SEPTEMBER 13, 2018
By Hilary Collins, Specialist, Publications and Research, Financial Managers Society
Preventing and surviving cyber attacks is a major business concern in 2018, with breaches holding the potential to exact enormous costs in terms of both resources and public trust. While most executives probably have a pretty solid understanding of the new world of cybersecurity and what to do when their institution is hacked, sometimes looking at things from a different angle can help. For example, it may be beneficial to start thinking of your institution’s defenses in terms of a concept known as cybersecurity time, which is composed of protection time and exposure time.
Protection time is the length of time an organization’s security can hold out against a cyber attack. That is, when all resources are brought to bear – all systems, procedures and personnel – how long can the institution protect itself from a cyber incident?
Exposure time, then, is the length of time it takes the organization to detect, contain and recover from a cyber attack. In the mathematics of cybersecurity time, if a company’s protection time is long enough and its exposure time short enough, it should be able to act quickly to protect information and other assets from hackers.
Protection time can be lengthened by spending more on barriers and detectors, of course, but it is limited not only by budget, but also by how business is conducted in 2018. Institutions have to balance the need to protect systems and information with the need to serve a customer base looking for fast, transparent service. While adding complex security procedures and firewalls may work to lengthen protection time, it may also frustrate customers and employees.
On the other side, institutions can focus on shortening exposure time. Assuming a cyber attack happens (and you really should be assuming that), how can your institution find and neutralize the threat as quickly as possible? A good cybersecurity plan should focus not only on strengthening fortifications against attacks but also on achieving a speedy and effective shut-down for any bad actors that worm their way through.
Understanding cybersecurity time may not dramatically change an institution’s procedures, but it can provide a helpful framework for measuring how effective they are.