that they hold on behalf of clients, stakeholders and staff. In Australia, the Australian Privacy Principles come into force in March 2014. Most private sector organisations will be required to adhere to them. Financial and professional organisations have been required to meet similar requirements for a number of years.
  3. Reputational – High profile privacy breaches have affected a number of large companies. Companies such as Sony, Heartland and RSA have suffered huge breaches which cost them millions of dollars to clean up and resulted in significant lost business. In some cases, they have resulted in tightened regulation which in turn increased the cost of doing business.
RSA key generator (photo)
Playstation breach – Sony contrite (photo)
Things to remember

  • most if not all board members will not have a good understanding of the Internet or information security (Tech companies are the exception of course).
  • boards are generally made up of people who are very clever and need you to acknowledge it – presentations need to be logical but also require little subject specific knowledge.
  • If you are the expert, you need to have the answer when one board member starts talking about “my daughter’s computer” or the spam they “get on the company email” that they don’t get at home – this is where a well briefed chair is important.
  • the best briefings work when board members are given details of current, real world examples of similar companies’ misfortunes. You can bet that Microsoft looked very hard at the Sony hack at the board level and that CA examined the breach of RSA tokens carefully!
  • Sometimes an outside expert needs to be brought in to tell the board what the security cell already knows. It is a funny quirk of human nature that we sometimes don’t give enough respect to the people in our own organisation.

That’s where you can call on us to help you get your message across. We have experience talking to boards and senior executives from government, councils, banks and companies including those in the DISP.

The CPNI paper is here http://www.cpni.gov.uk/documents/publications/2013/2013009-influencing_company_boards.pdf?epslanguage=en-gb

Australia’s CERT also publishes advisories which are useful (disclosure – Alex Webling was the founding director of Govcert.au) https://www.cert.gov.au/advisories

Cybersecurity – keep your head

The Australian Attorney-General’s Department released the 2012 Cyber Crime and Security Survey on 18 February. Reading the press that accompanied it eg Cyber criminals struck one in five top Australian businesses, and similar surveys in past years, you might be forgiven for thinking that we are on the precipice of a cyber armageddon!

There is no denying that the threat, vulnerability and consequence of cyber attack to organisations is increasing steeply.
Luckily all is not lost: organisations can minimise their attack surface significantly. How? By taking a holistic approach to their information security which blends appropriate physical, personnel and IT security mitigations. This, with a well thought out response and recovery plan, can produce layered security and lead to a resilient organisation able to sail the ‘cyber seas’ with confidence.

In the IT space, doing the basics well can protect against all but the most sophisticated attacks

The survey in question was conducted on behalf of the Australian Computer Emergency Response Team (CERT.au), part of the Attorney-General’s Department. CERT’s 450 client organisations were sent the survey and 255 responded. Whilst the survey numbers are small, and therefore become statistically unreliable very quickly, the clients of CERT.au are vital to Australia. Generally, CERT.au client organisations are part of Australia’s critical infrastructure. They include utilities, telecommunications providers, financial institutions and also mining companies.

That said, there are some interesting figures.

  • 22% of respondents (around 55) said that they knew they had had a cyber incident in the last 12 months. Of more concern, 9% of respondents reported that they “didn’t know”.
  • 50% of respondents (i.e. 127) considered that they had been subjected to targeted attacks.

The most commonly reported cyber incident was ‘loss of a notebook / mobile device’, followed by virus infection; trojan/rootkit; unauthorised access; theft/breach of confidential information; and denial of service attack. This seems odd; I find it difficult to reconcile the loss of a laptop with hackers sitting in bunkers outside Shanghai targeting key espionage targets. The concerning question is whether respondent companies are only seeing the easy-to-spot attacks (i.e. a missing laptop, a computer not working because of a virus, etc.) and not the more sophisticated level, i.e. the stealth attack that exfiltrates data to foreign lands.

The survey authors also reiterate an oft-made point about the ‘trusted insider’:

“Many companies spend the majority of their IT security budget on protection from external attacks. But the figures above serve as a reminder that internal controls and measures are also important, to ensure that internal risks are also managed”.

This is a relic of the perimeter approach to information security, the ‘us and them’ approach. It doesn’t work anymore because the network has no discernible boundary in the modern interconnected organisation.

Delving further into the report it is interesting to look at contributing factors to attacks. The relevant table is replicated here. Almost all of the contributing factors can be wholly mitigated, with the possible exception of “attractiveness of your organisation to attack” and arguably “Sophisticated attacker skill which defeated counter-measures in place”.

Source: www.cert.gov.au, Cyber Crime and Security Survey Report 2012

In any case, we sometimes forget that the spectrum of resilience involves prevention, preparation, response and recovery. Organisations need to be agile; they need to work hard to prevent and prepare for loss or compromise of sensitive information, but accept that it is not possible to repel every attack. For this reason, resources need to be allocated to response and recovery.

Another important point is about the vital role of computer emergency response teams (CERTs). CERTs are like the white blood cells in our bodies: they share information which helps their clients protect themselves.
The other way to think about it is that the bad guys take advantage of the information superhighway by sharing information at the speed of light about vulnerabilities in different systems and new attack techniques, so why shouldn’t the good guys? I’ve written about this previously. The problem is always that the bad guys have an advantage. As the IRA said after the Brighton bombings in 1984, which almost wiped out the then UK Prime Minister Margaret Thatcher…

“Today we were unlucky, but remember we only have to be lucky once”

So do the hackers.

Alex


Visualising organisational resilience

Resilience

I’ve been trying to summarise organisational resilience into a form that can be visualised for some of the people who I’m working with. The key has been to summarise the thinking on resilience as succinctly as possible.

Apart from the diagram you can see, the text below attempts to give concise answers to the following questions:

  1. What is it (Resilience)?
  2. Why should my organisation care about resilience?
  3. Why is detailed planning not working anymore (if it ever did)?
  4. What’s the recipe for resilience?
  5. How does an organisation develop these characteristics?
  6. Resilience before and after (a crisis)
  7. How does nature do resilience?


Resilience in a mindmap

Visualising resilience is itself an exercise in complexity

The diagram should be printed at A3, so you can download a PDF version here: resilience in a mindmap PDF

Let me take you on a journey …

What is it?

Resilience is about the ability to adapt for the future and to survive, whether for an organisation, a country or an individual.
What seems sometimes forgotten is that the adaptation is best done before a crisis!
And here Resilience is more an organisational strategic management strategy than a security protocol. In this sense, Resilience is the ‘why’ to Change Management’s ‘how’.

Why should my organisation care about resilience?

Research shows that the average rate of turnover of large organisations is accelerating, from around 35 years in 1965 to around 15 years in 1995. Organisations that want to stick around need to adapt with the changing environment.

Organisations know that they need to change to survive, but today’s urgency overrides the vague need to do something about a long-term problem. For this reason, crises can be the catalyst for change.

Resilience is about dealing with organisational inertia, because the environment will change. The more successful an organisation has been in the past, the more difficult it will be to make change, and so it becomes susceptible to abrupt failure. Miller coined the term ‘Icarus Paradox’ to describe the effect and wrote a book by the same name. Icarus was the fictional Greek character who with his son made wings from feathers and wax, but died when he flew too close to the sun and the wax melted, causing the feathers to fall out of the wings.

It is possible that Eastman Kodak is the best example of this trait. An organisation that was very successful between 1880 and 2007, Kodak failed to make the transition to digital and to move out of film fast enough.

Why is detailed planning not working?

Simply put, the world is too complex and outliers are becoming more common:

  1. increasing connectedness: interdependencies lead to increasing brittleness of society and organisations (just-in-time process management); risks, in rare instances, may become highly correlated even if they have shown independence in the past
  2. speed of communication forces speedier decision-making
  3. increasing complexity compounds the effect of any variability in data, and therefore the uncertainty for decision-makers
  4. biology: we build systems with an optimism bias. Almost all humans are more optimistic about their future than is statistically possible. We plan for a future which is better than it will be and do not recognise the chances of outlier events correctly. Additionally, we plan using (somewhat biased) rational thought, but respond to crises with our emotions.
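Point 1 above, that interdependent risks which looked independent in the past can become highly correlated, is easy to put numbers on. The following is an added example, not part of the original post: a small mixture model of `n` dependencies (suppliers, systems, data centres) that each fail with probability `p` in a given year, plus a rare shared shock (probability `s`) that raises every component’s failure probability to `p_shock`. All parameter values are constructed for illustration. It also shows why a short history can look “independent”: it computes how many years of observation are needed before the shock is more likely than not to have been seen at all.

```python
"""Independent vs common-cause failure of interdependent components.

Added example (not from the original post). Models n dependencies that each
fail with annual probability p. Under a naive independence assumption the
chance that k or more fail in the same year is tiny; a rare shared shock
(common cause) with probability s, during which each component fails with
probability p_shock instead, makes the tail far heavier. All values are
constructed for illustration only.
"""
from math import comb, log


def tail_prob_independent(n: int, p: float, k: int) -> float:
    """P(at least k of n components fail) when each fails independently
    with probability p (binomial upper tail)."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def tail_prob_with_common_cause(n: int, p: float, k: int,
                                s: float, p_shock: float) -> float:
    """Mixture model: with probability s a shared shock occurs and every
    component's failure probability rises to p_shock; otherwise the
    components behave independently with probability p as before."""
    return ((1 - s) * tail_prob_independent(n, p, k)
            + s * tail_prob_independent(n, p_shock, k))


def underestimate_factor(n: int, p: float, k: int,
                         s: float, p_shock: float) -> float:
    """How many times larger the true tail probability is than the one a
    planner would compute by assuming independence."""
    return tail_prob_with_common_cause(n, p, k, s, p_shock) / tail_prob_independent(n, p, k)


def years_to_observe_shock(s: float, confidence: float = 0.5) -> float:
    """Number of annual observation periods needed before the probability of
    having seen at least one shock reaches `confidence`. If this exceeds the
    length of the available history, past data will suggest independence
    even though the common cause exists: 1 - (1 - s)**T = confidence."""
    return log(1 - confidence) / log(1 - s)


if __name__ == "__main__":
    # Constructed scenario: 5 dependencies, 5% annual failure each,
    # a 1% chance per year of a regional event that takes 90% of them down.
    n, p, k, s, p_shock = 5, 0.05, 5, 0.01, 0.9
    print("P(all 5 fail), independent:", tail_prob_independent(n, p, k))
    print("P(all 5 fail), with shock :", tail_prob_with_common_cause(n, p, k, s, p_shock))
    print("underestimate factor      :", round(underestimate_factor(n, p, k, s, p_shock)))
    print("years of history for a 50% chance of having seen the shock:",
          round(years_to_observe_shock(s), 1))
```

With the constructed parameters the independence assumption underestimates the chance of losing all five dependencies in one year by a factor of roughly nineteen thousand, and you would need about 69 years of history before a shock is more likely than not to appear in the data, which is exactly the trap the post describes.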

So if

  • we can’t predict the outlier events, and
  • this makes most strategy less useful, especially strategy which is written down and gathers dust without being lived,

maybe we can be more resilient when we run into the outliers: what Taleb calls the Black Swans in the book of the same name.

Taleb’s book is available from Book Depository and is well worth the read, even if he can’t help repeating himself and dropping hints about fabulous wealth.

What’s the recipe for resilience?

Bad news: there isn’t a hard recipe for a resilient organisation, just as there isn’t one for a successful company, but they all seem to share some common attributes, such as:

  • agility and the ability to recover quickly from an event; and
  • an awareness of their changing environment and the willingness to evolve with it, amongst others.

How does an organisation develop these characteristics?

It is a combination of many things:

  • developing an organisational culture which recognises these attributes and which is supported and facilitated from the top of the organisation;
  • partnering with other organisations to increase their knowledge and reach when an event comes; and
  • lastly, engaging in the debate and learning about best practices.

Resilience before and after (a crisis)

But is resilience just one set of behaviours, or a number of them? When we think of resilient organisations and communities, our minds tend to go to the brave community / people / organisation that rose up after a high-consequence event and overcame adversity. These people and organisations persist in the face of natural and man-made threats. Numerous examples include New York after the September 2001 events; Brisbane after the floods in 2011; and the Asian Tsunami in 2004.

However, there is another set of actions which is more difficult in many ways to achieve. This is the capacity to mitigate the high-consequence, low-likelihood events, or the creeping disaster, before a crisis is experienced. The US behaved admirably in responding to the 9/11 terrorist disaster after it had occurred, but as the 9/11 Commission Report notes, terrorists had attempted on numerous occasions to bring down the World Trade Center and had come quite close to succeeding.

In this thought may lie one of the best arguments for blue-sky research. Serendipity, wandering through the universe with your eyes open to observe what’s happening around you rather than head down and focused only on one task: is this the secret to innovation?

How does nature do resilience?

Life becomes resilient by being replicated wildly, so that many copies exist and, if some number fail, life can continue. Individual creatures carry DNA, which is all that needs to be replicated. Those creatures compete with each other and with the environment to become more and more efficient. An individual creature may or may not be resilient, but the DNA is almost immortal.

How an organisation achieves this is the challenge that every management team needs to address. Over the next posts I will expand on this more.

😉
