The subject of internet blackout risk receives relatively little attention. It is often drowned out by tales of the risks associated with state-sponsored cybercrime or sophisticated malware attacks. As a consequence, companies could be in for a shock, at any point, if the internet fails.
Businesses have experienced an extremely unlikely and unusual period of stability of core internet services. This good luck has meant most organizations don’t take the threat of long-term internet outage seriously enough. Yet the biggest IT risk facing business is the combination of capacity and complexity issues causing the internet to fail.
Internet as a Utility
Organizations are so used to the internet working that it has become normal to think of it as a utility – such as power, telecommunications or water – where a service is paid for with contractually agreed service levels. Given that no single entity is responsible for making the internet work, it is surprising that many businesses do not have contingency plans for if and when it fails.
Businesses do protect their connection to the internet – up to a certain point, that is – for example, by using ‘dual pipes’ from two providers. But out of sight, the internet is cobbled together from a whole series of insecure, outdated technologies that are lashed together with the sweat and tears of network engineers.
An Unregulated Environment
The internet is also dependent on numerous factors that cannot be controlled by end-users. Reliable power, access to cooling, and the global network of cables are not all under business or ISP control. These need to be protected by third parties from damage by construction machinery on land or fishing trawler nets on the seabed. There are also risks caused by malicious intent. Various ‘worms’ have been spread across the internet by criminals, resulting in significant disruptions.
Nevertheless, organizations bet their business models heavily on the internet, which is managed with little in the way of formal controls. It is a huge leap of faith for business to rely on an ‘unregulated’ infrastructure when, usually, businesses are more cautious. It appears that the internet is seen by many to be more robust than highly regulated systems, such as power or financial networks – which have rare, but very significant, outages.
Internet in an M2M World
The load and complexity of internet usage are growing exponentially, while the skills and capability to manage the systems are growing (at best) in a linear fashion. Last year we passed the point where more than half of all internet traffic was created by machine-to-machine communication – the number and criticality of connections facilitated by the internet are far outpacing the resources dedicated to maintaining it. More and more data is being transferred by an ever-more exotic collection of devices, from smartphones to smart TVs, and from fridges to pacemakers.
In the near future, there may be substantial disruption to organizations, and entire businesses may fail, through not appreciating that relying on the internet means relying on third-party services for which there are no contracts or clear owners.
No Excuses
Adding another item to the already daunting list of IT risks is not something businesses really want to think about, but they have to be mindful of it. Regardless, heavily internet-dependent businesses that have processes and procedures in place to respond to an internet failure lasting a number of days are likely to be in the minority. A question that businesses need to consider is what the impact would be if an extended internet outage took place beyond the business’ (or ISP’s) control.
It could be argued that organizations should celebrate the miracle that is the internet proving to be so robust for so long, and press ahead with business as usual. Yet having contingency plans in place to survive a sustained loss of internet access is probably wise – from maintaining access to business-critical information to interacting with customers and having appropriate insurance to cover losses. The internet is incredible, but this shouldn’t blind us to the fact that it isn’t a traditional utility, or to the possible risk of prolonged failures.
Stephen Bonner is a partner in the Cyber Security team at KPMG, where he leads a team focused on financial services. Before KPMG he was group head of Information Risk Management at Barclays. Bonner was inducted into the Infosecurity Europe Hall of Fame in 2010. He ran the London Marathon in 2011, raising over £15k for Whitehat/Childline and is in training to climb Mount Kilimanjaro for Shelter this year.