HBO’s recent ‘Chernobyl’ series, which retold the story of the nuclear accident that threatened much of Europe in 1986, made for compelling viewing. The accident was said to have helped prompt the fall of the Eastern Bloc and bring about a fundamental shift in global politics.
On April 26th, 1986, reactor number 4 exploded, throwing radioactive material into the night sky. We may never know how many people suffered as a result of this accident. The official death toll was 31. Or 54. Or several thousand. Or 93,000.
It’s important to understand what contributed to the accident. Official reports cited the following:
The human factor was considered a major contributor in both official reports into the accident, with much focus on an inadequate “culture of safety” – which was prevalent not only in operations, but in all stages of the power plant’s lifespan, including design, engineering, construction, manufacturing and regulation.
“The accident can be said to have flowed from a deficient safety culture, not only at the Chernobyl plant, but throughout the Soviet design, operating and regulatory organizations for nuclear power that existed at that time.”
If we apply a cyber lens to the contributing factors to the accident, we can learn a lot about how to keep our organisations safe, not least by generating a culture of security. At a minimum, ask the following questions:
I’d advise CISOs to take an unbiased view of their security culture. This is one area where bringing in external support can really help – because the human dimension can have a massive impact on your management of cyber risk, yet it is easy to be blind to a deficient culture, especially when compliance reviews might have shown that, on the face of it, you have all the right pieces in the right places!
Your security culture needs to be built on shared security values and behaviours which are promoted and understood across the organisation. At the very least, staff should:
When push comes to shove, you might have the best workforce in the world when it comes to business dynamism and a thirst to drive business growth. But remember that this will count for nothing if your people aren’t equipped to play their part in protecting the business from the cyber threat. Learn from Chernobyl, and don’t consign your organisation to the cyber wasteland.
About the author
Principal Consultant, CRMG
Former Cyber Security Policy Manager, Bank of England
Industry of Expertise: Banking, Healthcare
Areas of Specialism: Cyber Security Governance & Policy Management