Cyber security: the best defence is a flexible organization

Tuesday 16 Oct 18

Contact

Daniel Alberto Sepúlveda Estay
Postdoc
DTU Management Engineering
+45 45 25 44 03

In December 2015, large parts of Ukraine went dark for six hours as a result of the malware ‘KillDisk’, which shut down a number of power stations.

Source: ‘The future market for cybersecurity in Denmark’

The global WannaCry ransomware attack affected more than 300,000 computers in 150 countries in May 2017.

Source: Centre for Cyber Security, Danish Defence Intelligence Service.

“Businesses should look at the structure of their organization if they want to prepare for cyber attacks,” says researcher.

Cyber crime is on the rise, and businesses are often the target. The risks are increasing as business networks become ever more complex, with more IT solutions and global supply chains with many suppliers.

“That makes the process of completing a realistic risk analysis very difficult for businesses,” says postdoc Daniel Sepulveda Estay, DTU Management Engineering.

With a decade of experience as, among other things, supply chain manager for Coca Cola and for the mining company BHP Billiton, he has observed first hand how this complexity makes the task of protecting businesses from unexpected events such as cyber attacks ever harder.

As a cyber risk researcher, he has noticed a new trend:

“Instead of putting all of their efforts into preventing cyber attacks, some organizations are working on attack response scenarios. The right response is crucial to how bad and how long the attack will affect the business,” he says.

Cyber attack analyses

In his research, Daniel Sepulveda Estay has analysed a cyber attack on an American IT hardware business.

Company data on a number of new products close to going on the market was stolen. The attack cost the company a number of key clients, and the incident affected the company earnings for nearly five years.

“Resilience is not about avoiding attacks, but how quickly the business can recover after an attack. A business is resilient if it is capable of containing the damage and quickly getting back to the normal activity level,” he says and continues:

“With our research, we are challenging the traditional way of analysing risks in the supply chain, because the diversity of risks has become so enormous that the traditional risk analysis methods simply do not suffice.”

He believes that we can improve risk analysis by moving away from the statistical analyses that focus on business reliability and instead using dynamic analyses, where the focus is on identifying and taking control of business weak points.

“Knowing the company’s weak points enables you to design structures such as teams and chains of command that enable the organization to react quickly to, e.g., cyber attacks.”

Three important factors

Through his research, Daniel Sepulveda Estay has identified three important factors that make businesses resilient to cyber attacks: flexibility, redundancy, and response time.

Flexibility is important during the acute phase of the attack and consists of mobilizing existing resources in the company. For example, this could mean allocating employees who can drop their usual tasks and instead help get an overview of the severity of the attack, manage consequences such as product and service delays, and communicate with the customers.

In the next phase, redundancy—a kind of business plan B—is important. Here the company further mobilizes its resources towards crisis management. This can be in the form of, e.g., extra backup servers or an alternative network of suppliers, which has been on standby.

The third key factor, response time, is all about the time it takes for the company to bring flexibility and redundancy into play. The time factor is crucial to the company’s resilience:

“The amount of time it takes to mobilize and utilize both flexibility and redundancy is crucial to how long and how bad the crisis will affect the company.”

Know the weak spots

Once the business has built up cyber resilience, it will not only be resilient to cyber attacks, but also to other incidents such as strikes, accidents, terrorism, and extreme weather conditions.

However, it all depends on the company’s ability to look inwards:

“We cannot control what comes from the outside, but we can try to control how we will react if a crisis occurs. By subjecting the organization to a risk analysis, you uncover the company’s weak spots. It is important to know the weak spots, if you want to have a resilient organization that can sustain a cyber attack,” says Daniel Sepulveda Estay.
