When cyber crisis strikes… what do you do?

Written on 13 May 2019

This piece explores the cyber risks faced by companies and how best to mitigate them.

In the current business climate, most companies don’t have a choice as to whether they digitally transform their businesses to compete. But the more businesses embrace internet-enabled technology, the more security risks arise. Cyber attacks and data breaches are now business as usual for large companies, but the large attacks can be crippling.

This piece will explore some of the cyber risks faced by companies and how they can mitigate against them.

What are the security risks of digital transformation?

Many aspects of digital transformation, such as business process software, require internet connectivity. With more internet connectivity come more access points for cyber criminals. Those criminals are using increasingly sophisticated methods and even the most robust defences are being penetrated, so companies must be on high alert to ensure they are not leaving themselves open to attack.

There have been a number of recent examples of small to medium-sized businesses being caught out by not updating office software or applying the right settings to detect phishing and email hacking scams. In these cases, the failures lie not just in falling for a phishing email but in then failing to spot that the emails are being forwarded to an unknown email address.

Businesses are also increasingly partnering and sharing data with technology companies (such as SaaS platforms and cloud providers), which opens up further vulnerabilities in the supply chain in relation to data and information security. Whilst much of the focus in the last couple of years has been on the protection of personal data and the GDPR, what is of most concern to many businesses is confidential information and business continuity. Many malware attacks are not targeted at particular businesses but instead travel across networks looking for weaknesses. The consequences can include damage to IT systems, failure to fulfil contracts, operational chaos, reputational damage and the loss of intellectual property or trade secrets.

How can these risks be mitigated?

In order for digital transformation projects to be successful, security needs to be considered from the very start and involve all key stakeholders in the business. Cyber security is no longer just an issue for the IT team; everyone including Legal, Communications and HR must be a part of the discussion. So when it comes to designing cyber security strategies, whilst they must be multi-faceted and tailored to the business in question, the need for company-wide involvement in setting and implementing the strategy is a common thread. It is also important to consider the language used in any plans and strategies. When it comes to a real-life crisis, non-technical decision makers must have access to plans on mobile and in plain English, avoiding complex IT jargon and acronyms. And the work doesn’t stop once the plan has been agreed and communicated; these plans must be regularly updated if they are to be of any value in a real crisis. If you can’t access them quickly on a Sunday morning, they may not be of any use at all.

Carrying out regular security audits must be a key component of any cyber security strategy. A thorough audit should assess the security of the system’s physical configuration and environment, software, information handling processes, and user practices. It is also important to consider carrying out these audits on any third parties the business works with, as this could be another opening for hackers.

There is a growing market for cyber security tools that are constantly improving and adapting to the latest threats. Some of these tools can be used to predict, and therefore help mitigate, cyber security risks. Attack graphs reveal the potential vulnerabilities that could be exploited by a hacker to break into a network or computer system, while another technique for threat prediction is COI analysis. This estimates the capability, opportunity, and intent of the attacker and is widely used in military and intelligence communities for threat assessment.

Having said this, strategies and plans will only get you so far. In the event of a crisis situation, incident response plans are quickly discarded and instinctive decision-making must kick in. More often than not these days the question is when, not if, the business will face a crisis, so practising those decisions in a hypothetical environment will ensure the company has the best chance of handling a real crisis.

How should organisations respond to a real cyber-attack?

Once crisis strikes, the race is on to patch the vulnerabilities and get business back on track. But that is only part of the battle. In previous high-profile cases, the spotlight has quickly shifted from the reasons behind the attack to how the company has responded, including its communications with customers and stakeholders. This is when the hypothetical scenario practice comes into play, as companies that are well versed in their crisis response will usually fare better.

When it comes to issuing comments externally, such as to the press and regulators, companies may be tempted to respond quickly to detailed requests in order to appear in control. But with the growing complexity of cyber-attacks, the details of an attack may quickly change, so speaking out too early on could do more harm than good. Therefore, it is sometimes more sensible to establish all the facts and get to the bottom of the problem before commenting publicly. Publicising an attack before the systems have been secured can also highlight an opportunity for hackers to try a follow-on attack.

There are also a number of tools on offer to companies that can help manage security incidents when they happen. For example, victims of the Marriott data breach were very quickly offered a bespoke website where they could find out information about the breach but also sign up to identity monitoring services from their mobiles.

Conclusion

Digital transformation will continue to impact how organisations approach business and technology in the coming years. With networks becoming increasingly complex and connected, businesses must adjust their approach to security to ensure there are no gaps in protection. By taking steps to improve awareness, training and system security, organisations can reduce the threats that accompany digital transformation.

This article was first published on Digital Supply Chain’s website in April 2019.