By Dr. Öykü Işık, Dr. Tawfik Jelassi and Valérie Keller-Birrer
The public sector’s many years of experience in fighting for cybersecurity offer unique insights that businesses can use to increase their resilience against cyber-attacks.
In May 2021, Belgium’s parliament, universities, and scientific institutions were the victims of a coordinated cyberattack, forcing the Federal Parliament to cancel committee meetings. More than 200 organizations were impacted, with significant disruption to operations. The internet service provider, Belnet, was able to react quickly, activating its crisis procedures and contacting the Center for Cybersecurity Belgium, so that the attack could be brought under control within a few days. Nevertheless, the threat actors were able to disable public service systems, forcing the government to shut down web services to Parliament, universities and some scientific institutes, with the result that citizens were unable to access the websites of certain administrations – such as the online services for coronavirus vaccination, among others [1]. This is just one of many examples of the cyber-attacks that both governments and private companies are increasingly facing, especially since the start of the Covid-19 pandemic.
The pandemic has accelerated the digital transformation of both the private and the public sector. Work-from-home has soared following the need for social distancing, while our vital infrastructure is progressively digitalized and sensitive data is stored online. While digitalization presents many advantages and opportunities for businesses, it also comes with increased risks, as both governments and businesses are increasingly vulnerable to cyber-attacks. The reasons for this surge include the growing attack surface created by digital transformation, as well as the growth of cyber extortion into a lucrative criminal industry. The number of cyber incidents has increased significantly: in 2020, 75% of organizations worldwide experienced phishing attacks [2]. The cost of cyber-attacks has skyrocketed as well: the ransomware attack against Colonial Pipeline, the largest fuel pipeline in the U.S., which led to fuel shortages across the U.S. East Coast, cost the company $4.4 million. Indeed, the average cost of a data breach increased to $3.86 million in 2020 [3], while global losses due to cybercrime are estimated to be as high as $6 trillion in 2021 [4].
It is not a matter of if, but a matter of when, an organization will be hacked, as former FBI director Robert S. Mueller once said [5]. The World Economic Forum (WEF) in 2021 recognized cyberattacks as the fourth biggest global risk, just behind infectious diseases, livelihood crises, and extreme weather events [6]. Government agencies are frequently a target of these attacks: in September 2020, the Norwegian parliament was the target of a significant cyber-attack which breached the email accounts of several elected members and staff. Between March and December 2020, several US agencies, including Homeland Security and the Department of Defense, together with dozens of private security and technology firms, were the target of a massive cyber-attack allegedly perpetrated by Russian groups. The data breach went undetected for months, resulting in significant theft of data, as well as costly months-long decontamination procedures. But cyber-attacks are not limited to government agencies; private businesses are a target as well. In the first quarter of 2021, the business world saw a surge in major cyber-attacks across sectors and countries: CNA Financial – one of the biggest cyber insurance firms in the US – airplane manufacturer Bombardier, computer maker Acer, and even Microsoft Exchange, to name just a few.
The growth in the number and intensity of threats, together with the rising cost of cybercrime, has led to a steady increase in cybersecurity investments across the globe: according to IDC, cybersecurity spending is expected to grow 8.1% annually and hit $174.7 billion by 2024 [7]. Yet cybersecurity is still a struggle for many organizations. Research conducted by the Portulans Institute shows that despite the high risks and stakes, only a few companies – mainly in the high-tech and finance sectors – are dedicating enough resources to reach a high level of cybersecurity maturity, while most companies retain a poor level of protection against cyber-attacks.
The public sector is often criticized for its lack of agility, and businesses do not necessarily turn to government institutions for digital best practices. Yet, as the Portulans Institute points out, governments are more concerned about cybersecurity than the private sector, especially in advanced economies. One reason is that the stakes are particularly high in the public sector: a breach of public-sector information might threaten national security as well as citizens’ trust. The public sector, dealing with highly sensitive data and matters of national security, has long made cybersecurity a priority, dedicating significant resources and developing best practices from which the private sector can largely benefit.
With this in mind, we studied several nations’ approaches to cyber-security, with a special interest in finding best practices from which the private sector can learn and reapply. We set the foundation by conducting desk research on cyber-security practices in both the public and the private sector. We then conducted interviews in five countries with selected high-ranking members of the public-sector cyber-security community and gathered their perspectives on governments’ best-in-class approaches as well as success criteria for fighting cyber-crime. We looked at best-in-class countries in terms of cyber-security, such as the USA, the UK and Singapore (ranked number 1, 2 and 6 respectively in the 2020 Global Cybersecurity Index from the ITU), Switzerland as the top country in the 2021 IMD World Competitiveness ranking, as well as Tunisia as a developing country. We also conducted interviews with more than 20 Chief Information Security Officers from organizations in different sectors. Our conclusions include relevant learnings from the public sector for preparation, response, and resilience against cyber-threats. Five lessons that emerge from our research can change businesses’ approach to cyber-security.
LESSON 1. BALANCING PROACTIVE VS. REACTIVE CYBERSECURITY
In the private sector, cybersecurity is still often seen as a ‘necessary evil’, strictly confined to the IT domain and treated as an element of risk. Nevertheless, most of the breach incidents in the last few years could have been prevented if only the company had been better prepared: incidents were caused either by an unpatched system despite the availability of the patch, or by a password stolen from an employee who fell victim to social engineering. In 2018, Marriott was the victim of a massive hack in which millions of sensitive customer records, such as credit card and passport numbers, were compromised. The company was largely unprepared for such an incident and waited 11 weeks to disclose the leak, a delay considered by many as unacceptable [8]. According to a recent survey by Proofpoint Inc., two-thirds of chief information security officers (CISOs) feel their companies are unprepared for a cyber-attack; most of these organizations only make proactive cyber-security investments following an unpleasant experience such as a breach [9].
Most governments seem to approach cybersecurity differently; cyber threats are taken very seriously as they are closely linked to national security. As a result, most governments put cybersecurity at the top of their priority list and allocate significant resources to cyber defenses – financial resources, better-skilled talent and superior infrastructure – in order to be proactive. The US government, for example, is believed to have budgeted $18.78 billion for cybersecurity in 2021 [10], while in 2020 Singapore set aside $1 billion over the following three years to enhance its cybersecurity capabilities [11].
The US and the UK, ranking #1 and #2 in the recent Global Cybersecurity Index (ITU), are considered best-in-class when it comes to cyber preparedness. What these two countries have in common is a strong commitment to making cybersecurity a top defense priority, combined with a clear cybersecurity agenda and a well-defined cybersecurity strategy. Following several high-profile cyber incidents, US President Biden issued an Executive Order in May 2021 to improve the Nation’s cybersecurity, emphasizing the need to heighten efforts and increase resources to defend against cyber-attacks. The UK is among the countries most committed to cybersecurity, and its government provided close to two billion pounds to support its National Cybersecurity Strategy launched in 2016. The strategy’s purpose was to make the UK “secure and resilient to cyber threats,” and it was built around three broad objectives: to defend, deter and develop. The National Cyber Security Centre (NCSC) was set up to help people manage cyber risk. As well as providing advice, the NCSC actively combats cybercrime: it responded to over 700 cyber incidents in 2020, up from 658 in 2019, and helped almost 1,200 organizations handle cyber-attacks in 2020 [12].
Israel is also often mentioned as one of the best-prepared countries when it comes to cybersecurity. The small country is not only successful at protecting itself against cyber-attacks; it also markets its services and expertise to other countries. The country has adopted a comprehensive cybersecurity strategy with a specific focus on developing cyber robustness, cyber resilience, and capacity. To reach its objectives, Israel has primarily focused on building human capital, dedicating significant resources to developing an outstanding education system. Cybersecurity education in Israel starts as early as middle school, and it is the only country in the world in which cybersecurity is offered as an elective in high school. Israel was also the first country in which one could receive a doctorate degree in cybersecurity. Additionally, several government-sponsored programs aim at finding promising youth and providing them with specialized training before and during their military service [13]. As a result, Israel has become a cybersecurity powerhouse in the industry.
LESSON 2. CREATING A DEDICATED CYBERSECURITY ENTITY WITH DIRECT LINK TO TOP MANAGEMENT
In the private sector, organizations seldom consider cybersecurity from a strategic point of view and often look at it as a mere technical issue of protecting IT systems. Consequently, companies rarely appoint a dedicated cybersecurity team. A survey from 2019 found that 38% of the Fortune 500 did not have a Chief Information Security Officer (CISO), and fewer than 4% of those that did listed the CISO on their company’s leadership pages [14].
At government level, a key success factor for effective cybersecurity is for the cybersecurity strategy to be executed by a dedicated agency. Most governments – 131 according to the ITU – have a special cybersecurity unit which coordinates the response at national level and takes the lead in the case of a major incident targeting critical infrastructure or any other government institution. That entity is responsible for cybersecurity and collaborates with all organizations within government.
Governance of governmental cybersecurity agencies differs greatly across countries, as each government has developed its own unique solution based on culture, needs, strategy and existing structure. In the US, the Cybersecurity and Infrastructure Security Agency sits under the Department of Homeland Security, reflecting the US government’s view of cyber-attacks as a key security threat to the country. In Switzerland, the National Cyber Security Center sits under the Department of Finance, giving the agency a neutral position and the ability to coordinate with all departments, thus avoiding a political statement about priorities. In Tunisia, the National Cybersecurity Agency reports directly to the Ministry of ICT (Information and Communication Technologies), in order to be close to the decision makers.
The same learning applies to the private sector: the location and reporting line of a dedicated cybersecurity unit will largely depend on the existing organizational structure and legacy, as well as on the company’s strategy and needs. No matter where in the organization the cybersecurity unit is located – in the finance department, the IT department, or as a stand-alone unit reporting directly to the CEO – the cybersecurity team is best positioned as close to top management as possible, ideally with a direct (or dotted) line to the CEO or to a senior executive. A direct link to the key decision makers is particularly crucial in the case of a cybersecurity incident, to allow for a timely and effective reaction. Delays due to lengthy hierarchy lines, lack of decision authority, or failure to coordinate quickly could have dire consequences. Yet McKinsey research has found that in most companies, cybersecurity professionals are at least two layers from the CEO in the corporate hierarchy, with few opportunities for direct discussion about protection issues and priorities [15].
Independent of the organizational solution they have chosen, governments with best-in-class cybersecurity have ensured that the agency has a direct link to either the Prime Minister or the President. In Singapore, the Cybersecurity Agency (CSA) reports directly to the Prime Minister’s Office, while administratively the Minister for Communication and Information is in charge. As the Assistant Chief Executive at Singapore’s National Cybersecurity Agency explains: “the birth parent is the Prime Minister office and the nanny – the minister who oversees us – is the Minister of Communication and Information”. This approach reflects Singapore’s position that cybersecurity is important enough to need the Prime Minister’s direct backing, while delegating day-to-day management to another ministry. In the US, the new Biden administration has sent a strong signal with the recently created position of the first National Cyber Director, reporting directly to the White House and advising the President of the United States. This makes it the highest-ranking cyber official ever within the US government.
LESSON 3. COLLABORATION & TRANSPARENCY
Cybercriminals are clever and fast, and many businesses do not have the resources to fend off increasingly complex attacks on their own. To gain true leadership in cybersecurity, it is in businesses’ best interest to share intelligence, best practices, and lessons among a network of trusted peers. Collaboration can take place within an industry as well as across industries, between private companies, government agencies and other organizations. Open collaboration allows all players to pool resources to fight increasingly complex and global cyber threats. This requires organizations to be more open in terms of data sharing and information exchange. While it is somewhat counterintuitive to collaborate with competitors, it is critical to effectively fighting cybercrime. The Belgian Cybersecurity Coalition (BCC) is a good example of such a collaboration initiative. The BCC is a partnership among academic, public, and private institutions in which more than 100 active members contribute to building a strong cybersecurity ecosystem at the national level. Facilitating learning networks, fostering information exchange, and implementing joint actions are among the missions of the BCC; the original initiative started as a collaboration among several organizations from the banking and telecommunications industries.
In a world where everything is connected, both governments and businesses must ensure they keep their security systems up to date. If one company is the victim of a cyberattack, other companies around it – suppliers, customers, partners – become vulnerable as well, and it is only a matter of time before others find themselves susceptible to the same attacks. According to the European Union Agency for Cybersecurity, supply chain attacks are on the rise. They represent an increasing concern, as the chain reaction triggered by one attack on a single supplier can compromise a whole network of providers [16]. The Swedish supermarket chain Coop, which was forced to temporarily close 500 stores due to a major cyber-attack, was not itself the target. Instead, the ransomware attack targeted a software supplier the supermarket chain uses indirectly, and from there the attackers reached the supermarket’s servers.
Government agencies are leading the way when it comes to establishing partnerships in cybersecurity, recognizing that high-level public-private collaboration is the best strategy to address the growing threats. Indeed, there is an interdependency between the public and the private sector, as national cybersecurity agencies depend on the private sector to voluntarily report cyber-attacks. Cybersecurity agencies then compile that information in order to share current and potential threats with all players. As the Swiss National Cybersecurity Center points out: “we cannot know what’s happening in the private sector, so the center is dependent on private companies reporting cyber-incidents on a voluntary basis”. The Swiss Reporting and Analysis Centre for Information Assurance (MELANI), active since 2005, is considered a success story: the public-private partnership is a hub for information sharing provided by the public sector, with the goal of sharing information with the private sector. Over the years, the center has built a relationship of trust between government authorities and the private sector, thus boosting information sharing and incident-response efficiency.
An example of a successful partnership between the public and the private sector is the way Singapore has addressed the cybersecurity talent shortage. As the public institutes of higher learning were not able to educate sufficient manpower in a short period of time – a full education takes a couple of years – the Singapore government initiated a collaboration with private companies, asking them to run an education program to train mid-career professionals from various fields such as product management, computer science, IT administration and computer management. This approach had the advantage of being much faster, as it took experienced talent and converted them into cybersecurity professionals. The government provided funding for the training program, while in return the company running the education program committed to training double the number of professionals it needed, releasing the excess manpower into the industry.
LESSON 4. MOVING TOWARDS DATA-CENTRIC CYBERSECURITY
In view of the increasing complexity of cyber-attacks, no matter how hard governments and private companies try to protect their systems and data, 100% protection is not possible: once a system is connected to the internet, no barrier will ensure full safety. Current cybersecurity measures – aimed at protecting networks and systems – are increasingly ineffective against sophisticated cyberattacks and are not able to stop cybercriminals from accessing high-value data. The situation has been exacerbated by the growth of remote access, particularly through home-office practices during the pandemic, as well as by the migration towards cloud-based infrastructure. The only way to ensure full protection would be to take core systems completely off the internet. In the US Defense Department and other US government agencies, but also in nuclear power plants and in the aviation industry, some highly sensitive networks or systems are totally isolated from the internet, thus ensuring the highest possible level of cybersecurity. Ultimate protection can be applied at national level as well: as an option to defend against cyber-attacks, the Russian Federation is considering the creation of a ‘domestic’ internet – a Russian internet called ‘RuNet’ – which would technically isolate the internet within Russia from the rest of the world, thus effectively protecting it from foreign attacks.
These are drastic measures that may come at the expense of usability. In an increasingly digitized world, protecting everything equally may not be realistic. In any given enterprise, some of the data, systems, and applications are more critical than others, while some are more exposed to threats and more likely to be targeted. A bank will want to protect financial transactions at all costs, while less protection is needed for its marketing material. A health care provider will first be concerned about its patients’ medical records and less about the accounting. According to Singapore’s National Cybersecurity Agency, “The right balance depends on the nature of the business, because, owing to the nature of the data, a bank will balance the tradeoff differently compared to a paper supplier”.
With limited resources, cybersecurity is a risk management effort. Thus, top management teams must prioritize defenses by identifying and protecting critically important data as part of an integrated strategy, assessing both the risk of data being compromised and its sensitivity. As suggested by the Portulans Institute, organizations need to identify what their core data is, knowing they cannot protect everything. Data-centric security is about applying encryption technology to protect data no matter where it is located or transported, without increasing complexity or undermining usability. Rather than only building layer upon layer of preventive technologies to protect systems, organizations should consider moving towards an “assume breach” mentality and a data-centric approach, focusing on protecting highly sensitive data.
LESSON 5. BUILDING THE HUMAN FIREWALLS
Countering cyber threats represents a growing challenge to our society, and one of the biggest weaknesses in digital defenses is the human factor. Employee behavior today represents the most targeted attack surface in organizations. Indeed, up to 95% of cybersecurity breaches are believed to be caused by human actions [17], whether through negligence or malicious intent. The cyber-attack against Colonial Pipeline is believed to be the result of a single compromised password: the hackers gained access to Colonial Pipeline’s networks using an account password that had been leaked on the dark web [18].
Most users are unaware of the consequences their casual behavior could have on cybersecurity. The pandemic has exacerbated the problem, with remote workers representing a perfect target for cybercriminals, while cloud service providers are increasingly vulnerable to breaches. With the human factor as the weakest link in cyber defenses, countering cyber threats will require a focus on people and behaviors, not just technology. While employees present a significant risk to corporations, they can also play a key role in helping protect the company they work for.
One approach government institutions have chosen is to educate the population about cybersecurity and the right preventive behavior through awareness-building and prevention campaigns. According to the Global Cyber Security Capacity Centre (GCSCC) in the UK, “One of Governments’ key success factors when it comes to cybersecurity is to focus on the human dimension: skills and education, mindset, usage, behavior, etc.” GCSCC aims to increase national cyber hygiene through initiatives such as Cybil, a publicly available portal created in partnership with the Global Forum on Cyber Expertise (GFCE), where members of the international cyber capacity-building community can find and share information to support the design and delivery of programs and projects. One example found on Cybil is Ukraine’s new cyber hygiene project, launched in September 2021, which aims to build cyber awareness among employees of state institutions.
In the US, the Cybersecurity & Infrastructure Security Agency (CISA) runs an annual “Cybersecurity Awareness Month” campaign, a collaborative effort between government and industry to raise awareness about the importance of cybersecurity across the country. Resources include blog posts, short videos, and various cybersecurity events hosted by agencies. Among other things, CISA provides a toolkit, available in six languages, which includes a wealth of resources – sample emails to stakeholders and staff, sample social media posts, engagement ideas, tips to share during Cybersecurity Awareness Month, etc. – which organizations of any size or industry can use to promote cybersecurity awareness.
The best education campaigns have translated cybersecurity issues into simple stories that are easy to understand and remember for people who are not tech-savvy. While cybersecurity is not a simple topic, boiling the issues down into simple key messages has been most impactful. The best efforts include initiatives that create stories translating a specific issue into something easily understood by anybody, including children. For instance, one idea being considered in the US to generate cybersecurity awareness among the American population with simple, easy-to-understand messages is to revive the Schoolhouse Rock campaign – a US education program featuring animated musical educational short films. The cartoon initially playfully educated American children on math, grammar and science, and later on how government works. The project is still being discussed.
The Cyber Readiness Institute in the US developed a series of guidelines and tips for small businesses during the pandemic, focusing on cybersecurity for remote or hybrid work. The online materials and programs are free and designed specifically to help small and medium-sized enterprises, which are particularly vulnerable to cyber risks. The goal of such an education program should go beyond information sharing and education on the right procedures. Instead, it should aim at a culture change which would significantly reduce the risk of negligence or malicious behavior, putting the company in a preventive rather than reactive position.
CONCLUSION
No organization, public or private, is fully prepared for a cyberattack. With crime groups and nation-state actors getting more professional by the day, an ‘assume breach’ mentality may provide the right mindset and shift the leadership focus to the much-needed strategic alignment between cybersecurity teams and the rest of the business. The above lessons illustrate several proactive cybersecurity initiatives, such as early talent development, transparency and data-centric security practices, which are actively applied by some of the top-performing government agencies. For institutions with such broad reach and impact, one reason behind this could be that they never lose the bird’s-eye view.
One of the unintended consequences of digital transformation today is organizations’ divided attention across multiple digital fronts. This seems to have caused cybersecurity to be deprioritized and organizations to fall into a reactive mindset on cybersecurity. What these organizations can learn from successful government institutions is the importance of building proactive defense mechanisms and establishing a crisis plan in case of a cybersecurity incident. If a competent hacker really wants to get into a company, they will find a way, and the impact of the attack on the company will depend on the way the incident is handled. Take Travelex, for instance. After experiencing a breach due to an unpatched vulnerability, Travelex struggled with transparency and proper communication. By the end of the incident, it had taken almost two months for Travelex to bring all its systems back up, and its owner group, Finablr, took a big hit as its share price tumbled by nearly 80%. The reputational damage caused by mishandled cybersecurity incidents may be much higher than the clean-up cost they require.
As organizations speed up their digital transformation initiatives, cybersecurity should have a place at the senior management table. Only through collaboration and proactivity can cybersecurity become the strategic partner it needs to be for sustainable digital initiatives.
About the Authors
Dr. Öykü Işık, Professor of Digital Strategy and Cybersecurity, is an expert on digital resilience and the ways in which disruptive technologies challenge our society and organizations. Named on the Thinkers50 Radar 2022 list of up-and-coming global thought leaders, she helps businesses to tackle cybersecurity, data privacy, and digital ethics challenges, and enables CEOs and other executives to understand these issues, which she believes are too important to be left to technical specialists alone.
Dr. Tawfik Jelassi is Professor of Strategy and Technology Management at IMD. Since 2016 he has been Co-Director of the Orchestrating Winning Performance (OWP) program in Lausanne and Singapore/Dubai, which is IMD’s largest executive education program with over 600 participants enrolled per year. His major research, teaching and consulting interests are in the areas of digital business transformation and leadership in turbulent times. He has received several excellence awards in Europe and the USA for his teaching and research, and the President of Tunisia awarded him two national decorations: “The Order of Merit in the fields of education and science” and “The Order of the Republic”.
Valérie Keller-Birrer is a research analyst and market research consultant with more than 20 years’ experience in market research and 10 years as a research associate for IMD International. She started her career at Procter & Gamble as a market research manager in Switzerland, then in Germany, leading global quantitative and qualitative research projects. She spent 10 years living abroad in Mexico, Chile and Italy, which gave her a strong international perspective and sensitivity to cultural differences. She has broad expertise in quantitative and qualitative methods for consumer goods and services.
References
1. https://www.euronews.com/2021/05/05/belgium-s-parliament-and-universities-hit-by-cyber-attack
2. https://www.tessian.com/blog/phishing-statistics-2020/
3. ProofPoint
4. International Telecommunication Union (ITU). Global Cybersecurity Index 2020
5. https://archives.fbi.gov/archives/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terrorists-hackers-and-spies
6. WEF’s Global Risks Report 2021
7. https://hbr.org/sponsored/2021/01/how-to-make-cybersecurity-a-top-priority-for-boards-and-cfos
8. https://hbr.org/2019/03/the-marriott-breach-shows-just-how-inadequate-cyber-risk-disclosures-are
9. https://www.globenewswire.com/en/news-release/2021/05/12/2228131/35374/en/Proofpoint-s-Voice-of-the-CISO-2021-Report-Reveals-Two-Thirds-of-Global-CISOs-Feel-Unprepared-to-Cope-with-a-Cyberattack.html
10. https://www.hstoday.us/subject-matter-areas/cybersecurity/u-s-government-to-spend-over-18-billion-on-cybersecurity/
11. https://www.straitstimes.com/singapore/singapore-budget-2020-1b-over-next-3-years-to-shore-up-cyber-and-data-security
12. https://www.cybsafe.com/community/blog/how-successful-was-the-uks-national-cyber-security-strategy-ncss-2016-2021/
13. https://www.forbes.com/sites/gilpress/2017/07/18/6-reasons-israel-became-a-cybersecurity-powerhouse-leading-the-82-billion-industry/?sh=2440dd78420a
14. https://www.helpnetsecurity.com/2019/10/01/fortune-500-ciso/
15. https://www.mckinsey.com/~/media/McKinsey/McKinsey%20Solutions/Cyber%20Solutions/Perspectives%20on%20transforming%20cybersecurity/Transforming%20cybersecurity_March2019.ashx
16. https://www.enisa.europa.eu/news/enisa-news/understanding-the-increase-in-supply-chain-security-attacks
17. https://www.varonis.com/blog/cybersecurity-statistics/
18. https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password