[STAT CAN] Fail-Safe to Safe-to-Fail

By Traian Toma, Université de Montréal and Fiona Westin, Carleton University

According to Statistics Canada [1], 92% of today’s Canadian enterprises use digital technology to do business. With pervasive adoption of digital technology comes increased concern over its risks and threats. Virtually every business employs some form of cybersecurity measure to protect itself [1]. However, while Canadian businesses prioritize risk management, business continuity planning falls to the wayside. Organizations which aim to be “fail-safe”—that is, by focusing solely on prevention—ignore the fact that cybersecurity incidents are an undeniable part of an organization’s lifecycle. Truly effective cybersecurity must also be “safe-to-fail” [2]. In other words, organizations must learn to be cyber resilient.

Cybersecurity incidents’ hit on business productivity

Over one fifth of Canadian businesses were impacted by a cybersecurity incident in 2017, with rates of victimization increasing alongside business size [1]. Much as these incidents impact business IT’s availability, integrity or confidentiality in various ways, productivity loss stands out the most. Indeed, around 58% of businesses experienced downtimes in 2017, averaging at 23 hours. Furthermore, 54% of incidents prevented employees from carrying out their day-to-day work. Likewise, 53% prevented the use of resources or services (e.g., desktop, e-mail). 32% required the diversion of labour force to respond to the incident in question. Incidents’ trend towards productivity loss holds for all business sizes. According to Statistics Canada [1], monetary costs of cybersecurity incidents (e.g., additional repair or recovery costs, loss of revenue) come second, and reputational costs come last.

Cyber resilience, the transition from fail-safe to safe-to-fail

Björck et al. [2] define cyber resilience as: “the ability to continuously deliver the intended outcome despite adverse cyber events.” Considering the pervasive damage to business delivery resulting from cybersecurity incidents, enterprises must adopt cyber resilient best practices. Just like traditional cybersecurity, cyber resilience commends prevention (fail-safe), but it also acknowledges the need for organizations to bounce back from adverse cyber events when they happen (safe-to-fail) (Björck et al., 2015). Its recognition of the intersection between IT and business implies that measures are rooted in the firm’s mandate and not simply added to the existing IT infrastructure. Consequently, everybody in the organization should be involved in their fulfillment. Yet, Statistics Canada data show that there is a blatant disregard for cyber resilience amongst Canadian firms [1]. Only 8% of them have a cybersecurity incident reporting policy in place. In addition, around 10% have business continuity planned out in the event of an incident. 19% think all employees are responsible for cybersecurity to a certain degree. 16% undertake activities to identify cyber risks and threats after a cybersecurity incident. Cyber resilience is especially lacking in small businesses, the latter comprising 98% of the labour force in Canada [3].

If a business wants to become cyber resilient, it must satisfy four criteria according to Hollnagel’s  Resilience Analysis Grid [4]. A firm first needs to anticipate potential disruptions and constraints that accompany changes in technology and preplan safeguards afforded by today’s opportunities. For example, workshops can be held to identify cyber risks, threats and solutions [5]. Secondly, an organization needs to monitor the main identified risks facing its operations and deploy the respective defense measures. Leaders can be assigned to oversee these risks and communicate the findings with the higher-ups. Thirdly, a business must be ready to respond to incidents that slip by. A well-thought-out continuity plan is crucial here. Lastly, it must learn from the experience: what went wrong? How can the enterprise adapt? Holding workshops on the subject is recommended. Following this advice, a firm can thrive in today’s tough cyberspace.

Watch Fiona and Traian present their poster!

[1] Statistics Canada (2018). Canadian Survey of Cybersecurity and Cybercrime (CSoCC).
[2] Björck, F., Henkel, M., Stirna, J., & Zdravkovic, J. (2015). Cyber Resilience—Fundamentals for a Definition. In A. Rocha, A. M. Correia, S. Costanzo, & L. P. Reis (Eds.), New Contributions in Information Systems and Technologies (pp. 311–316). Springer International Publishing.
[3] Innovation, Science and Economic Development Canada. (2019). Key Small Business Statistics.
[4] Hollnagel, E. (2015). RAG—Resilience Analysis Grid. 1-16.
[5] Touhill, G. J., and Touhill, C. J. (2014). “What To Do When You Get Hacked.” In Cybersecurity for Executives, 293–322. John Wiley & Sons, Ltd. https://doi.org/10.1002/9781118908785.ch9.