Cyber: The impact of failure and how to avoid it
Middle East Risk Watch - Issue 9 - March 2018
Cyber security has three key elements – people, process and technology. In recent years the focus of investment for many organisations has been the technology aspect of these three. Organisations invest in technological tools to protect their systems, detect attacks and so on. However, the most vulnerable element of any organisation is its people, together with ensuring that the processes designed to protect the systems environment are actually being adhered to.
For many organisations the costs associated with implementing an effective information, cyber or digital security programme can be daunting. With the increasing importance and inter-connectivity of the systems and supporting infrastructure used by organisations and their supply chain, the headline is simple: any organisation needs to have a cyber readiness capability in place in order to identify, prevent and minimise consequential losses following an incident, be it a hack, data breach or ransomware.
For organisations, having these capabilities is critical to protecting investor and customer confidence. But why is it that so few organisations across the Middle East have a joined-up cyber security programme, particularly one that is complemented by a comprehensive incident response and crisis management capability?
Our experience has shown that a lack of budgeted funds directed at developing such a capability is the result of a poor understanding of the threat and a lack of publicised regional analysis of the likelihood, impact or associated costs of these attacks and the business interruption they create.
To compound this further, many organisations still consider cyber security to be “an IT issue”. It is not! It is a business issue and impacts all aspects of an organisation.
The cyber threat
Any high-profile cyber event creates global headlines (the recent breach at a regional bank and the Shamoon 1 and 2 attacks, for example). These types of attack severely impact the reputation of the organisation as well as its financial performance, either through lost revenue (not being able to serve customers, or customers not being willing to use the organisation for fear that their data is not safe), or through a discounted share price, and usually both. It is worth remembering that both of these incidents primarily materialised as a result of human error.
In a recent survey completed by Control Risks, interviewing over 480 CEOs, CIOs and CTOs, 87% of GCC respondents said they believe it is an “IT only” issue.
Not having a joined-up “business led” response in place is equivalent to regarding a fire in your headquarters as only a facilities issue, or having 50% of your staff unavailable through illness as solely a problem for your Human Resources team.
Criminals in all walks of life, whether it’s cyber crime, street crime or common burglary, will target the easy option. Ensuring your organisation is less vulnerable to attack than your peers or competitors is a key element of reducing the likelihood of an attack on your systems. Someone looking to steal from a house will look for an open door or window rather than put effort into breaking a lock. From a systems perspective, cyber security is exactly the same.
There are organisations that sell malware for as little as $150. And perhaps surprisingly, just like any software purchase, this comes with a helpline and customer support to assist in the deployment of an attack. In essence, this means the technical barrier to entry is low – you don’t need to be technologically advanced to initiate a cyber attack, you just need to have the intent.
The strongest defence an organisation can have against the cyber threat is an informed and vigilant workforce. Ensuring your staff are effectively trained creates a “human firewall” which, in conjunction with technical solutions and a joined-up “business led” response capability, provides the best protection for your organisation.
The impact of failure
One of the issues cyber security leaders have had over the years is the articulation of the costs associated with a major incident to other stakeholders in their organisations.
Some elements of impact are fairly straightforward, such as the costs associated with the physical replacement of assets or lost revenue from business activities that couldn’t be completed during the outage. However, others are more difficult to establish. For example, how do you assess the cost of the deterioration in customer confidence or brand damage due to a data breach and loss of customers’ personal data, which might not immediately affect your revenue? A good example of the cost of ensuring customer confidence is Target, the US-headquartered retailer that suffered a data breach in 2014. The company initially spent $40m to replace its customers’ credit cards, but a recent article reported that their additional associated costs have since totalled approximately $300m.
The brand and reputation of an organisation are intangible aspects of value. However, an organisation’s prestige, brand recognition and customer loyalty all have a dramatic impact on performance prospects over the longer term. If damaged, the consequences do not necessarily materialise financially at the time of the incident.
How can you ensure your organisation does not become a cyber incident statistic?
Build a business case
Ensuring that the management team, the C-suite and the company executives understand the potential impact and likelihood of an event, in simple and easily understandable terms, is the most effective method of securing the appropriate top-level buy-in.
Use language they will understand, and link potential impact to your organisation’s objectives and those of the associated budget holders. Minimise scare-mongering, as this is a short-term strategy which is unlikely to ensure budgets are sustainable year on year, and where possible use proven figures and statistics to support your case.
Complete an investigation of your systems and the data you hold. Make sure, as an organisation, you understand which are your most critical information assets and ensure they are appropriately protected. Ensure that patch and change management processes are in place and adhered to. The largest ransomware attack globally to date (WannaCry) was pre-warned by Microsoft weeks before the attack – only those organisations that had not applied the appropriate patch were affected.
Think like an attacker
A compliance-based assessment of cyber security can create a false sense of security. You are not going to be hacked by your auditor. Instead, use a threat-led approach to understand your weaknesses and assess the various control measures you have in place to mitigate those threats.
“There are two types of organisations – those who have been hacked and those who will be.” – FBI Director Robert Mueller, 2012
Plan for the worst
Ensure you have a joined-up incident response capability in place. This needs to involve your senior management team, your information security/IT team, corporate communications and your legal counsel. The key to effective incident response comes in five steps:
- Rapid recognition of the incident – ensure you have clearly identified trigger points and an escalation process to invoke the appropriate stakeholders
- Investigation and containment – ensure your team can identify and control the incident
- Threat eradication – once the threat is identified, enhance controls, renew or update passwords and encryption keys, or lock down access points
- Recovery – restore data from a previously unaffected backup and initiate an appropriate crisis communications process
- Resolution and lessons learned – learn from incidents and mistakes and improve your readiness and your defences
All of this needs to be supported by a comprehensive communications plan with messaging tailored to your respective internal and external audiences.
Having an established capability in place which incorporates these elements will significantly reduce the impact of an attack and provide you with a competitive advantage. Stand apart from the pack – enhance your awareness and be prepared.
- William Brown, Director