“Prevention and preparedness” – global leaders discuss cyber-risk


Global Leadership Forum (GLF) Summit delegates concluded the first day of the summit with a discussion of cyber security, led by Advisory Board members, Aurecon CEO Bill Cox and Geneva Airport CEO André Schneider.

Infrastructure has become one of the primary areas of focus for bad actors involved in cyber-attacks. Some groups act geopolitically, while others act criminally with their focus on money, but both groups need a strong response from the infrastructure industry.

Delegates noted that large numbers of people and companies have now experienced some form of cyber-attack and, while these vary in target and impact, the implications for society are huge if infrastructure fails to prepare and prevent.

Embedded systems are extensive and diverse in infrastructure and represent a very different and highly challenging cyber risk profile, well beyond the conventional risk associated with IT systems. And while these might seem innocuous, managing functions such as environmental controls, they are each a potential access point that can be used to disrupt and even shut down infrastructure.

Industry leaders used the summit to share some of their experiences from around the world. This included examples of attacks that had, or had almost, been successful. That led to an agreement that the days of cyber risk being treated as an IT issue were over – it was a business-critical matter with implications for productivity and safety.

Prevention

Summit delegates recognised that this was very much a human issue. Technology can play its part but the vast majority of cyber breaches begin through a human interface – such as clicking on an email attachment. As a result, there was agreement that it had to be made as easy as possible for people to abide by best practices, with training and ongoing reminders throughout.

Some delegates highlighted opportunities to help people with that by having a friendly penetration agent replicate cyber-attack practices. This could result in staff occasionally receiving a note from the specialists who do it, telling them when they had been faux-hacked, which in turn should lead to people being far more aware and improving over time.

Looking to the wider market implications of cyber risk, delegates noted a disconnect between clients and suppliers despite growing focus from both. Clients and suppliers each seemed to hold a strong view of the importance of cyber risk, but this had not always been apparent to the other in procurement and bids. There was also a concern that clear standards don’t exist to help inform everyone about each other’s capabilities, or set out how to test those capabilities.

Preparedness

While good practices can help minimise cyber risk, there was a strong view that 100% safety was unlikely to be achieved by anyone. As a result, it was agreed that a focus on response and resilience mattered as much as prevention. Companies needed to assess, for example, how many months of payroll they could cover without any revenue if their systems had been compromised and would take time to re-secure.

At the same time, delegates noted that preparedness was about communication too. Clients, governments and media were an important part of every company’s response to cyber attacks. The right response and openness about an attack can help to negate some of the worst reputational impact by ensuring good information is provided proactively.

That preparedness also had to include table-top planning, stress-testing, and allocating roles well in advance so that everyone knows who is supposed to do what and can act quickly and with confidence the moment a breach happens.