How to prepare for the cyberattack that is coming to your company

By Michael Coden, Shoaib Yousuf, Alex “Sandy” Pentland, and Stuart Madnick

December 4, 2016 - Cybersecurity is a $445 billion problem, and some predict that figure could rise to $6 trillion by 2021. The list of companies that have already been hacked, attacked, and breached—suffering business interruptions and intellectual-property losses and exposing their customers to identity theft—reads like a who’s who of the retail, tech, telecom, manufacturing, and financial services industries, among others. The finances, operations, customer data, R&D, intellectual property, and brand reputations of all companies are at risk, which makes cybersecurity a fiduciary responsibility of the board and senior management. Yet in many organizations, top executives and board members still believe that cybersecurity is just an IT issue.

Nothing could be further from the truth; IT alone will never be able to address cybersecurity in a meaningful way. Sustainably addressing cyber risk requires an organization-wide, cross-functional approach and the integration of cybersecurity and business strategy. Boards and senior management play a pivotal role in creating the organizational and cultural environment for such a joint approach. Top management and board members must recognize the risks involved and take steps to ensure that they are prepared for the day that their company is compromised—because it’s all but certain to happen.

Over the past year, in collaboration with the cyber resilience initiative of the World Economic Forum, BCG, MIT Connection Science, and MIT Sloan’s (IC)3 have worked together to identify, design, and test methods to effectively engage boards and other senior stakeholders on the critical and complex issue of cybersecurity. In addition to the robust principles to be followed and tools to be employed both to help prevent attacks and to deal with attacks that have occurred, we have found one medium that is particularly well suited to boosting the engagement and preparedness of top management and board members: tabletop exercises that simulate cybersecurity events and their fallout in real time.

These exercises can be useful in at least three ways. The first is practicing incident response, business continuity, and disaster recovery plans, as well as decision making under pressure, so that top leadership is not introduced to the far-reaching ramifications of a cyber breach only when one has just occurred. Second, immersive and interactive exercises can be the most effective (and memorable) method of teaching the basic concepts of cybersecurity. Third, these exercises can be used as a laboratory for developing and testing cost-effective strategies for cybersecurity defense and mitigating the consequences of cyberattacks.

Practicing Incident Response

Military commands play war games (including cyber war games). Schools and office buildings practice evacuation procedures and fire drills. The goals include improving performance, learning from doing, and saving lives. Captain Chesley “Sully” Sullenberger attributed his successful emergency landing of US Airways flight 1549 in the Hudson River, after the plane lost both engines on takeoff, to the extensive drilling and rehearsal he had undergone in flight simulators.

In similar fashion, by practicing the implementation of incident response, business continuity, and disaster recovery plans in a simulated cyberattack, board members and senior executives can gain a comprehensive understanding of how these attacks unfold, the variety of potential impacts, and their individual roles during a response, including potential interaction with law enforcement, regulatory officials, shareholders, employees, and customers. For this reason alone, such an exercise ought to be an essential part of any cybersecurity program.

Learning by Doing

The most effective way of learning is by doing. Think about kids learning to play soccer, for example. Studies by BCG and MIT have shown that the same theory applies to learning basic cybersecurity concepts. “Doing” via immersion in a simulated cyberattack gives executives a working knowledge of the wide variety of cybersecurity concepts that they need to understand to properly support the cyber resilience of their organization.

Cybersecurity is a complex field. The first step is defining a standard syllabus of subjects that need to be covered, which can include liabilities, mandatory regulations, voluntary guidelines, common threats, assets, methods of protecting assets, risk management, methods of detecting intrusions, forensics, and other key capabilities. The second step is taking teams of executives and board members through immersive scenarios using interactive simulations in which the concepts of the syllabus come into play and the impact of board decisions on the organization’s P&L is modeled. For example: What are the liabilities to the company (and to the board members) if the company continues operations in the face of a known cyber breach? What systems and protections does the company have in place to redress a cyber incursion? What are the legal and regulatory (and common-sense) requirements for notifying customers, shareholders, employees, and other stakeholders?

In our exercises, participating executives may operate as a single collaborative team, or they may be divided into two or more teams that compete to see which obtains a better score and finishes the exercise with the highest profits in its virtual P&L. Using such a hypothetical business case approach, the board and senior management learn cybersecurity concepts by experiencing them, and our research shows that they emerge with an excellent understanding of what otherwise seems like a daunting technical challenge.

Developing a Cybersecurity Strategy

Companies use laboratories to test products and processes before they are put into production. In a similar vein, tabletop exercises enable companies to test, evaluate, and refine cybersecurity strategies and, in so doing, to convert ideas and invention to systematic and scientific discipline.

When executives are immersed in a properly constructed scenario, they see how the cyber defenses they have built, or plan to build, actually perform, and they see the benefits that can be achieved by investing in further vulnerability prevention, attack detection, attack mitigation, and recovery. By living through a simulation using the company’s own cybersecurity investment plan, the board and senior management can experiment firsthand with the impact of each proposed investment, from training to technology. At the end of the exercise, they can consider changes and improvements—and whether a different cybersecurity investment plan might have provided a better outcome. For example, would a greater investment in multifactor authentication, advanced biometrics, or both have negated the attack? Would a larger investment in supply chain cybersecurity have made a difference? What would be the benefit of implementing a company-wide training program over 6 months rather than over 18 months? The goal is tangible output from the workshop, including a roadmap of next steps and a set of action items that optimize investments for cyber defense.

These immersive exercises allow organizations to focus on how to plan and budget to maximize the business resilience, including the cyber resilience, of the company. Sometimes the best investments may be ones that reduce the consequences of an attack, rather than trying to prevent the attack outright. A properly designed exercise enables board members and senior management to make more informed tradeoffs and decisions on how to best invest in cyber resilience.

Handling cyberattacks is a company-wide concern. Building an effective cybersecurity strategy and culture is an essential competitive differentiator and business enabler. Culture starts with leadership, and leadership starts at the top. Through immersive tabletop exercises, leaders will gain understanding and can start to create in their organizations a culture of cyberresilience.

This article was originally published on the World Economic Forum’s Agenda blog.


About the Authors

Michael Coden is head of the Cybersecurity practice at BCG Platinion, a company of The Boston Consulting Group. He advises clients that use digital technology on how to achieve the most cost-effective cyberresilience by integrating cybersecurity as a business enabler into their overall organizational strategy. Coden is also a cofounder and an associate director of MIT-(IC)3. You may contact him by e-mail at coden.michael@bcgplatinion.com.

Shoaib Yousuf is a project leader in BCG’s Sydney office. His BCG engagements, for diverse private- and public-sector organizations, include cybersecurity consulting on enabling transformation, building capabilities, and defining target state architecture and enterprise-wide governance. You may contact him by e-mail at yousuf.shoaib@bcg.com.

Alex “Sandy” Pentland directs the MIT Connection Science and Human Dynamics labs and previously helped create and direct the MIT Media Lab and the Media Lab Asia in India. He is one of the most-cited scientists in the world, and Forbes recently declared him one of “the world’s 7 most powerful data scientists.”

Stuart Madnick is the John Norris Maguire Professor of Information Technologies at the MIT Sloan School of Management and Professor of Engineering Systems at the MIT School of Engineering. He has been studying cybersecurity since the 1970s, when he wrote several journal articles and coauthored the book Computer Security: Problems and Solutions. He is a cofounder and the director of the MIT Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity, known as MIT-(IC)3, which focuses on the managerial, organizational, and strategic aspects of cybersecurity.

The Boston Consulting Group (BCG) is a global management consulting firm and the world’s leading advisor on business strategy. We partner with clients from the private, public, and not-for-profit sectors in all regions to identify their highest-value opportunities, address their most critical challenges, and transform their enterprises. Our customized approach combines deep insight into the dynamics of companies and markets with close collaboration at all levels of the client organization. This ensures that our clients achieve sustainable competitive advantage, build more capable organizations, and secure lasting results. Founded in 1963, BCG is a private company with 85 offices in 48 countries. For more information, please visit bcg.com.

© The Boston Consulting Group, Inc. 2016. All rights reserved.