Cyber reflections: By failing to prepare, you are preparing to fail.

Why is crisis management so important?

Crisis management involves the process by which organisations deal with malicious, disruptive, and unexpected events. Incidents can have a huge impact on an organisation in terms of cost, productivity, and reputation.

When the number of IoT devices worldwide stands at over 15 billion, is it any wonder that cyber-attacks are at an all-time high, and showing no signs of slowing down?

Internet of Things (IoT) has dual meaning, and is defined by NIST as follows:

1.  User or industrial devices that are connected to the internet. These devices include sensors, controllers, and household appliances.
2. The network of devices that contain the hardware, software, firmware, and actuators which allow the devices to connect, interact, and freely exchange data and information. This can be achieved with or without the use of the internet.

IoT demonstrates the rapid convergence of technology into our lives and thus the importance of ensuring vulnerabilities cannot be exploited as we move forward.

Organisations must prepare for crises.

As a society, we are recognising and accepting that threats like data breaches and cyber-attacks are increasingly common, and will not be stopping anytime soon. Preventing and detecting attacks and/or reducing the impact of an attack has to be the main focus.

Technology, the internet, and the commercialisation of it has changed the face of society, how we communicate, work, shop, bank, etc., but sadly, there will always be those who will abuse the good for bad.

IT systems are now ubiquitous, ransomware attacks can be truly devastating for victims and their customers; this is why ransomware remains an acute cyber threat for most businesses and organisations. 

What if organisations do not prepare?

Attacks can affect every aspect of an organisation’s operations, hitting finances, compromising customer data, disrupting operational delivery, eroding trust, and damaging reputations. 

The impact will be felt in the short and long term, particularly when organisations are unprepared. Recovery is often lengthy and costly, but organisations are realising the answer doesn’t lie in crossing your fingers and hoping for the best, but in the preparation, reminiscent of fire drills.

In an article published by NCSC in November, 2023, the UK’s cyber chief signalled that the threat to the UK’s most critical infrastructure is “enduring and significant” amid a rise of state-aligned groups, an increase in aggressive cyber activity, and ongoing geopolitical challenges. In its latest annual review, the NCSC, part of GCHQ, warned that the UK needs to accelerate work to keep pace with the changing threat, particularly in relation to enhancing cyber resilience in the nation’s most critical sectors.

There are 2 types of companies, those who know they’ve been hacked, and those who’ve been hacked, but don’t know about it yet. This statement rings true more than ever, so why is this element of business being neglected until it’s too late?

Long gone are the days where cybersecurity was thought of as a problem, solely for the IT department. We must prioritise our cyber health to proactively approach this changing cyber landscape.

Cybersecurity is an inherent business risk.

The first step to prepare for this changing landscape is to acknowledge this key point, then put steps in place, execute said steps, take the time to explore lessons learnt, and continuously work to move and progress the cycle forward.

It’s impossible to eliminate cyber-risk, so working to reduce the impact of an attack must be the aim of the game.

Cybersecurity is a forever problem, there is no start and end point, and there is no manual – it’s a business risk that needs constant monitoring and attention.

Knowledge is power after all, and it’s a good thing that organisations are now being recognised for how well they manage cyber incidents, and lessons learnt published in the public domain.

Cyber resilience is a never-ending journey of improvement, and in times of crises that overwhelming fight or flight feeling will engulf you. Are you ready to fight?

Addressing cyber risks.

There are a number of ways organisations can combat growing cyber risks and creating a crisis management plan is at the forefront of this. Creating a crisis management plan is a necessity for Critical National Infrastructure (CNI) where the impact of a cyber attack can be detrimental. 

So what comes into a crisis management plan?

A crisis management plan should adapt to an organisation’s needs, and what the plan consists of will completely depend on the organisation itself. 

It’s easy to fall down the rabbit hole when Crisis Management Plans/Response, Business Impact Analysis, Risk Assessments, and Disaster Recovery Plans/Response are all relevant and interlinked. Therefore, defining the scope and boundaries will allow you to remain focussed on the job-in-hand. Crisis management is a continuous cycle of improvement, striving for perfection first-time around will only end in defeat!

I know I’m stating the obvious here, but the most advantageous time to prepare a business for a crisis is before it occurs! If this is the case, then why are so many organisations averse to putting the critical preparation work into ensuring their business is able to continue operations in a degraded manner? It’s estimated that a cyber-attack occurs every 39 seconds, and according to IBM’s Cost of a Data Breach report 2023 (p.14), it takes approx. 204 days for an organisation to discover a breach, and up to 73 days to contain it.

When thinking about and preparing a business for crises, a good place to start is at the worst case scenario. For example, a complete IT outage, where all services and applications are defunct, and there is no way business operations can continue in their normal mode of operation. This should be for a defined period of time, let’s say for example 4 weeks minimum.

The first thing you’d need to consider is the impact to the business should the above scenario transpire, and start asking questions, for example:

• How long can the business afford to be completely non-functional?

1. How does the downtime affect other core business functions?
2. What impact does this downtime have on the supply chain?

• Which operations are critical to the business?

1. Prioritise these on a scale of 1-10 (1 being the highest priority, 10 being the lowest)

• Of the critical business operations you’ve identified, which applications and services do they rely on:

1. What data do these operations process?
2. Where is the data stored? (Physically and virtually)
3. How is the data stored?
4. Is the data encrypted? At rest? In transit?

• Have you considered alternative provisions for the loss of your nominal solutions

1. Are all the key stakeholders aware of the degraded mode plan-of-action?
2. Are they all aware of their responsibilities?
3. Who’s responsible for activating the Business Continuity/Crisis Plan?
4. You’ll need to continue to communicate with your stakeholders and customers – how do you anticipate communication when in a degraded mode of operation?

Preparing your business for a looming cyber crisis is daunting, but you don’t have to do it alone.

The questions above provide a good baseline for digging deeper into the people, processes, and technology of a business, and understanding just how a business ticks. And remember, a plan isn’t a plan unless it’s been put to the test!  

This is by no means an exhaustive list of all things to consider when preparing a business for a crisis; each and every business is unique in its own way, which adds to the appeal for cyber-criminals.

If you enjoyed this article and would like to find out how we can support your business contact us.

Sources:

National Cyber Strategy 2022 (HTML) – GOV.UK (www.gov.uk)

NCSC warns of enduring and significant threat to UK’s… – NCSC.GOV.UK

internet of things – Glossary | CSRC (nist.gov)

• Share