Andrew Scott, of the Business Continuity Institute, analyses how likely it is that your organisation will suffer from a cyber attack and the best ways to combat the danger
Cyber security incidents seem to be more commonplace these days. It is rare to open a newspaper, switch on the news, or scroll through your social media timeline, without hearing about some poor unfortunate organisation that has suffered the consequence of such an event. Of course, usually the poor unfortunate organisation is a huge multinational that has invested millions into protecting its IT and the data behind it, so that doesn’t give much hope to the rest of us who don’t have such resources to invest.
That being said, it is not always big multinationals. There has recently been a spate of ransomware attacks on hospitals in the US, whereby the hacker encrypts data held within the IT system and only unencrypts it once a ransom has been paid. A ransomware attack creates two hard choices for businesses – either spend multiple days recovering locked files from backups that may not be up-to-date, or pay a ransom to criminals who will then be incentivised to launch further attacks.
But these are the high profile incidents, how likely is it that your organisation will suffer from a cyber attack?
Are you at danger?
In the Business Continuity Institute’s (BCI) recently published Cyber Resilience Report, it was revealed that two-thirds of respondents to a global survey had experienced a cyber security incident during the previous twelve months, and that 15 per cent of respondents had experienced at least ten during that same time period.
Phishing and social engineering attacks were the main cause of attack with three-fifths of respondents claiming their organisation had fallen victim to the theft of information by hackers masquerading as a trustworthy source. This was followed by malware (45 per cent), spear phishing attacks (37 per cent), denial of service (24 per cent) and out-of-date software (21 per cent).
It is easy, therefore, to see why cyber attacks are worrying for business continuity professionals, as identified in another piece of research published by the BCI – the annual Horizon Scan Report – which identified that the number one threat to organisations was cyber attack. 85 per cent of respondents to a global survey expressed concern about this type of attack materialising, while 80 per cent expressed concern about the possibility of a data breach.
It does not seem to matter the size of the organisation when it comes to cyber attacks. The findings of the Cyber Resilience Report echo those of another study carried out by the Federation of Small Businesses which revealed that two thirds of small to medium sized businesses (SMBs) had also experienced a cyber security incident during the past year. Likelihood may be the same, but what about impact? The main disadvantage that small businesses have is that they are less likely to have the resources or skills required to combat such a threat, and so potentially leave themselves more vulnerable to the consequences of such an incident.
It has even been suggested that SMBs are deliberately targeted as they are considered to have weaker security than larger businesses, but then provide a backdoor into those larger businesses. And just because a disruption is in the virtual world, it does not make it less disruptive or less costly than one that occurs in the physical world.
UK government figures from the 2015 Information Security Breaches Survey indicated that the average cost of the most severe online security breaches range from £1.5 million to £3.1 million for big business and from £75,000 to £311,000 for SMBs.
The good news is that there is something that can be done to protect your organisation from the impact of cyber attacks – invest in business continuity. A study by the Ponemon Institute showed that companies that have predefined Business Continuity Management (BCM) processes in place are able to find and contain data breaches more quickly, discover breaches on average 52 days earlier and contain them 36 days faster than companies without BCM.
The Cost of Data Breach Study found that the longer it takes to detect and contain a data breach, the more costly it becomes to resolve. While breaches that were identified in less than 100 days cost companies an average of $3.23 million, breaches that were found after the 100 day mark cost over $1 million more on average ($4.38 million).
How to combat the cyber threat?
Very often the intrusion into your systems comes down to human error so what is most important is to improve user awareness of cyber security. Make sure that your employees are able to recognise suspicious links, emails or activities and know how to report it. Make sure they know to use passwords that cannot be easily guessed, or aren’t written on a Post-It note next to their computer. Have a robust password policy which requires password changes at regular intervals.
Conduct anti-phishing user training – this starts with awareness, but some companies go so far as to send fake phishing emails as training exercises. If the user clicks on the link, they are taken to a short training film. If they report the email to the security team, they receive a congratulatory response.
Make sure that you have email filtering and controls – blocking certain types of attachments or file extensions, or not allowing links in emails to open when clicked. Ensure that users know to control all the assets in their possession, and keep them in their possession. Create a bring your own device (BYOD) policy which guards against employees introducing viruses to your network through their own mobile devices.
If your systems have become disrupted then you need to assess whether they are completely out of action, and whether they could be replicated elsewhere? If so then make sure that these back up systems aren’t prone to the same attacks as the main system. Conduct regular data back-ups, and segregate them from production data. Many organisations moved away from tape back-ups to mirroring or live replication between production and disaster recovery environments due to availability needs. Organisations should look to increase the separation between those environments through either firewalls, restricted access, additional security scanning, or a type of ‘tape delay’ whereby the data from production is held in a ‘safe mode’ for some period of time.
If no IT is available then you do have the capability to operate manually. Like Lincolnshire County Council did when they experienced a ransomware attack last year, get the pens and paper out and use these. Business continuity is not necessarily about working normally during a crisis, it is about working in as normal a way as possible.
Whatever the crisis, it is essential to respond swiftly as the longer you delay any action then the more disruptive it could become. Communicate to all your stakeholders what is going on and what you are doing to resolve it. People are a lot more understanding when you’re being transparent and they can see you’re making an effort to sort things out.
Managing the threat
How well would your organisation be able to manage a cyber incident? There are two ways to find out. The first is during a cyber attack, but this is probably a bad time to find out that you have no effective response. The second is during an exercise, so always make sure you exercise your plans. This can be done as a table top exercise where the main players sit round a table and discuss the response. This way is quicker and cheaper, but it may not accurately reflect how you would handle a real incident. You could therefore run a live exercise where an incident is simulated in real time. This would take more time and resources, but would give a more accurate reflection of your response.
Disruptive events will always occur, whatever form they may take. By having an effective business continuity programme in place, it should mean that, in the event of an incident, a drama doesn’t turn into a crisis.