Cyber security has an air of mystery to it. Something hidden in the shadows and only able to be understood by technologists and spies.
But the truth is rather more prosaic – it’s just another potential disruption to a business and should be seen in that context. Industrial action, floods, pandemics, power cuts and cyber security all cause disruption – we need to think of cyber security in the same context and build security into our overall risk management and business continuity thinking. And plan accordingly.
The Covid-19 crisis has taught us a number of things: how easily disrupted our supply chains are, how broadband is as much of our critical infrastructure as water, and that home schooling isn’t as easy as it looks.
But first among these is the importance of business continuity planning – and a very pressing need to update, review and rehearse it on the assumption that it is not a work of fiction but a very real, very important weapon in protecting your organisation in disrupted times. Sadly, very few organisations are able to demonstrate a full grasp of their exposure to cyber threats, let alone the plans in place to mitigate the risk. As a result, responses remain largely reflexive rather than strategic.
And as increasing parts of our operations move into the cloud, this brings a new and different set of security challenges. It raises a whole new series of questions: who is responsible for what, where is my data actually stored and in whose legal jurisdiction, what is the threat profile, and how do I prepare for it?
Adapting to this requires a thorough rethink of how we approach cyber security. First, by explicitly embedding cyber risk management considerations into existing core risk management processes and assigning responsibility for this at executive level.
Secondly, improving and enhancing any existing monitoring and reporting work. This is at the heart of becoming cyber resilient - the ability to acquire, understand and act upon cyber threat intelligence, at speed and with finesse.
Thirdly, plan for it as if it were a ‘definite’, not a ‘maybe’. The most resilient organisations are making sure that threat scenarios are regularly explored and then rehearsed – and the lessons learnt captured and documented. Responses, roles and responsibilities should all be clear and so familiar that they are second nature across all levels of the organisation. Collaboration across divisions as part of this ‘gaming’ process is crucial. Successfully responding to a cyber threat isn’t just the job of IT security, but also HR, finance, crisis management, business continuity, fraud/investigations, media relations, corporate affairs, legal and so on.
This third element is perhaps the most crucial. The perception of resilience is as important as the resilience itself in deterring attacks, and surviving them when they do occur. Being thought to have been ‘caught out’ – through lack of preparation or systemic failure – is as detrimental to shareholder value as the security breach itself.
And, as there is no such thing as 100% secure, it’s better for organisations to accept and understand this – and prepare for the worst-case scenario. Most organisations suffer security incidents every day – it is better to focus on incident management and response, and on maintaining business continuity, than to pretend it will never happen.
One of the principal reasons why security breaches occur isn’t a failure of technology or software: it’s people: from leadership who aren’t as fully up to speed as they should be on the need for investment or the associated risks, to individuals with insufficient training, to facilities that are unsuited to home working or organisations that don’t provide the right upgrade at the right time.
Making the solution the responsibility of every part of the business, not just IT, will be at the heart of cyber resilience.