Cyber threats: ignore at your peril
It’s one of those situations where you could easily think: my data is backed up, we have firewalls, passwords and other IT kit to protect us, so we’ll be OK. And then it happens...
A message pops up on a colleague’s device: Your data has been encrypted, you’ve been hacked, a ransom is demanded in bitcoin to prevent a release of data onto the internet.
Businesses, large and small, are subject to cyber attacks every day. Many attacks are disarmed at the outlying defences of the organisation’s IT network, but one day an email with an unassuming attachment marked “Invoice” from a vaguely familiar email address is opened by an unsuspecting member of staff and indeed, no one may think any more about it after that.
It could be weeks later before the system suddenly closes down and shuts you out. All that time since the attachment to the seemingly innocent email was opened, the malware has been doing its best to inveigle its way into your systems below ground as it were, undermining your defences and penetrating every aspect of your system, including your data. Not just current data, but last week’s backup and the two before that, all now corrupt and unusable.
What happens next?
If you have a business continuity plan, this is where it kicks in. This is a resource loss scenario, and business continuity planning is designed to deal with its consequences. Ideally the business has already identified its critical activities and their recovery time objectives (RTO), as well as recovery point objectives (RPO) for data. Workarounds and contingencies have been documented and tried out during regular scenario exercising. Insurance cover is in place.
It goes without saying that this situation is likely to be a massive headache and could take months to sort out, but at least there’s a plan of action. Colleagues know what to do, who to speak to and just as importantly what to say. The company’s reputation, and possibly finances, may be knocked off course temporarily, but a well-managed recovery goes a long way to restoring confidence.
On the other hand, if there is no plan for this scenario, what happens now? As is well related in many news articles concerning organisations of all types who have been on the receiving end of crippling cyber attacks, money and a lot of effort are required to sort things out and time is of the essence. New hardware, new software and licences, recreating months or even years of data, loss of customers, reparations, reputation, the list goes on.
For those with deep pockets and insurance, it is likely that there will be light at the end of a long tunnel. For the others, it could be the end of the road, the end of years of hard graft building up a successful business to be brought down because there was never the time nor the money to pre-empt this situation.
The risk of a cyber attack is very real and needs a very realistic solution including investment, time and budget. Remember to take this outside your own environment and check your principal suppliers do not have holes in their cyber security response process.
The Business Continuity Institute’s Supply Chain Resilience Report 2023 states that 55.6% of respondents, the highest number, reported that cyber-attack and breach were the main concerns for supply chain resilience in the next five years.
Cyber insurers have a much better understanding of the risk and recognise the importance of choosing carefully who they insure. It is becoming more difficult and expensive to find the right cover and not necessarily straightforward to find a specialist.
From a business continuity planning perspective, this is not just a focus on security risk controls to stop the threat, but also transferring as much of the risk as possible by thinking through the implications of a cyber attack including a data breach. That means putting in place an on-premise response capability, testing systems against a range of scenarios, and tracking actions to ensure nothing falls through the gaps.
The UK's National Cyber Security Centre has plenty of advice and guidance on what you can do to increase cyber resilience now. A good place to start is to implement Cyber Essentials, a Government-backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber attacks. Annual certification gives confidence that you are taking steps to protect your IT systems and data against unauthorised entry.
Data is the beating heart of an organisation and it deserves the best protection. Can key data be exported regularly to a secure location? For backups, think about the how, when and where. If the backups are in the same line of fire as the production data, work out a strategy for extra protection: for example, increasing authentication parameters or physically moving backup data regularly to a secure provider with no access to your systems. Be aware how much data your organisation can afford to lose, if any, as this will focus decision-making.
Ask your IT manager whether there are any technology or security staff who have the ability to delete all production and backup data. If the answer is “yes” then an experienced cyber criminal may well have the same capability through gaining access to the necessary admin rights.
Equally important are workarounds and contingencies. Coping strategies can be thought through, implemented and exercised in advance, which will make the world of difference when the time comes. A weekly report of key operational data exported to a separate IT environment does not necessarily cost you anything, but could be enough to keep your critical business activities running if systems are down.
Much of this knowledge is likely to be in people’s heads if not already documented. Always assume that the person who knows how to do this stuff is unavailable on the day of a cyber security incident. Remember that someone else with limited knowledge could be picking up the pieces and they need to hit the ground running; not deciphering handwritten notes or trying to find passwords when management is clamouring for action and answers.
BC planning is there to help, alongside IT disaster recovery. Work out what is critical to you, when you need to be doing it and with what. If the resources are not there for whatever reason, dealing with the consequences in a logical and efficient manner will go a long way to reassuring staff, customers and stakeholders that the company knows what it is doing in the face of adversity, cyber or otherwise. It may even give you a competitive edge.
Please don’t assume it is not going to happen.
Teed is here to help. Every day we work with organisations to prepare their response to possible cyber security threats. We have the experience and we know how to make it work for you.
- Date: 11th July 2023