Businesses should look at the structure of their organization if they want to prepare for cyber attacks,” says researcher.
Cyber crime is on the rise, and businesses are often the target. The risks are increasing as businesses networks become ever more complex with more IT solutions and global supply chains with many suppliers.
That makes the process of completing a realistic risk analysis very difficult for businesses,” says postdoc Daniel Sepulveda Estay, DTU Management Engineering.
With a decade of experience as, among other things, supply chain manager for Coca Cola and for the mining company BHP Billiton, he has observed first hand how this complexity makes the task of protecting businesses from unexpected events such as cyber attacks ever harder.
As a cyber risk researcher, he has noticed a new trend:
“Instead of putting all of their efforts into preventing cyber attacks, some organizations are working on attack response scenarios. The right response is crucial to how bad and how long the attack will affect the business,” he says.
Cyber attack analyses
In his research, Daniel Sepulveda Estay has analysed a cyber attack on an American IT hardware business.
Company data on a number of new products close to going on the market was stolen. The attack cost the company a number of key clients, and the incident affected the company earnings for nearly five years.
“Resilience is not about avoiding attacks, but how quickly the business can recover after an attack. A business is resilient if it is capable of containing the damage and quickly getting back to the normal activity level,” he says and continues:
“With our research, we are challenging the traditional way of analysing risks in the supply chain, because the diversity of risks has become so enormous that the traditional risk analysis methods simply do not suffice.”
He believes that we can improve risk analysis by moving away from the statistical analyses that focus on business reliability, and use dynamic analyses, where the focus is to identify and take control of business weak points, instead.
“Knowing the company’s weak points enables you to design structures such as teams and chains of command that enable the organization to react quickly to, e.g., cyber attacks.”
Three important factors
Through his research, Daniel Sepulveda Estay has identified three important factors that make businesses resilient to cyber attacks: flexibility, redundancy, and response time.
Flexibility is important during the acute phase of the attack and consists of mobilizing existing resources in the company. For example, this could mean allocating employees who can drop their usual tasks and instead help get an overview of the severity of the attack, manage consequences such as product and service delays, and communicate with the customers.
In the next phase, redundancy—a kind of business plan B—is important. Here the company further mobilizes its resources towards crisis management. This can be in the form of, e.g., extra backup servers or an alternative network of suppliers, which has been on standby.
The third key factor, response time, is all about the time it takes for the company to bring flexibility and redundancy into play. The time factor is crucial to the company’s resilience:
“The amount of time it takes to mobilize and utilize both flexibility and redundancy is crucial to how long and how bad the crisis will affect the company.”
Know the weak spots
Once the business has built up cyber resilience, it will not only be resilient to cyber attacks, but also to other incidents such as strikes, accidents, terrorism, and extreme weather conditions.
However, it all depends on the company’s ability to look inwards:
“We cannot control what comes from the outside, but we can try to control how we will react if a crisis occurs. By subjecting the organization to a risk analysis, you uncover the company’s weak spots. It is important to know the weak spots, if you want to have a resilient organization that can sustain a cyber attack,” says Daniel Sepulveda Estay.
Cyber security theme