Just like the finance sector before 2008, there is too much focus on cyber risk at individual organizations and too little on the stability and resilience of the system as a whole. To address this, Zurich Insurance and the Atlantic Council, who discussed this very issue at the RIMS 2014 Conference in Denver this month, recommend the following steps to make the Internet less prone to systemic shocks.
11 Tips for Governments and Organizations with Systemic Responsibilities
- Expand risk management to third-party providers and partners: Looking outside your own four walls for cyber security is costly and challenging, but doing so addresses many of the places where cyber risk aggregates.
- Restore trust: International trust is eroding. The United States and Europe, along with other nations, need to restore confidence in each other and present a united front on Internet governance.
- Pursue a private-sector-centric strategy: Governments must recognize their limited role in managing cyber risk. They cannot scale as easily as the private sector, and they lack its agility and subject matter expertise.
Work at scale to give defenders the advantage over attackers: For decades, it has been easier to attack than to defend on the Internet. But, to master cyber security, we need to make defending easier than attacking.
- Fund non-state groups: Groups already working to reduce the frequency and intensity of attacks, such as the Forum of Incident Response and Security Teams (FIRST) and Spamhaus, stop and respond to attacks every day, yet according to the report they are usually under-funded and lack permanent staff. Funding them would reduce attacks, and these same groups should also be put in charge of policing best practices.
- Better filtering of attacks: Major providers should block obvious attacks entering, leaving, or crossing within their networks. This is a no-brainer.
Borrow ideas from finance-sector governance: Banking and finance is the other critical infrastructure sector with strong, active global governance for dealing with fast-moving crises.
- Improve system-wide incident response: Create a playbook for “what if” situations.
- Recognize important global Internet organizations: Giving these organizations a bigger voice in the system would improve governance. Creating a "Cyber Stability Board," with representatives from several nations, could bolster Internet governance and establish a clear line of accountability for creating and protecting security standards.
- Address "Too Big to Fail": Consider what would happen if an Internet provider had a "Lehman moment": there with everyone's data on Friday and gone on Monday. This is also a good opportunity to introduce stress tests to see how companies would perform under various crisis scenarios.
Work towards building a sustainable cyberspace: Global stakeholders should work towards making cyberspace sustainable over decades.
- Tie goals for a sustainable Internet to development goals: Nations could agree on a basic promise, such as “clean food, clean water, clean Internet” to bring together thinking on development and security.
- Tie goals to measurement: Just as we strive to keep pollution to a minimum, a nation could strive to have the fewest infected computers. This kind of change in mindset could open the way to new solutions.
- Use sustainability goals for smarter governance and incentives: Instead of a brute-force regulation to enforce standards, companies could be taxed for any attack above a certain level or even use a trading scheme so the cleanest companies might profit from good practices.
Looking for tips to protect your own business? Read 12 Ways to Help Protect Your Business from Getting Hacked.