Global brands need consistent global cyber security. But how?
Consistency underwrites the value proposition. Your customers might first come to you for any number of reasons, but they stay because you deliver what you have promised. You don’t have to be the cheapest or the fastest or the best. But you do need to be consistent and reliable.
Anything which interferes with consistency transforms brand promises into unfulfilled aspirations, or worse, outright lies. It might not even be your fault. And it can happen with astonishing swiftness as we all saw with Covid.
Notwithstanding conspiracy theories, Covid was entirely accidental. Yet it was the most powerful disruptive force since America’s Great Depression of 1929. In April 2021 the Wall Street Journal reported that the pandemic caused the permanent closure of roughly 200,000 US businesses (above and beyond the usual rate) during the first year alone.
When Covid ripped through Europe, EuroStat recorded that around 397,000 people in the European Union lost their jobs in the month of April 2020 alone. In truth, no country was untouched and, initially, there was no defence, very little mitigation and a whole heap of uncertainty.
Enough about Covid. My point is that the world endured a period of damaging uncertainty which no one had predicted or planned for. Today we face a man-made threat which is not only destructive but is almost inevitable. I’m referring to cyber-attacks - the bane of every global business.
Almost inevitable? Well, certainly more likely than not. In a survey of 5,600 businesses commissioned by Sophos, research agency Vanson Bourne reported that 66% of respondents had been hit by ransomware in 2021 – an increase of 76% over the previous year.
The rapid growth is helped along by the ‘Ransomware as a Service’ model which makes it easy for non-technical actors to launch crippling attacks. And that’s never going to go away.
It gets worse. In July last year, research firm Gartner went on record predicting that: ‘By 2025, cyber attackers will have weaponized operational technology (OT) environments to successfully harm or kill humans.’
There are various responses to a successful attack: pay the ransom; claim on insurance; rely on backups and in-house expertise; bring your carefully rehearsed emergency plan into play; cover it up and do nothing. All of these are beyond the scope of this article, and none of them are great. But what if you can take the initiative?
Brand is king
Let’s start with a basic truth. Your brand reputation is everything. People in local countries are buying from you because you are a global brand, which delivers the same service, the same quality of product and the same responsiveness wherever they are in the world. They want you to be reliable, predictable. Consistent. That’s especially true if your customers are running a Just in Time model.
Riding right along on that journey, that experience, is cyber security. Because cyber has to be consistent as well. You can't have a situation where your operation in Asia is very cyber secure, but your operation in North America isn't. Your customers expect you to have the same levels of cyber security throughout your organisation.
That’s a challenge, but there is a way forward and you don’t have to be a cyber expert to make a start. In fact, as a Covid survivor you already know what needs to be done.
Decide what’s critical
Not long ago I was talking to the board of a multinational which was reviewing its cyber stance. The business has operations in more than 20 countries and the local workforces speak at least 15 languages. Some territories had excellent cyber security, others less so.
The requirement was for an international team, which can immediately react to any cyber incident, in the country of the attack, in person. Multiple teams, multiple countries, multiple languages – and all to a very high degree of capability. That’s a big ask. Is it even possible?
Well, yes. It is possible to protect everything, everywhere, all of the time. It’s just hugely expensive and resource hungry. A more realistic and cost-efficient approach is to start by deciding what is critical to your business. What are the things which will hurt you most if they were shut down? Focus on those first. If a major production line was put out of action for a couple of weeks, for instance, could you recover?
But what about if it was only your web site that was compromised? Or your CRM platform? It would be annoying for sure, and perhaps a little embarrassing, but eminently survivable. No one ever died from embarrassment.
So, focus on your operational technology first. OT is generally an easier, more spectacular and rewarding target. That’s where hackers make the news; that’s how they enhance their reputations.
Remember the attack on the Colonial Pipeline? It made headlines all over the world. It was a ransomware attack which earned the hackers $4.4 million, which was paid in a few hours. It is believed that the hackers also stole around 100Gb of data prior to the attack.
For hackers, OT is the gift which keeps on giving.
Local, global or both?
When your OT is attacked your response must be swift and certain. This isn’t the time to book flights for a cyber response team to fly out to you the next day. And you can’t allow time zones and language barriers to complicate things.
You need boots on the ground within a few hours. You need people who understand your OT, your control systems, your production equipment and who also have deep cyber expertise. Remote support simply doesn’t cut it. You need a cyber response team on the shop floor, getting into the system, physically looking at what's going on.
That’s difficult to set up if cyber isn’t your business. So treat this like any global outsourcing project. You’re looking for local expertise backed with global resources, a service level agreement, KPIs, a single point of accountability – you know all this stuff.
The alternative is to have contracts with individual cyber firms in each country. That’s OK in theory but, quite apart from the difficulty of finding, say, 20 national cyber firms with OT expertise, you’ll have 20 different contracts and 20 slightly different ways of protecting your systems. That’s not good for consistency.
You don’t have to regionalise everything. Some things, such as cyber notifications, the 24/7 monitoring of your systems, threat intelligence, and so on, can be managed centrally from affordable locations. That’s prudent and useful but won’t stop a cyber-attack. So you have to make some decisions.
You've got to work out this blend between what you're going to do centrally and what you're going to do in a more regional or local way. That takes us back to having a clear, current and coherent view of your critical systems.
At this stage, you aren’t giving any thought to cyber at all. It’s not relevant. The time to start thinking about practical cyber initiatives - and how to protect your critical systems and processes if someone lobs a cyber half-brick your way - comes later. Once you have mapped your critical systems you can get to work with a cyber security firm.
Get in front. Stay ahead.
When you have good cyber-security, supported by a ready-to-go recovery plan, you have an advantage over competitors who don’t. And you should make that part of your pitch: ‘We understand that you need your suppliers to be consistent and reliable. That’s one of the reasons why we retain teams of cyber experts in every country we operate in. We protect our critical systems with world-class cyber security and we have recovery plans which are regularly rehearsed and updated. We are resilient. You can rely on us.’
But don’t stop there. You should be talking to your suppliers and moving cyber to the top of the agenda because if they are disrupted you will be, too.
A final thought for you. An attack against your OT is, as I said at the start of this article, almost inevitable. But what if you can announce to your shareholders and to the market:
‘Yes, we experienced a cyber-attack. But we were prepared for that. It was resolved the same day. We have made substantial investments in securing our critical systems and will continue to do so.’ That supports your brand values.
And it is so much better than: ‘We suffered a cyber-attack last week. We’re working hard to fix it but we can’t ship anything to you right now. We hope to restore those systems in the near future,’ followed by those universally hated words: ‘We apologise for any inconvenience.’
If you have implemented good, solid cyber security you can come out punching after an attack. And the markets will applaud you for it.
Key points in brief
- A cyber attack against you is almost inevitable.
- The number of attacks worldwide is increasing rapidly.
- Attacks have become easier to perpetrate, thanks to the ‘Ransomware as a Service’ model. They are also growing in sophistication.
- Decide which assets are mission critical and allocate your cyber security budget accordingly.
- Good cyber security should be part of your value proposition.
Meet Gareth Williams
Vice President Operations & International - Cyber Defence Solutions Business Line.
Gareth is responsible for the International Cyber Solutions Business of Thales across the world, spanning multiple countries and regions. He is also a member of the UK National Cyber Advisory Board, a member of the CBI Wales Council, and a board member of Technology Connected.