The Harvard Business Review recently ran a (fictional) case study suggesting that cybersecurity challenges might be met by taking mission-critical systems off-line. In fact, the lead article in a special section entitled “The End of Cybersecurity” did more than simply suggesting this, it called, in bold terms, for an end to the concept that cybersecurity could protect organizations all the time.
For decades now, businesses have been focused on repeating the considerable benefits of the digital world. Technology news and innovative products have been nearly synonymous with the future.
Organizations have innovated both products and services by moving to the digital realm. They have streamlined operations, increased revenues, and cut costs. Consumers, both business-to-business and people on the street, have embraced digital products and digital methods.
Systemic Insecurity Is a Fact
But the online world is simply increasingly hard to protect. In fact, it’s impossible to protect fully.
Mind you, the HBR didn’t call for a complete end to cybersecurity measures — far from it. It pointed out that cybersecurity is successful in thwarting targeted attacks 87% of the time. (HBR defines “targeted attacks” as those intended to get information or resources meaningful to the attackers. In other words, not nuisance spam or phishing scams.)
Although thwarting is successful, the fact is that the number of successful breaches (targeted attacks that get through cyber defenses) is on the rise. Most saliently, even one successful attack can disrupt and potentially cripple an organization. In the worst case scenario, attacks can cause organizations to fail.
Say cybercriminals breach the defenses of the U.S. military, or steal major assets from a bank, or disrupt a utility’s ability to supply water or power. Depending on the nature and reach of the attack, effects could range from disruption to catastrophe.
In addition, ongoing cybersecurity measures are costing U.S. companies an increasing amount of money. Costs totaled $11.7 million in 2017, up 62% from 2013 levels.
The threat of insufficient cybersecurity has grown due to two major factors. The first is the growing number of sophisticated attackers. Some attackers are nation states. Others are terrorist groups. Some are large criminal rings, not unlike urban criminal organizations responsible for physical crimes.
The second is the Internet of Things (IoT). While the IoT has been hailed as beneficial for businesses and consumers, and its benefits are clear to see, IoT technology has also meant that cybercriminals can now disrupt or cause a catastrophe to entire networks. In other words, the effects are not simply organization-wide, they are network wide.
One solution might be taking mission-critical online systems off-line.
Given the nature and extent of potential problems, the solutions are likely to be multiple and ongoing.
Some are likely to be oriented toward taking mission-critical systems in any organization off-line. In some instances, solutions may include a move away from digital methods and networks. This is a business strategy measure akin to war measures: protect the resources from a determined and sophisticated set of enemies.
Others are likely to be offensive measures. Rather than using cybersecurity and other measures defensively, organizations may begin taking the war to the cyberhackers.
Still, other solutions are likely to combine cybersecurity and physical security strategies. Cybersecurity is not going away. But, in a stunning reversal, the online world may no longer be the only world of the future.