It used to be that only death and taxes were certain; we can start adding to that list.
At some stage we will all suffer a breach of our security systems – personal or corporate. A few years ago, a breach that impacted several million people would have been big news. In 2019 roughly 3.5 billion people saw their personal data stolen in the top two security breaches of that year alone.
The question isn’t if, but when, and how you respond will be what determines success or otherwise.
Planning, preparing and rehearsing for the inevitable data breach will be the difference between serious and lasting damage to your business and its reputation, and creating corporate resilience that treats a challenge to your systems security like any other disruption to business.
Investing in business continuity and disaster recovery planning around cyber is rooted in pragmatism – who are I trying to protect, and what? From whom? What is the value of the material I am protecting to me and to a potential hacker? The answers to these questions are at the heart of your response to the inevitable breach.
Organisations tend to be in four very different places on the cyber security journey:
- Passive - meaning that the business is not prepared for a cyber-attack – but are just keeping their fingers crossed it won’t happen to them.
- Reactive - meaning that while they aren’t ready to protect against a cyber-attack, the business is prepared to react to one.
- Proactive - the organisation is prepared to respond, while also seeking to avoid future attacks.
- Progressive - these organisations have deep cyber-attack prevention, protection, and reactive capabilities in place and rehearsed.
And while people rather than technology are usually the point of vulnerability that allows a breach to happen, people are also at the heart of a successful response. As with all good productions, rehearsing allows people to become confident and secure in their roles. Ensuring that everyone knows their part in the face of security breach is an essential component of the risk playbook. Developing procedures for each job role that describe exactly what the employee is expected to do if there is a cybersecurity incident will mean you can act swiftly and mitigate the potential damage, before moving onto recovery mode.
Following a breach, the first key step from a technical perspective is to secure the IT systems in order to contain the breach and ensure it is not ongoing. This could mean that an organisation has to take the painful step to temporarily isolate or suspend a compromised section of its network or possibly even the entire network. This can, of course, be extremely disruptive and potentially costly for the business, but sometimes putting a tourniquet on the limb is essential to the health of the body.
Another pain point is the speed with which organisations notify the rest of the world about the breach – both those immediately affected and the wider market. Again, speed is of the essence – organisations that hope they will dodge the bullet of consumer/citizen wrath at the loss of private data, will only compound the problem. Transparent and open communication – outlining the breach, the risk to the individual and the ’fix’, build a trust in the organisation that can mitigate the breach itself. Market reputation is destroyed not by the breach itself, but by a failure to be honest about it and the actions you are taking to fix it.
And while GDPR legislation demands notification of the local data protection authority within 72 hours of a known breach, having a robust communication plan in place, both internally and externally, that goes beyond obligation demonstrates control of the situation and builds trust and loyalty. Again rehearsal plays a crucial part here – executives and spokespeople need to be prepared and ready to face the media, shareholders, customers and employees and answer tough questions about the who, why and what of a failure.
There is also, of course, the potential risk of legal or criminal investigation in the wake of a breach. As part of the rehearsal and planning process organisations need to think about possible criminal and civil legal proceedings that may result. Forensic investigations may be required to a high evidential standard and local law enforcement might be required to be involved. All of these things need to be factored in during the planning stage and become part of the DNA of any response.
Cyber security (and its failure) can be made to sound very complex. But in the end, it’s not. It is a series of practical, pragmatic decisions that involve both people and technology, with people as both the biggest vulnerability and greatest asset.
As budgets constrict post Covid-19, executives are going to be keener than ever to understand the value of the investments they are being asked to make in cyber. In a world of metrics, only the following questions really matter - the rest are distractions: What am I trying to protect and from who? What’s the value of it and the impact if something bad happens to it? What do I do when it goes wrong?
Having a robust, well-rehearsed and well-resourced plan that combines both technology and people means that when the worse happens, organisations will be able to be resilient enough to fight the fires and minimise the damage. Success comes not from avoiding the disaster – but from responding to it.