Planning for the fallout
Global terrorism and extremism have been high on the agenda since the start of the century and as the threats grow, so do the cyber elements.
A new report published by the Business Continuity Institute (BCI), in association with BSI (British Standards Institution), revealed that it is IT-related threats that are continuing to cause the greatest concern for organisations, ranking above other threats such as natural disasters, security incidents and industrial disputes.
The 2014 Horizon Scan, an annual survey of business continuity professionals from across the globe, showed that 36 per cent of practitioners were concerned or extremely concerned about the possibility of a disruption caused by an act of terror – up from 33 per cent in 2013.
The changing nature of the threat
Of course the world of terrorism has changed over the years. Bombings and physical attacks still happen but as the world has moved into the digital age, so has the art of terrorism. We have seen terrorist groups using the internet to recruit, disseminate propaganda and assist in the radicalisation process. Therefore it’s no surprise that cyber attacks are becoming a popular tool for terrorists, or those who have a feeling of disenfranchisement or hold a grudge against an organisation. In fact the Horizon Scan report showed that 73 per cent of practitioners expressed either concern or extreme concern about the possibility of a disruption caused by a cyber attack – up from 65 per cent in 2013.
Furthermore, the report showed that the same percentage of business continuity practitioners (73 per cent) were concerned or extremely concerned about the possibility of a disruption caused by a data breach – up from 66 per cent in 2013. With data being such a valuable commodity, the prospect of leaving it vulnerable to attack is a big risk for any organisation to take.
High profile example
A high profile example of an organisation using a cyber-campaign for political reasons is that of the Syrian Electronic Army which, for several years, has used distributed denial of service (DDoS) attacks against the websites belonging to opponents of Syrian President Bashar al-Assad and various western organisations. These sorts of attacks can cause maximum disruption to all sorts of organisations by stopping websites from functioning properly; they can prevent e-commerce transactions or, just as importantly, prevent access to information. Other tactics used by cyber criminals include hacking into websites and defacing them in order to cause embarrassment and reputational damage.
No business is free from risk
Loss of business and loss of reputation are two major issues for any organisation, so attacks like these are a big issue as they have the potential to put organisations out of business. Therefore no organisation should consider itself exempt from cyber threats – so whatever the size or location, processes must be in place to be able to deal with them.
When Malaysian Airways Flight MH370 went missing, stories soon emerged of how technology could be used to hijack a plane remotely, and these stories weren’t new. The fate of that particular flight is still unknown and these claims are unfounded; however, the threat of cyber hijacking remains real and should not be ruled out by organisations in the security sector.
In 2011, the International Air Transport Association warned airlines to “remain on their guard” against cyber terrorism which is now described as “a distinct threat to the aviation industry.” In demonstrating the threat, Pascal Andrei, director of aircraft security at Airbus, described a scene from the film Die Hard 2 where the aircraft’s on‑board computer system was deceived into thinking it was 200 metres higher than it actually was, causing the plane to crash. Andrei’s statement highlights the importance of safeguarding against cyber terrorism as scenes like this may no longer merely be fictional scenarios.
Historically we have always thought of cyber terrorism as being politically motivated, but this is just one of many reasons. In 2013, a group of men were arrested in London for attempting to steal £1.3 million from Barclays Bank by installing a piece of equipment that allowed them to take control over some of the bank’s computers. Although the men were caught, the incident demonstrates that the technology exists to do this and it will no doubt get more sophisticated over time.
The value of data
It is not just money that people attempt to steal; data too is an increasingly valuable commodity. Recently, Target suffered a major data breach that resulted in 40 million credit and debit card records being stolen, along with 70 million other records containing customer information such as addresses and telephone numbers. Two years earlier, a data breach at Sony resulted in the theft of personal details of up to 77 million customers, which cost Sony an estimated $171 million, not to mention the significant reputational damage.
Aside from political and financial motives, personal vendettas are also popular reasons to attack an organisation’s computer network. ‘Hacktivist’ groups such as Anonymous are repeatedly conducting DDoS attacks in the same way that the Syrian Electronic Army does, and these are not restricted to political bodies. MasterCard, PayPal and other financial institutions have also been the victims of their displeasure and more recently a children’s hospital in Boston was targeted due to the way it handled a reported case of child abuse.
Preventative measures can be put in place to protect an organisation from such attacks. Some of these can be controlled, for example making sure there is an effective firewall and anti-virus software in place, and ensuring that sensitive data is encrypted and not part of the public facing side of their network. It is also important to make sure that hardware is secure and cannot be tampered with.
Of course some things are less easy to control and the human factor is often the weak point where security is concerned. This can be minimised by introducing an employee education campaign to ensure users don’t download inappropriate material or open suspicious attachments, or by enforcing security controls and managing user privileges to stop people accidentally downloading malicious content.
With business continuity however, there is always the assumption that eventually the threat will materialise. Whatever measures are in place, nothing will ever be 100 per cent secure. Malicious software is constantly evolving so it is a possibility, or even a strong likelihood, that eventually you will be caught out. Organisations must therefore have an effective business continuity plan in place to deal with it.
The fallout
So what could the impacts be of a cyber attack? An organisation forced to take down their website as a result of an attack would immediately be impacted by the loss of business. They would need to consider what they could do if they were unable to make any sales or deal with customer enquiries through existing methods. One solution would be to set up a back-up system or persuade customers to return once the issue has been resolved.
This latter issue may be slightly more problematic when you consider that another major impact, one that could have long term implications, is loss of reputation. If customers don’t feel safe providing you with their personal information, they may be less inclined to deal with you in the future. Businesses need to make sure they have ways of protecting their reputation or rebuilding confidence in their brand.
Another impact that could have long term implications, possibly the main reason for cyber espionage in the first place, is loss of competitive advantage. Whether you’re a government having military secrets stolen by another, or a business having the designs to your latest product stolen, both will result in the loss of your competitive advantage. Potentially the investment you have put in will be wasted. As part of the business continuity planning process, organisations should identify what their most valuable assets are, which ones are most at risk from attack and what the impact would be if these assets were stolen.
Lessen the impact
The recommendation for all organisations is that they conduct their own horizon scan to assess what the threats are to their organisation. Using this data they must assess what the impact would be should these threats materialise and then develop a strategy that could help prevent them from happening or lessen the impact should it happen.
Testing your plan is just as important as developing a system for securing your computer network, and as important as producing a business continuity plan. You will never truly know if the plan works unless it has been put through the same rigours that any ill-intentioned person could.
Business continuity is about ensuring that disruptions don’t prevent you from operating effectively. Disasters do happen, but they don’t need to be a disaster for you. If you have an effective business continuity plan then your business should still be able to do business.
Visit www.thebci.org, where you can download the Horizon Scan Report