In this time of COVID-19, many people have used the term “Black Swan” to describe the pandemic and its global and national impact. But “Black Swans” are defined as “Events that are highly improbable, difficult to predict, and have massive impact.” Our current situation has had massive impact, but it certainly wasn’t improbable or difficult to predict. The US has been game-planning for pandemics for decades. Movies have been made about the scenarios that are now unfolding. Bill Gates raised the flag several years ago. COVID-19 is actually a Gray Rhino. James Lam, a corporate security and governance expert (and independent director at OVP portfolio company RiskLens) defined Gray Rhinos presciently in his cover article for the National Association of Corporate Directors in February 2019.
What are Gray Rhinos? These probable, high-impact trends are clearly observable but often ignored. Disruptive technologies are great examples of gray rhinos. Gray rhinos could also be considered “known unknowns”: we know these emerging trends could have massive impact, but we don’t know how to react appropriately. Examples of current gray rhinos include artificial intelligence, blockchain, cybersecurity, and climate change. These megatrends have been brewing for years, with visible risks and opportunities, but many companies have yet to respond effectively.
Maybe our mistakes on this pandemic will lead to better forethought in other areas where we have been kicking the can down the road. Climate change – possibly. Infrastructure collapse – hopefully. But what worries me right now is the heightened risk of cyber attacks at the corporate, the infrastructure, and the national level. Our national and state focus is, appropriately so, on disease management, health, supply of critical PPE products, and food distribution. Yet ignoring the Gray Rhino of cyber attacks could have grave implications, demanding greater preparation.
Employees at many companies are working from home and connecting through unsecured or less secure networks. Our reliance on the cloud and in many cases on a small set of cloud providers has intensified the concentration of this risk. Our telecom and cable infrastructure that enables us to communicate through mobile, internet, and Wi-Fi is stretched to the limit.
In this environment, business continuity risk is increased. Vulnerability at the employee level, the corporate network level, and the cloud provider level cannot be ignored. Decisions were made in many companies to accept security risk to get teams productive, but with that initial – and often rushed – decision behind us, are corporate security teams moving fast enough to plug the holes? Have companies that are increasingly reliant on the cloud focused sufficiently on disaster recovery and management of redundancies across multiple cloud providers?
At the broader infrastructure level and the national level, one hopes the right people are focused on the threat of a coordinated, foreign-government-sponsored cyber attack. Much of our economic activity that has not shut down and is not focused on food supply chain, healthcare, or safety is working from home. Major attacks on the power grid, on internet providers, on cloud providers like AWS, and on the telecom space could paralyze much of the remaining economic engine. If you wanted to hurt us (our company, our community, our country) with a cyber attack, is there a better time?
If we have learned anything from COVID-19, it should be that Gray Rhinos are dangerous and people or countries can get trampled. Let’s learn from the mistakes of the current challenge.