Organizational Resiliency & Disruptive Event Response Capability Review
Organizational resiliency is focused on ensuring that core business functions continue to be available during a disruptive event. There are no indicators that the frequency or sophistication of the disruptive events that continually test the resiliency of our organizations is expected to diminish. The only factor associated with disruptive or destructive events that any group can seek to influence is the potential impact. A resilient organization is capable of adequately responding to a wide range of anticipated events and agile enough to effectively mitigate the impact of unanticipated events. As our organizations and their stakeholders become more interconnected, our attack surfaces and the number of threat vectors increase.
Physical, political, factional, and socio-economic threats to national security-relevant industries have been around for centuries but remain a real concern, as seen in the recent bombing of the refineries in Saudi Arabia using autonomous and unmanned drones delivering explosive payloads. New, more sophisticated attack vectors have emerged that cross even more boundaries (aka cyber hybrid warfare). This new category of disruptive events was demonstrated in Iran with Stuxnet. Foreign intelligence sources were able to use maliciously modified software code to effectively impact the operation of centrifuges used to manufacture weapons-grade nuclear material. NotPetya was malware that was initially used to compromise a small software firm in Ukraine called the Likos Group, which ultimately provided access to its clients’ computers, including those of utility companies, banks, airports and government agencies. It provided the foothold for follow-on attacks on the country’s utility infrastructure using malicious code to manipulate the interfaces between command and control devices and the electrical grid’s physical infrastructure using cyber warfare techniques. In the US, there is frequently a dangerous tendency to infer that distance, and the absence of specific intelligence suggesting a firm is being targeted by a similar attack or bad actors, somehow implies reduced risk to our own organizations. The fact that a small private firm was used as the beachhead for this attack was no accident. It should serve as the proverbial ‘canary in the coal mine’ for other small firms that are seen as weak links in digital supply chains. The same malware used to compromise the small Ukrainian firm, Likos Group, was later repurposed and used to cripple large multi-national organizations such as Danish shipping giant Maersk, logistics juggernaut FedEx and pharma company Merck, among others. Industry estimates put the clean-up for NotPetya in excess of $10B.
With threats and impacts as dramatic as those mentioned above, every organization should dust off a copy of Sun Tzu’s Art of War and verify that its Continuity of Operations (CoOP) plan is current, tested, and ready to support the strategic goals of the organization even during a disruptive event. Building on other aspects of the readiness portion of our analysis techniques, Risk Neutral works with organizations to make sure their critical business processes, infrastructure, supply chain, and resiliency plans are up to meeting modern challenges and sophisticated threats. Two of our favorite lessons from Sun Tzu as they relate to this type of analysis are:
‘Every battle is won or lost before it is ever fought,’ because it reinforces the importance of preparation and of being aware of and well informed about the capabilities and motivations of the bad actors and the threats they represent to your organization.
‘Know yourself, and you will win all battles,’ because it reinforces the importance of ‘practicing as you play’ so that responding to disruptive events becomes a strategic organizational capability, not a once-a-year, paper-tiger, check-the-box exercise.
As senior leadership advisors, we work to make board-level tabletop exercises, third-party penetration testing, purple team simulations, and cross-functional response team training as realistic as possible. These activities will raise the risk, cyber, and physical asset protection IQ of your leadership team and key stakeholders. They will also increase the level of confidence in your team’s ability to meet the demands of advanced persistent threats (APTs) and deliberate campaigns by highly skilled, well-funded bad actors.