Partner Content

Cyber Attacks: Play the game, not the occasion

Is there such a thing as too many defensive measures when it comes to cyber security? Could an attack, no matter how sophisticated the defence, still break through? In some ways it is a bit like managing a team in sport; the opposition may be difficult, there is a balance between defence and attack, and at the end of the day the board will have a view of the return on their investment.

Leading cyber security professionals are clear: nation state attacks can be of such scale and sophistication that it is inevitable that sometimes one will beat the defences of even the most sophisticated outfits.

Avoiding cybersecurity relegation

In some ways it is a bit like managing a team in sport. The opposition may be difficult, there is a balance between defence and attack, and the board will want to know what the money has been spent on.

When it comes to cyberattacks, we often hear language focused on shifting blame or claiming there was nothing to be done to prevent them. A distant echo of the common sports excuse: the opponent was ‘unstoppable’ or ‘unplayable’.

In any field, retracing the sequence of events after an incident can reveal an action or inaction that can be identified as a mistake.

To continue the football metaphor, a pundit recently criticised Liverpool during a Premier League game for giving an opposition forward too much space. Later, he accused the team of marking the other side too closely. In the same way, a business risks cyber security breaches through inaction, and then risks being pilloried by other parties for doing too much. It’s a delicate balance.

Parking the bus

We must consider the competing demands of the business. Repeatedly, more forthright insureds explain that they can never make their businesses 100% secure. There is a trade-off between enabling the business to trade and cyber security.

Making their cyber posture impregnable at the expense of everything else would be simpler. But that is not feasible – businesses need to operate. So, the trade-off will always exist between making systems functional for employees and customers, and making them secure.

If football teams focused completely on defending, there would never be any goals. If businesses took the same approach to their activities, it could affect their ability to conduct business. The fact that they need to do both at the same time is what makes it such a challenge, perhaps one that is unlikely to disappear soon.

The scale and intensity of nation state attacks would seem analogous to playing against the current English Premier League champions, Manchester City. They are a highly professionalised and well-drilled opposition packed with such skill, intensity and hostility that you have to be constantly on your guard in order not to be overcome.

With this persistent pressure, it’s inevitable that the strain will tell, and a mistake may occur. The key here is for the team to remain calm and not let a mistake become a crisis. This seems to be a significant focus for leading companies; conceding the first goal must not lead to a rout. This is key to reducing the severity of cyberattacks that are not stopped.

Talent management

Finally, just as most coaches have limits on their budget for talent, companies can only commit so much of their spend to cyber security versus other areas of the business.

Every department will always want additional resources to aid its task. To quote Jose Mourinho, two-time Champions League-winning head coach: “No eggs – no omelettes! It depends on the quality of the eggs. Some give you better omelettes. So, when the class one eggs are in Waitrose and you cannot go there, you have a problem.”

The question is, will companies invest in top class security or cut back and risk relegation, as well as the accompanying threat to their survival?

Don’t blame the ref

Every company will draw the line differently. It will no doubt ebb and flow with the cyber security environment and the state of the economy. Preventing and minimising the impact of nation state attacks and behaving responsibly is vital.

Nothing will improve while the stock response to these events continues to be the equivalent of blaming the referee or the state of the pitch.

 
