Fail to prepare, prepare to fail. In the case of cyberattacks, preparing to fail is exactly what organisations need to be doing. The ongoing threat of a cyber assault means that even the most secure networks are likely to be susceptible to a breach of some degree of seriousness. Cyber security experts say it is simply pragmatic to prepare for the worst and have an agreed game plan for a crisis that mitigates and minimises the fallout.
The threat of a cyber attack is ever present and inevitable, says David McNamara, chief executive of CommSec. “Everybody will be hit at some point. If a hacker wants to get you, they will get you. The key is not to panic and to work with security expertise, whether it is in-house or externally, to enact your incident response plan.”
The key to building a cohesive crisis response is to identify the obvious and known risks, but also seek external support to ensure full preparedness, McNamara says. “For example, you can pay an outside party to break into you to help further identify the risks.”
Without a strategic plan in place, a disabling ransomware attack could effectively shut down a business, he says. “If a key IT supplier goes down, what is your strategy with regard to that supplier, do you have an alternative ready to step in? This goes back to identifying the risks to your business and your third party suppliers too.” McNamara notes that in the event of a data breach, businesses will also have obligations in terms of external regulation.
According to Noel Comerford, director with Deloitte, recognising and accepting that disruptive cyber events can and will happen is a foundational element to preparing for a crisis. “Organisations need to evaluate credible scenarios that could impact these key processes by directly or indirectly impacting on the confidentiality, integrity or availability of these processes and their underlying systems and data,” he asserts. “They need to evaluate and test the controls and the organisational capability to respond and recover from such incidents.”
In a best-case scenario, Comerford says, organisations will already have a crisis response plan with clearly defined roles and responsibilities. “It is important that there is clear accountability and leadership during a crisis to drive a consistent response,” he notes. “Decisions will have to be made often with limited data so it is important to document the decisions and their underlying basis as you work through the response cycle.”
But while cyber prevention is an essential component of an organisation’s cyber resiliency, it is simply not feasible to prevent all cyber attacks. “Organisations need to focus on having greater agility within their digital ecosystem to detect, adapt and respond to the increasing threat and sophistication of cyber attacks,” says Comerford. “If you know your own systems and how to reduce their vulnerabilities to cyber attack, you then design and implement cyber controls to minimise potential disruption from cyber attacks.”
Cyber resilience refers to an organisation’s ability to prepare for, detect, respond to and recover from a cyber event with the minimum negative impact on critical business services and processes, regulatory conflict and reputational impact, explains Dani Michaux, head of cybersecurity with KPMG. “Our global framework has been developed to assume an attack will take place,” she says. “This is why our framework consists of three phases – recovery, resistance and resilience, and five stages across those three phases (assess, design, deploy, assess and sustain). All the preventive actions and tasks we recommend are focused on always expecting to be attacked.”
According to Michaux, “cyber resilience by design” is core to KPMG’s thinking around cybersecurity. “Cyber resilience should be included from the very beginning of any new or recovered service, process or system. This means integrating cyber resilience as part of security architecture, enterprise architecture, systems, applications, service design, and third party cyber resilience.”
Recovery isn’t limited to initial recovery but extends into medium- and long-term actions and programmes that build more and more resilience based on experience, knowledge acquisition and regulations, she adds. “A key aspect is to ‘build back better’ – ensure that when an organisation builds or rebuilds a service, system or process, the new capability provides the organisation with a competitive advantage. For a large-scale organisational recovery, not only should the organisation technically recover to a better place, but the wider organisation should also be better informed, aware, prepared and better able to deal with cyber events.”
Cyber resilience is critical as cyber attackers grow more wily and sophisticated, says Michaux. “We know organisations will struggle to stay in advance of attackers all the time and it only takes one opportune moment to be infiltrated and exploited.”
According to James Baldwin, head of enterprise architecture and cybersecurity with PepsiCo Ireland, cyber resilience is a significant priority area for the multinational.
“Cyber resilience is a multifaceted discipline including constantly-evolving capabilities to protect against attack, ability to operate during an incident where appropriate, while ensuring the ability to recover in a safe and expedient manner,” he says. “These pillars have been and continue to be an area for constant investment and focus from a technology and process perspective. As our businesses continue to grow and develop, ensuring our resiliency programs grow at the same pace is key.”
Baldwin notes that with continued digitisation and automation of business processes, cyber security protects not only the data which organisations require to operate, but also the capabilities and processes to function. “In the fast-paced digital world we live in, employees are in a constant state of change and under pressure to deliver results in their roles within the business ... In the meantime, cyber threats continue to evolve, becoming more sophisticated and harder to detect,” he says.
Ongoing cyber awareness and training for employees is key to help remind them of best practices and also illustrate new types of threats they may encounter, he adds. “This training also adds value for employees in their personal lives, reducing their own cyber risk.”