Firewalls are never enough

By Pankaj Thareja

Greater connectivity heightens businesses' vulnerability to attacks for financial gain, data theft, or industrial sabotage.

It's the title of your very own James Bond cyber security drama - but be careful. Your firewall could end up being the villain if you rely on technology alone. Like all great edge-of-your-seat thrillers, it’s who controls the technology and its intended use that matters most. As in the movies, the actors and the scripts they follow are the essential elements in combating cyber risk and maintaining business resilience.

Problems emerge when too much trust is placed solely in technology. Too often the conversations we have around cyber security fixate on the systems you need or the reputational damage that ensues for companies on the wrong end of a data breach. As it turns out, the story is more complex, with plot twists and cliffhangers to contend with. 

The digitalisation of our economies has seen greater connectivity than ever before between information technology (IT) and the operational technology (OT) systems that run a company’s industrial equipment and processes. We've evolved from Sean Connery to Daniel Craig, in more ways than one.

It’s one of the great blockbuster technology stories of our times. But while connecting IT and OT systems has created significant leaps in improved operational efficiency and productivity, real-time monitoring and data-driven decisions, it also exposes what were once closed and secure OT networks to the risk of a catastrophic cyber attack, sparking near-term bottom-line impact and longer-term reputation damage. 

The need for greater connectivity has left businesses more vulnerable to attacks for financial gain, data theft or industrial sabotage. This also increases the risk of significant physical damage and disruption to critical services. In the recent past, attacks on OT systems have hit major defence and automotive manufacturers in India, muddled the travel plans of thousands of travellers in Vietnam, and disrupted major port systems and loading schedules in Japan.

The trust in technology has left many organisations without an effective response plan in place to identify, manage and ultimately recover from a cyber attack without suffering material business impact. 

For some organisations, that might mean the absence of a comprehensive approach to vendor management, where vendors may inadvertently have access to sensitive information and systems they shouldn’t, or where malware-infected devices intentionally or unintentionally may spread malware when connected, impacting a sensitive production environment.

For others, under-preparedness might mean having no clear action plan in place to deal with a cyber incident, such as a compromised firewall, unusual network traffic, system errors or anomalies or other indicators of compromise.

More concerning, some companies do not have an incident response plan in place for quick activation, which leaves them unprepared for cyber incidents. Without a clear action plan, a cyber incident can lead to serious disruptions to critical systems, physical damage to equipment and theft of sensitive data. No need for a Bond villain here, as these are akin to an inside job.

In our experience, too many companies first need to suffer a cyber-attack before they make significant enhancements to their processes. It’s more important now than ever before to get enhanced detection systems in place, because with the use of AI along with the usual cyber weapons, cybercrime is growing in frequency and sophistication.

AI is a powerful tool that offers numerous benefits, yet it also presents challenges as hackers become more sophisticated. According to the World Economic Forum, cybercrime costs are set to rise dramatically from $8.4t in 2022 to over $23t in 2027, based on data from the FBI and IMF. Asia-Pacific is particularly vulnerable, having experienced a significant surge in cyber-attacks. Check Point Research reports that during the first quarter of 2023, the region saw the highest increase in weekly cyber-attacks compared to the rest of the world, with an average of 1,835 attacks per organisation.

Focusing on the essential connection between people, processes and technology to effectively combat cybercrime and build and maintain business resilience has never been more important. Businesses need to be aware that despite the efforts of the MI6s of the world, some self-defence is a must.

The first step is better awareness of the safety requirements needed to protect OT systems. Many businesses are simply unaware or unable to identify the potential gaps in their defence strategies. 

Risk can stem from a lack of management of the OT system itself, which is often a resourcing issue. Some businesses lack internal resources to manage security, while others outsource the responsibility and have no real understanding of how well they are protected. 

Another important step is to assess and identify exposures, particularly when it comes to industrial control systems and information security assessments. FM Global research and our own experience tell us that most cyberattacks target the corporate network as a gateway to critical OT systems.

Having policies in place to manage passwords and hardware acquisitions as well as a consistent understanding of the elements of your security system is another important element.

For a company to be resilient against cyber attacks, it doesn’t need clever gadgets from Q, but simply a detailed understanding of the potential risks and scale of damages. 

The most successful businesses will be the ones that match digital investment with strong risk mitigation measures across their entire business operations and prevail against the ever-increasing odds of a cyber attack. 

Mitigation. Risk mitigation.

