NASHVILLE, Tenn.–All of those zeros and ones can add up to some real dollars and cents, especially when it comes to cyber incidents, but the biggest costs often don’t come from just a ransom that must be paid or from lost revenue, according to one speaker here.
Speaking to the Edge Conference here sponsored by Trellance and Filene, Mark Sangster, VP, chief of strategy with Adlumin, urged credit unions to think about “risk in a new way,” including the implications of all the related decision-making after an incident has occurred.
The issues, he said, go beyond just accountability for the system engineers who may have made a mistake or not patched a vulnerability and include obligations to employees, members and the community.
The Pyramid
“You have to put all of those things together when it comes to cyber security; you can't fixate on the top of that pyramid,” he said, referring to the graphic at right (all of Sangster’s presentation graphics were created using generative AI). “In fact, you should put (adversaries) down at the bottom here. Yes, the bad guys are trying to steal information, conduct fraudulent transfers and shut you down with ransomware, but they're going to take advantage of the technology…They're going to find vulnerabilities and exposures they can exploit, and they’re good at exploiting accountability. They now know who you report to. They can even quote various regulations about your obligations. So, if you’re not going to pay them, they can say, ‘Well, we're going to report you ourselves.’ We're seeing a lot of that kind of double extortion.”
What It’s Really About
Cybercrime, said Sangster, is not an IT problem to solve, “it is a business risk to manage. There is far more at stake than buying some tool for cybersecurity.”
But there is a management piece, the components of which, he said, include:
- Awareness: Understand the impact of cyber risks and trends
- Risk: Identify protected assets and obligations
- Program: Establish budget, staffing and prioritized programs
- Reporting: Dashboards, periodic reporting and value proofing
- Incidents: Incident response planning, teams and testing
“I have heard over and over again from people who have been hit by cybercrime that ‘You have to self-manage cybercrime. You’re on your own.’ You have to deal with it on your own, while also having six armchair quarterbacks telling you what to do. You have competing interests all bearing down on you, telling you what to do or wanting an answer.”
While it can feel easier to pay a ransom than to lose revenue, Sangster advised, “You can either negotiate as a victim or negotiate as a business person. I think that’s huge. We become emotional in these moments. You are going to have to make the tough decisions in moments like this. It’s not the IT people. Focus on the business. Make more money than they took. You can’t do that until you get back up and running. So, it’s important not to take your foot off the gas.”
Understanding VUCA
Sangster shared the abbreviation “VUCA” to describe cybercrime incidents, which stands for volatility, uncertainty, chaos and ambiguity.
Organizations, he said, must understand how they are going to deal with all of that while at the same time people are looking to leaders for answers.
“There is the ambiguity that comes in not knowing what the right answer is,” he said. “Some of this is in our control and some is not, so it’s good to prepare. There are so many decisions in this that are not technical decisions, they are dollars and cents.”
A key question to have already answered ahead of time, Sangster advised, is who is going to be the public face of the credit union during a data incident.
Advice From The Bunker
Sangster shared the advice of Bob Darling, who formerly oversaw information security at the White House and who is author of the book “24 Hours Inside the President’s Bunker.”
Darling’s advice:
- Understand your role.
- Gather the right people. “The smart people always gather smarter people around them. You shouldn’t be the smartest person in the room.”
- Understand their expectations.
- Listen to your team of experts. “You’ve hired them for a reason. Make sure they are there and you are taking all that information and assimilating that.”
- Provide the what, not the how. “When you’re dealing with this as a leader, you don’t have to tell IT what to write on the whiteboard or how to shut down a system, because you don’t know. But you want to clearly and concisely describe what you want done. It’s a team effort.”
