
EXPERT OPINION: The bigger they are, the harder we will all fall

Paul Watts, Distinguished Analyst, ISF
Published 25 July 2024
Topics: risk, technology, governance, people

“It’ll never happen to us.”

Most security and risk practitioners have faced this argument at some point in their careers: that security and business continuity manifest merely as a fear, uncertainty and doubt (FUD) ‘tax’ on business, grudgingly paid by organisations compelled to do so by box-ticking legal and regulatory pressures, rather than through any lingering concern that one day, perhaps, it could.

It can be argued that this position has been largely defeated, at least for now, due in part to some unavoidable real-world examples: the exponential increase of indiscriminate cyber crime such as ransomware, a proliferation of data breaches, and broader ‘black swan’ societal events such as the global pandemic being three of them.

Whilst there remains the odd dissenting voice, most now appreciate the reality of the situation; business disruption events could happen to any one of us, at any time. And the impact of these events is amplified by our increasing reliance on the interconnected technology and supply chains observed in modern business – hence the reality of the ‘Extinction Level Attack’; a phenomenon both feared and frequently discussed by ISF Members around the globe.

So, that’s great, right? Progress has been made. Let’s take the argument a step further.

What if it happened to many of us at the same time?

Until last week this scenario would have been considered by most to be largely preposterous. Such a Threat Horizon-style notion would have been met with eye-rolling and accusations of FUD-play from many. And on the face of it and without substantiation, I concede that such a reaction could have been considered justified.

However, it has been recently demonstrated that such a scenario is both real, and increasingly likely. Both in terms of frequency AND impact. And that has troubled the world. Greatly.

So, have we seemingly sleepwalked into this position overnight?

No. Not really.

Digital transformation now impacts every facet of modern life. Technology is anywhere, and everywhere. There isn’t an industry sector or community that it doesn’t touch. Society is increasingly reliant on interconnected technology, whether it wants to be or not. And despite a real concern from some that this pushes us into a rather dystopian future, the truth is that there is no coming back from this position.

But here’s the thing: technology can – and will – fail. What does that mean?

The reality is that we live in an increasingly interconnected digital world that we do not completely understand, nor truly control. In parallel, we have seen a marked consolidation of not only the critical components of the internet itself, but the technology companies that leverage it to serve the global market. We have been putting more and more of our eggs into a decreasing number of baskets, some of which we don’t even own, control or understand. And when one of those baskets breaks, the consequence is increasingly and inevitably more brutal.

The blast radius of the most recent interconnected business disruption event makes for grim reading. Affecting 8.5 million assets – less than one percent of the global Windows estate – it saw aviation grind to a halt, retail stopped in its tracks, manufacturing stagger, health and emergency services flounder, and money markets shriek in horror. For days.

What if this had been five percent? Or ten? Or more? What if this had been a malicious act rather than an unfortunate accident?

The fragility of the digital world we live in is now in sharp focus. Topics that have been speculated upon in ISF papers such as Threat Horizon as future uncertainties now feel a little bit more certain. For once, the FUD feels somewhat justified. Society is looking for answers, as are our boardrooms and regulators. Answers to questions such as “Could this happen again?”, “How can we predict it?”, “What would the impact be?”, “How can we better prepare?”, and of course, “Whose accountability is all this?”.

Whilst no one solution, or organisation, or entity, is the key to unlocking or controlling all of this, there are practical steps that organisations can and should be taking to better understand, better prepare, and more easily recover from such a future event.

Resiliency should be a key strategic objective of any organisation now. There can be no avoiding or sidestepping such an important topic anymore.

To do so could be putting organisations – and society – on the brink of negligence.

Over the coming weeks, the ISF will be demonstrating how its research and tooling can help Members to understand and improve their business’ resiliency, providing advice and guidance on how best to prepare for, and anticipate, future threats to their business operations such as the one observed recently.

Complementing this are our award-winning consultancy services, available to Members and non-Members alike, providing organisations with the help and support they need to translate technical insight into a clear business-focused delivery plan.