James Moore, Managing Editor, IFSEC Insider

James Moore is the Managing Editor of IFSEC Insider, the leading online publication for security and fire news in the industry. James writes, commissions, edits and produces content for IFSEC Insider, including articles, breaking news stories and exclusive industry reports. He liaises and speaks with leading industry figures, vendors and associations to ensure security and fire professionals remain abreast of all the latest developments in the sector.
January 20, 2020


“Travelex tragedy proves cyber resilience must become the new watchword”

Cyber security is critical but the next challenge is to build true cyber resilience and business continuity into our organisations, says Richard Huison, Regional Manager at Gallagher Security.

I wrote a lot last year about cyber security and am delighted to say that it had the desired effect.

Far fewer clients now give it the ‘Scottish play’ treatment of theatre circles, or the ‘He Who Must Not Be Named’ treatment from Harry Potter. As with Macbeth and Voldemort, if you can name the cyber threat out loud, then you can start mitigating against it.

So, while that’s a great start that organisations are now taking the cyber threat seriously and are working hard to block intruders, I’m sorry to say that with the best will in the world and cyber security aplenty, people are still going to break in!

And if they can continue to get in, you still face the risk of a catastrophic system outage or failure at huge cost. We have all become so reliant on data, systems and technology that we must also build in resilience for when security is breached.

After all, just consider the impact on the world if I could take down the internet for just one day. It would be like returning to the Dark Ages without warning.

Warning signs

Just look at the catastrophic impact on the foreign currency business Travelex, caused by a ransomware cyber-attack only days ago. Travelex took its computer systems across the world down and started using pen and paper after hackers demanded a huge ransom in return for customer data.

The problem cascaded on from there as high street banks and supermarket forex booths – including Lloyds, Barclays, Royal Bank of Scotland, Sainsbury's and Tesco, all of whom get their foreign notes from Travelex – reported a drying up of their supply.

On 8 January the BBC reported that the hackers – known as Sodinokibi or REvil – had told the BBC that they had downloaded 5GB of valuable customer data and would sell it online in six days’ time unless Travelex paid them an ever-rising ransom, which stood at $6m on that day.

So, even this early in the New Year perhaps I’m already too late. But my message for 2020 is to move beyond purely introducing cyber security into your organisations and start to build real cyber resilience and business continuity.

Next steps for cyber resilience


Please don’t think I am arguing against myself. Cyber security is still critical, and you need robust cyber policies, firewalls and other defences to protect against known and predictable attacks.

These are the first two steps in the globally respected US National Institute of Standards and Technology (NIST) Cyber Security Framework, which sets out five stages in the cyber security versus cyber resilience continuum – Identify, Protect, Detect, Respond and Recover.

So, such steps are critical to improving your cyber resilience, but prevention alone is not sufficient. And you must consider this all within your wider organisation’s risk management and business resilience strategy.

Many security specifiers and business owners fail to realise the benefits that good security can have on changing the outcome of a crisis. Organisations typically don’t think through how the security controls they have in place during regular operation might cope in the event of a disruption.

Security measures such as access control, CCTV, IT security, intruder alarms and physical security should be tailored to the types of threats your organisation is most likely to encounter in both normal operational and crisis scenarios.

Evaluate regularly how robust your security measures are, to ensure you know how they will cope under stress and attack. Cyber security best practice will prevent the great majority of attacks. But even with great cyber security, you are still likely to suffer some kind of attack.

Check this out: the latest UK Cyber Breaches Report found that 60% of medium-sized firms and 61% of large firms suffered a major breach in the previous year.

So, what is cyber resilience?

A cyber resilient organisation is equipped to respond to and recover from a cyber breach – and critically to keep operating through it and ultimately get back up and running and be more capable of withstanding future disruption.

Cyber resilience also involves things like business continuity management – indeed, Google search results often include cyber resilience and business continuity together. Good systems and processes will mitigate the risk of fraud or theft by employees, clients, suppliers or contractors.

Utilise your security and HR teams’ skills in vetting and checking, and ensure you give them and their colleagues thorough training in how to respond and what to do in the event of a disaster.

Their rapid and appropriate response will be your first line of defence during a crisis to liaise with emergency services, help with evacuations and start coordinating a response.

The recovery team can also review security footage and logs to collect as much information about the incident as possible for insurance companies and law enforcement. Make sure your recovery team is familiar with your security system setup if you do not have a dedicated security team.

Protestors, rioters and terrorists have inflicted untold damages and disruption to organisations around the world in recent years, with many poorly prepared to manage this kind of emergency.

Take a proactive approach in developing riot policy and procedures, and incorporate them into your company’s business continuity plan. This may include implementing lockdown procedures, activating your business security system, and defining roles and responsibilities for when these types of event occur.

After you have developed your business resilience plan, test it thoroughly to identify any weaknesses. Walk your recovery team through each element of the plan before involving the rest of your employees in testing.

For organisations operating in critical environments, the risks of a breach are high and the consequences can cascade way beyond the organisation itself – even threatening life itself.

That’s why the WannaCry ransomware attack three years ago received such widespread media hysteria – not because 230,000 computers in over 150 countries in organisations from Honda to FedEx were affected in just one day, but because our good old National Health Service was hit.

When human life is under threat, it makes it easy for us all to take cyber resilience seriously.

So, stop putting your business continuity plan on the back burner because of the day-to-day demands of running your enterprise. This genuinely could be a matter of life and death – or at least the financial viability of your organisation.
