HNWs can't expect our lax governments to protect them from cyber crime and other cyber threats, warns Robert Amsterdam
The recent worldwide malware attack, known as ‘WannaCry’, was regarded by many as a seminal event in the age of cyber threats. The virus, which encrypts a computer’s files and demands payment to unlock them, spread to almost 250,000 computers in 150 countries. The attack fostered critical emergencies across a range of organisations, including the NHS, companies such as FedEx, Telefónica, and Hitachi, and even the Russian government.
This was neither the most sophisticated nor the most damaging act of cyber crime in recent years, but it focused the world’s attention on the massive threat we are facing. While the threat of mass cyber attacks has long been a concern for both government and enterprise, WannaCry was a stark reminder that these attacks can actually threaten human lives.
In a desperate search for a response, many are dismayed to see the deplorable lack of preparedness on behalf of governments. Unlike the recent spate of election hacking cases,
or even terrorist atrocities committed by extremist groups, cyber risk is both rootless and stateless, pertaining to no known organisation, making any policy response notoriously difficult. Offensive options are not available, leaving only risk mitigation and long-term resilience measures, which governments appear unwilling or incapable of developing.
This means that it is just us, as private citizens, business persons, and members of organisations, to undertake the necessary strategy to keep hackers and cyber criminals at
bay. What should be the responsibility of our governments has fallen on to our shoulders, requiring our own investment of time and resources into crisis management planning – for organisations both large and small.
The first steps toward personal risk management are straightforward: invest in your infrastructure, pay attention to ensure all software is regularly updated, and reduce the risk of complacency by automating many processes, such as file backups and password changes. But this alone is not sufficient to plan for crisis.
Businesses and HNWs should carefully consider establishing designated crisis management teams in order to anticipate and navigate these kinds problems as they arise.
These teams are ideally small, multi-disciplinary, and experienced in both ex-ante and ex-post risk management situations, and with sufficient funding and decisionmaking authority in order to make and implement decisions within
hours rather than weeks. This will ensure more effective responses, while also adding value to the decisionmaking system and business model.
I’ve worked with a number of international clients whose businesses have been exposed to a vast range of crises, from natural disasters to terrorism, politically motivated
attacks, and cyber security breaches. It is clear that the root cause is most often people and process, rather than technological deficiencies.
A number of lessons can be drawn from these examples. Firstly, managers and decision-makers who have incomplete and inaccurate information are prone to set in motion an uncoordinated chain of actions which makes the crisis much worse. Secondly, when crisis hits, many executives are overly eager to act quickly and ‘boldly’, often without proper consultation or scenario simulations, leading to more damage. And thirdly, experience shows that organisations which find themselves in the worst crisis situations almost
always lack a culture of risk management, and had almost always failed to perform a proper exposure and vulnerability assessment.
A company or a country needs to invest early on in prevention, preparedness and emergency response. They must promote an internal culture and mindset around
risk mitigation, focusing on being proactive rather than reactive, and use risk management to drive competitive advantage, reduce damage and loss, and sustain future
profitability and growth.
Two conclusions from the WannaCry attack are very clear: first, we are profoundly unprepared and exposed, and second, this will not be the last, nor the worst, mass cyber
attack to strike the international community indiscriminately. When it happens next, we should at least be able to have a plan in place to minimise the damage.
Robert Amsterdam is the founding partner of the international law firm Amsterdam & Partners LLP and a longstanding Spear's columnist