FBC Deputy Chairman Riikka Loisamo blogs “All businesses should acknowledge cyber risks”

Cyber Risk is a Business Risk

Long gone are the days when only banks and other financial institutions were concerned about cybersecurity.

This summer SingHealth lost the personal particulars of the Prime Minister of Singapore and some 1.5 million other people, and Maersk lost hundreds of millions in revenue last year when a ransomware attack prevented its employees from accessing the company’s data.

These are just some of the most public attack events.

At the second Asia ICS Cyber Security Conference, various industry experts shared their knowledge and experience of attacks targeting Industrial Control Systems (ICS) and advised on how corporations can protect themselves.

Corporations are more and more exposed to cyber threats as the separation between Information Technology (IT) and Operational Technology (OT) infrastructures is fading away. Several devices are connected via the Industrial Internet of Things (IIoT), and this leads to new cybersecurity challenges.

Cyber risk is always a business risk, emphasized Dale Peterson (Digital Bond). As with any risk, the goal should not be total risk elimination, as that would cost a lot of money and create inefficiencies in the organization. Instead, organizations should identify the biggest potential consequences a cyber attack can create and try to minimize those. The key question to keep in mind is how much risk reduction all the effort will actually produce. The purpose is not to use the most security controls but to reduce risk to an acceptable level.

The nature of cyber attacks has changed too, stated Samuel Lineres (Managing Director, Accenture). In the past, attackers’ main purpose was to steal money. Nowadays attackers cause disruption and destruction by attacking critical infrastructure, endangering human lives. The usual risk models don’t work anymore, as the probabilities of such attacks are unknown, and hence industrial cybersecurity (i.e. protection of critical infrastructure) would require collaboration between several parties.

The audience also got a very rare glimpse of how to prepare for cyber attacks from a state’s point of view, as Volodymyr Tyshchenko, Security Specialist at Ukraine State Service of Special Communication and Information Protection, shared details on various attacks the country has encountered during the past years. These attacks have mainly targeted energy supply and transportation. However, the problems are often caused by the same factors that corporations are struggling with too, namely unskilled employees, lack of backups and too slow reaction times to cyber events.

At the end of the day, it all boils down to cybersecurity skills. All the speakers brought up the need to train and educate employees. In Singapore, there are few Polytechnics with specialized cyber security curriculums, whereas in the US online courses are very popular. Another way to try to reduce the skill gap is to train IT people to have more operational technology skills and vice versa, e.g. through job rotation.

—–

Riikka Loisamo

Manager, Wärtsilä Acceleration Centre