elevenM’s Jonathan Topham explains why cyber resilience is so essential for responding to and managing the impact of cyber incidents.
In the world of cyber security and privacy, we have a lot of conversations about how it’s not ‘if’ but ‘when’ — businesses will experience cyber attacks and data breaches, and hoping yours won’t will only hurt you in the long (and sometimes not-so-long) run.
Good cyber security is as much about managing and recovering from the impacts of incidents as it is about preventing them in the first place. However, many organisations, particularly small and medium-sized enterprises (SMEs), continue to under-invest in the controls and processes that would help them manage the impact of cyber security incidents. This is leading to some poor outcomes for both companies and their customers. We should probably talk about it.
Why worry about something that isn’t going to happen?
The most recent reporting from the Australian Cyber Security Centre (ACSC) and the Australian Bureau of Statistics (ABS) shows that the volume of incidents impacting organisations of all sizes continues to rise. Yet, many organisations seem to struggle with the concept that they will be attacked and, at some point, the security controls they’ve implemented are going to fail.
There are many reasons for this thinking: from the inherent optimism bias many organisations have in their perception of risk, to security leaders not wanting to sound defeatist, to security industry marketing driving an illusion of control that all incidents can be prevented, and all the points in between.
Regardless of the exact factors driving this thinking in any particular organisation, the outcome is typically the same: under-investment of time and resources into planning for when an incident occurs.
That under-investment can have real financial implications for the increasing number of organisations that will suffer an incident. Response and recovery costs can be significant (the most recent Cost of a Data Breach report puts the average cost per data breach at USD4.35m) and, according to the ACSC’s annual threat report, medium-sized enterprises are hit disproportionately hard compared to small and large enterprises.
Whilst many organisations rely on insurance as a mitigation, it’s increasingly expensive, sometimes hard to get coverage, and isn’t necessarily going to cover all the costs if the organisation hasn’t taken reasonable steps to mitigate damage.
So, where should organisations start if they want to build organisational resilience and be prepared to manage the impact of an incident? I’d argue that, regardless of their size and complexity, there are two broad areas where organisations should be spending time and resources:
- identifying opportunities to develop organisational resilience to the impacts of cyber incidents
- developing procedures for handling incidents before you are forced to deal with a real one.
As we’ve discussed previously, common types of cyber security incidents such as ransomware, Denial of Service (DoS) or data breaches are so much more than the “IT Thing” many senior leaders continue to think they are. The loss of access to data and technology often undermines an organisation’s ability to generate “value”, which makes cyber incidents cross-organisational challenges. So, like most good cyber security activities, the first step is to work with the rest of the organisation to identify:
- the important sources of value to your organisation
- opportunities to reduce the severity of an incident to those sources of value.
If you already look at cyber security in the context of threat and overall enterprise risk, you probably have an idea of which activities are important to your organisation.
Understanding where value comes from allows you to identify the assets (people, processes and technology) which underpin that value. You can then work with the people who manage those assets to build further resilience around them through mutually supportive Business Continuity Plans (BCPs) and Disaster Recovery (DR) processes.
BCPs and DR processes are often conflated, but they serve different purposes:
- BCPs are the plans the business will use to keep operating if the usual people, processes and technology aren’t available, e.g. falling back to a paper-based form if the online one isn’t available.
- DR processes are the plans to “restore” the usual people, processes and technology, e.g. a recovery process that returns an IT system to an operational state.
It’s important to remember that the business owns and is accountable for BCPs (the clue is in the name) while IT and facilities typically own the DR processes. Security is just an interested party and shouldn’t own either BCPs or DR.
Most DR plans relevant to cyber revolve around backups. Whilst backups are undoubtedly useful, you need to apply some forethought to what you want to back up, how often you do so and how you are going to recover from that backup. There is probably little business value in being able to restore a database to a state it was at seven years ago, and even less value if you can’t restore a system from the backups under realistic emergency conditions.
The benefits to your organisation from good, regularly tested, BCPs and DR processes go well beyond cyber security. BCPs and DR processes will cover your key assets for other types of business interruption, such as unplanned outages and natural disasters. And as an added bonus, your insurers will also love it.
Handling the incident
While building resilience gives you options that you can draw on to reduce the impact of an incident on business operations, you also need to invest time in developing a coherent plan to manage the incident as it unfolds.
As anyone who’s been through one knows, cyber security incidents are often confusing and stressful experiences. Trying to get the data you need to understand what’s happened and take the actions needed to contain and recover is hard enough without the added challenges of managing stakeholders. Trying to learn how to do this “in the moment” isn’t a recipe for a good time.
If you have nothing in place, a good place to start is by building and exercising a cyber incident response plan:
- Define a cyber security incident response team — Enlist a group of people from across the organisation (not just security and IT teams), and don’t forget to include the people who create and distribute information in your organisation, like the comms team and the Executive Assistants/Office Managers.
- Build an Incident Response Plan — Work with that team to define how you’ll respond to an incident and then set out a process. At a minimum, that process should include clearly defined roles for the team, who makes decisions, how the response is kicked off, how you are going to communicate and with whom (don’t forget those third parties!), how you are going to document and track the incident, and how an incident response gets closed out. Like all first drafts, it won’t be perfect, but you’ll refine it over time.
- Exercise your plan routinely — Arguably the most important step. You need to exercise the plan with your incident response team and other stakeholders regularly. Running through some likely threat scenarios for your organisation will build familiarity with the plan and surface the sorts of questions you are going to need to answer in an incident. Document any gaps you find in the plan.
- Review the plan regularly — Take what you’ve learned from your exercises or real incidents and refine the plan. Keep the plan concise: don’t try to have a detailed answer for every possible permutation, just make sure the processes cover the most likely issues.
Cross-organisation participation in the plan is very important. Cultivating the ability to treat cyber incidents as whole-organisation problems rather than just a security or IT team problem will lead to better outcomes, especially in a business interruption scenario such as encrypting malware or denial of service.
If your organisation is organised and mature enough to already have a Crisis Management plan, Data Breach Response plan or IT Incident Response processes, you’ll need to make sure that your incident response plan has points of integration into these (and if not, that’s probably the next difficult conversation).
Worth the effort?
Building out organisational resilience to incidents and the institutional muscle memory of how to respond to them is a long-term commitment for any organisation. However, the investment (in time and people) is far outweighed by the financial cost of an incident, and the work has benefits beyond cyber. That doesn’t sound like failure to me…