Despite prior warnings that infectious disease pandemics presented a high-impact threat, COVID-19 seemed to catch governments and companies off guard. What other threats exist which the world can and should prepare for? Peter Groucutt says that top of the list is a global cyber attack – such as on a major cloud provider…
In November, AWS experienced an outage affecting a number of companies using its services, including Adobe, Roku and Glassdoor. The disruption lasted several hours, bringing to light not only our reliance on cloud, but also the risks to businesses when these services are no longer available.
For context, Infectious disease pandemics have been in the top ten of the World Economic Forum’s highest-impact risks since 2018. They have also appeared as one of the likeliest threats in the UK’s National Risk Register, and in regional Community Risk Registers. Despite this, prior to COVID-19, the majority of organizations didn’t have a plan for how to respond to a pandemic (66 percent according to my company’s recent Data Health Check survey). The reason we have Risk Registers is to identify the most significant threats to your organization – so you can plan and prepare for them. From a business continuity point of view, COVID-19 is a wake-up call to revisit those lists to see if anything else is being neglected.
A global cyber attack – like one affecting a major cloud provider – could have a huge impact. This pandemic has shown the greatest continuity challenge is when everyone is impacted at once. These crises affect not only your own operations but your customers and entire supply chain all at the same time.
We’ve not yet seen a successful cyber attack on a major cloud provider, but it is inevitable: the recent attack on SolarWinds is an example of how far-reaching an attack can be. The cloud computing market is an oligopoly owned by a few key players, namely AWS, Microsoft, and Google. These services are very well defended, but they’re also a target, and if they do get hit, the knock-on effect for all the companies hosted on them will be severe and long-lasting. If the breach is severe enough, the impact could affect businesses around the world – like a WannaCry but without the killswitch. So how do we take the lessons from the pandemic and apply them to preparations for a major cyber attack?
Firstly, diversify your supply chain. Make sure you’re not dependent on a single geographic area: a state-level attack could severely impact a single country, so having an alternate supply increases your resilience. At a minimum, be able to run your IT from multiple Availability Zones, Regions or consider going further and using a separate cloud provider as a backup.
More significantly, think about whether you could cope without IT for an extended period. This is something businesses that have suffered ransomware attacks have learned. Could your organization operate without IT for a month? What if the cyber attack in question affected a large number of businesses, or your customers and suppliers lost their IT too?
Technology has made businesses much more efficient by automating manual tasks. However, this has also meant we’ve lost a lot of the manual processes we used to revert to. We need to put some of these back in place in response to this threat. Manual alternatives – such as helping customers place orders when your website is down – will always be less efficient and more expensive, but they can keep you operating.
Business continuity and risk professionals can take one positive from 2020: when they speak now, the organization will listen. Let’s learn the lessons of the pandemic and make companies more resilient.
Peter Groucutt is managing director of Databarracks.