What if an invisible attacker tried to bring down your business? Companies need to think about the unthinkable when it comes to cyber threats.
We spend most of our lives blissfully unaware that one day we will cease. It’s too depressing – so we simply don’t think about the inevitable. That willful suppression of facts gives us some measure of peace. We don’t spend our days torn apart in existential crises. But it also leaves us with a false sense of permanence. We believe every day will be just like the next.
Until that’s no longer the case.
In her groundbreaking work, On Death and Dying, Elisabeth Kübler-Ross identified the psychological stages we pass through as we come to terms with our own mortality: denial, anger, bargaining, depression and acceptance. Given the chance, before the end we all find a way to think about the unthinkable.
Listening to Carl Woerndle tell the horrific tale of the sudden and absolute destruction of Distribute.IT, you can actually hear him pass through each stage. It begins with disbelief – how can this be happening? Followed by anger – who is doing this? Next comes bargaining – perhaps we can make it through this. Then into depression – we’ll never get through this. Finally there’s acceptance – the fire sale of the business as the best way to do right by Distribute.IT’s resellers.
The progression from denial to acceptance often takes many months. No-one should be forced through it in a span of three weeks. There’s just not enough time to process all of the trauma. But that’s just what happened to Carl.
As Carl makes clear, there’s nothing particularly special about his case nor any real reason why Distribute.IT was singled out for this attack. For Carl, this was as senseless as a car crash - out of the blue, and then everything changes.
Our first instinct may be to shudder and thank our lucky stars it happened to someone else. Yet, as Carl says, “It’s not a matter of if, but when.” Lightning will strike. Hackers will come. They will get in, they will maraud, and you will not be able to stop them.
We put great value on IT security because we want to believe that it can save us. It allows us to live with the unthinkable. Security vendors know this. They play on those insecurities, promising that vigilance - and a hefty payment - equals peace of mind.
But the threat of cyber attacks remains very real. The power of networks to enhance collaboration and productivity is equalled by the vulnerabilities they facilitate. These are two sides of the same coin.
It’s easy to have a secure IT infrastructure - if you air-gap every computer in your organisation. Sure, productivity will plummet – but at least you’ll be able to sleep at night.
Denial is not an answer. Nor anger, nor bargaining with security vendors for that magic talisman to hold the hackers at bay. Depression is not a strategy. The only way forward is acceptance.
Accept that all your network systems are vulnerable. Accept that they are constantly being probed, and that these probes are more successful than you will ever know. Accept that your business continues only on the sufferance of hackers who can’t be bothered to wipe the data off your drives.
Accept all of that as ground truth, and prepare.
If your entire IT infrastructure disappeared tomorrow - corrupted, hacked into uselessness - how long would it take to rebuild? How long before employees could get back to work?
How long before you could trade again? Would your business survive an extinction-level event?
Distribute.IT didn’t - even with a rescue plan in place, backups and a well-trained staff. Will your rescue plan survive an encounter with the enemy?
You need to find out.
Make it a priority to run the full fire drill: Starting from nothing, rebuild a workable IT infrastructure. Do that, learn from your mistakes, improve the plan, and run the drill again, so that when the attack comes - and the attack will come - your organisation will be able to meet the challenge.
While planning your fire drill, take an inventory of the value of all the data on all of your systems, and get that insured in full. Perhaps the biggest takeaway from Carl’s story is the mismatch between insurance and risk. That’s a fatal mistake in any business – but at least it’s one that can be remedied.
The world is a dangerous place and companies need to think about the unthinkable when it comes to cyber threats. Denying those dangers leaves us unprepared, granting those dangers a terrible power over us. Only in acceptance - and vigilant preparedness - can we rest assured that we’ve done our best.