As it is late August, I wanted to start with a quote from a great summer movie about a town in denial. “Close all the beaches at the height of the summer tourist season? It would ruin the local economy! Yes, the ocean is full of sharks, but what are the odds …?”
If you are like most people, the constant risk of some sort of cyberevent has been drummed into you, both at home and at work. Just like the threat of great white sharks, we know the risk of a cyberattack is out there, but we tend to shrug it off.
[Learn more about the Internet of Things at Interop's Internet of Things Summit on Monday, September 29].
While some of us have fallen victim to a data “breach” or “hack” of some sort, it was likely of short duration and a minor inconvenience. Bad charges may have appeared on your credit card and you were eventually covered, and perhaps even first notified by the issuer’s fraud department when its algorithms flagged it.
Mostly minor cyberlosses
Let’s leave aside a subset group that has suffered significant loss due to a situation like identity theft. For most of us, life has gone on, and it was no big deal. Better still, we’ve witnessed increased IT spending against the problem (the boat is now bigger) and we all have become a bit savvier. We no longer use “password” as our password.
Because of this, I believe we have become complacent and inured to cyberrisk. We are for better or for worse fully invested in the model. We are like that town in the movie. Shark attack? Low probability -- keep the beaches open!
This scares me on several levels, especially because we have yet to imagine, let alone prepare for, Cyber Doomsday. So, the time is now to start the conversation about Business Continuity Planning (BCP) 2.0 or Disaster Recovery Planning (DRP) 2.0 -- take your pick.
Let’s set the stage. This scenario is different. It’s systemwide and global. Everything is down -- all systems and all communications -- and nothing may come back online for days, weeks, or months. Moreover, everything is corrupted. Even if the systems come back up, the dataset is so badly damaged that it is impossible to reconcile who has what. There is no electronic finance of any kind -- from ATM withdrawals to credit cards, to wire transfers -- nothing. No trading, no settlement, and no idea who holds what.
Thinking the unthinkable
The culprits? Take your pick, but the risk is not likely to be criminal. (They can’t steal much once all screens are black and all bank balances are at zero.) It's not likely even environmental. (We lose the power grid to a force majeure event.) Sovereign risk is a bit more likely from state actors or others whose motivation is not financial but, worse, political or religious (or both). All of this done without a shot fired and with all other infrastructure left standing.
No matter the reason, we are not prepared for it. While we do craft BCP models, most still assume that the event is within a band of reason -- bounded and limited to a single entity. Most assume that even those events with a broader impact across multiple entities and networks will fully resolve and self-heal over time. We are at BCP/DRP 1.0.
With this in mind, I recently sat in on an industry roundtable to discuss a number of socially important FinTech topics. (That’s correct -- the terms are not mutually exclusive.) The group included fellow CEOs, tech wizards, policy makers from the public and private sectors, investors, GRC (governance, risk management, and compliance) experts, and entrepreneurs of various pedigrees.
When we turned our attention to the doomsday scenario, many felt it was a matter of if and not when. The discussion ranged from, “How do we do more to prevent it?” to, “How do we fix it after it occurs?”
This first of what will hopefully be ongoing discussions highlighted a few key considerations for us all to ponder and work on, including the following:
- We are going to need a coordinated response paradigm.
- Like BCP/DRP 1.0, there should be a “fire drill” or two in order to raise our response readiness.
- Is there a role for “insuring” against the risk so that losses are somewhat covered?
- We may need to rethink how we have built parts of the system. Is it open to a fault?
- How do we restore confidence and an orderly resumption of commerce in the aftermath?
The sharks are out there. It’s impossible to close every beach. Time to get a bigger boat.Mitchel Kraskin is co-founder and CEO of Compliance Science, Inc. ("CSI") which has developed several groundbreaking governance, risk management and compliance solutions. With over twenty five years of executive experience managing the creation and delivery of software-based ... View Full Bio