The world is likely to suffer Internet failures in 2014 for reasons similar to those that put the global financial system at risk in 2008, including a nearly absolute dependence on an overly complex, interconnected system. Disruptions affecting the dependability of supply chains, contractors and subcontractors will gravely affect the construction industry, but there are solutions.
Zurich Insurance Group and the international think tank Atlantic Council released Risk Nexus: Beyond Data Breaches: Global Interconnections of Cyber Risk, which offers new risk-management-specific insights (including recommendations) on cyber risk, shocks and resilience. As the Internet increasingly connects with real life and permeates all facets of society, it can become a source of global shocks for which risk managers, corporate executives, board directors and government officials might not be prepared.
“To help protect the integrity and reliability of cyberspace and the bottom line for businesses, governments, the private sector and civil society must work closely together,” said Dan Riordan, CEO of Zurich Global Corporate North America. “We need a clear plan of what to do in the case of an event, both at the individual company level and also holistically, and hopefully this report becomes a catalyst for developing such a plan.”
Complex systems, unexpected risks
The Internet has proven to be incredibly resilient, due in large part to a stable technology platform and dedicated technicians who work behind the scenes to keep things running reliably. This has allowed the construction industry to increase efficiency and lower costs, making it possible to maximize profitability while deploying fewer resources. But this type of reliance exposes companies to significant risks that they tend to overlook; not just those posed by data breaches or theft of trade secrets, but larger global shocks.
Companies are rapidly connecting critical business functions and infrastructure systems to the Internet, making them dependent on humankind’s largest and most complex system, one that itself is very poorly understood.
Past Internet incidents and attacks have only disrupted ones and zeros, or things made of silicon. All these can be recreated or replaced with relative ease. Future cyber incidents will break things made of concrete and steel, as the Internet increasingly connects with real life. As the trend continues, “there is no separate ‘digital’ economy, only a single economy where even the mundane comes to depend on distant digital perfection,” in the words of Dan Geer, a noted Internet risk expert.
The Internet of tomorrow almost certainly will be less resilient, available and robust than today. Current cyber risk management ignores the risks arising from dependence on that “distant digital perfection,” aggregations of cyber risk that lie outside an organization’s internal servers and firewalls: counterparties, outsourcing or contractual partners, supply chains, upstream infrastructure, disruptive new technologies and external shocks.
Recommendations for the construction industry
Push out the risk horizon
Perhaps even more than other sectors, the construction industry is heavily dependent on a wide group of subcontractors, each of which can be disrupted by cyber incidents, with grave impact on already tight deadlines. Companies with more advanced risk management should extend their horizon beyond simply their own internal technology risks to include subcontractors and outsourcing agreements as well as upstream infrastructure. Each of these risks can be at least partially controlled through contracts, service-level agreements, or in-depth site visits and audits. For example, one financial institution implemented a complete vendor security management plan that reviewed every contract and outsourcing agreement to assess the impact of disruptions or data breaches.
Improve basic cyber security
Regardless of the size of an organization, a relatively small set of actions can protect against most cyber risks. The Council on Cybersecurity maintains a list of critical security controls that presents the most important set of actions that can be taken for cyber defense. Companies should especially rush to adopt the “First Five Quick Wins.”
Shift from protection to resilience
Unfortunately, a single set of principles will be insufficient. Organizations can no more “secure” themselves against these interconnected and complex cyber shocks than they can hope to forever stack sandbags to protect from the damage caused by more frequent and severe hurricanes. The main goal is for companies to be agile and resilient, and able to bounce back from disruptions through redundant systems and processes under the leadership of meaningful corporate governance.
Incident response, business continuity and exercises
Because not even the best companies can protect against the increasing frequency and severity of cyber attacks, companies should rely on response teams to quickly identify and respond to incidents affecting their own systems (or those of their subcontractors). Exercises and simple scenarios can help companies identify vulnerable parts of their supplier network and build “muscle memory” for responding to disruptions.
Board-level risk management
Some boards might lack knowledge about their information assets, the impact of disruption or loss, or which third parties have access to sensitive corporate data. Boards may hold executives to account and become smarter on cyber risks by taking a broader view of global interconnections, while continuing to focus on issues related to compliance and auditing.