Despite cyber attacks seemingly becoming the norm in mainstream media, organisations are still failing to properly prepare for cyber incidents and are being caught with their pants by their ankles. The 2017 UK Cyber security breaches survey (from which all statistics in this post originate from) reported that 74% of businesses say cyber security is a high priority for their senior management, with 49% having experienced an attack or breach within the year - however only 11% have a formal cyber security incident management process in place.
Planning after an attack is not planning
Of all organisations that detected and prevented a breach within the year, only 6% updated their policies and procedures after detection. Of those which actually fell victim to a breach, 11% updated their policies and procedures after impact. The survey also found that small organisations are much less likely to make changes following a breach than large organisations.
What do we want to do?
We want to introduce incident security incident response management and response plans into our overall cyber security strategy to deliver maturity and resilience against unforeseen attacks and breaches when (not if) they occur. I've detailed what an incident response plan should include in a previous post.
Why do we need it?
Failing to respond promptly and effectively to a cyber incident can have serious impacts on business functions, reputation and ultimately profits. Where the cost lies will depend on the type of incident. The investment in an effective cyber security strategy must include incident planning - there's no point building a perimeter wall around your barracks if you don't have soldiers inside ready to fight when the enemy break through - and they will break though.
57% of organisations who experienced a breach were impacted by way of staff having to work extra hours and staff being taken away from their day-to-day duties. This not only drives extra costs but also a lack of assurance that any threat is truly eliminated - are these staff trained well enough to deal with the incident?
The impact on the staff of a cyber incident is not to be played down either. Expecting staff to deal with an incident without direction or planning is likely to strain skills and demoralise a workforce. Providing pizza through those long hours can only go so far - even with extra garlic and herb dip.
Losing customer data can deliver a hefty blow of hard regulatory costs and softer (but eventually noticeable) reputational costs. When GDPR is fully enforced, you will be expected to have had appropriate controls in place to protect personal data and also policies to deal with any threat of losing it. Losing any data permanently, like in the case of a ransomware attack, without a way to restore it (I'm looking at you, dusty backup tapes), can have a massive business function impact - your operations could grind to a halt short term while restoring from backups or long-term if you don't have appropriate backups and procedures for disaster recovery.
Despite only 8% of organisations reporting a breach to customers, a reputational loss has potentially the largest financial cost - it's very difficult to quantify. As a result of publically disclosing their cyber attack, TalkTalk reportedly lost 101,000 customers and suffered costs of £60m. Alva calculated that TalkTalk received a 57% decrease in it's "sentimental score" from customers following its breach, and it took three months before their score returned to its pre-breach level - however, this does not account for the long-term loss of customer trust. You can only go so far to putting numbers on brand perception.
If you're in a position of management for cyber security within an organisation, consider the reputational damage inefficient incident handling could cause you personally. It could be your head rolling around the boardroom when you have to explain how the best-in-class security product wasn't able to stop the breach and you didn't plan on that.
How much will it cost?
It'll take some time to put together an effective incident management and response capability. It'll need constant tuning and testing, and initially a team of people who have experience of dealing with cyber incidents.
Training up existing staff is possible. You don't need a dedicated incident response team whose sole purpose is to wait for something to happen. You need existing security or IT teams with the capability to respond when required. If you would rather, you can have a conversation with a reputable incident response provider to build that relationship ready for when you do have an incident.
The overall outlay will depend on existing skills and policies. If you have neither of each, there could be a significant outlay but in the long run, it will be worth it.
What's the business benefit?
Avoidance of all those costs should be benefit enough. Your organisation likely has a continuity plan for disaster - environmental events, terrorism, national emergencies - so the reason for those is the same reason for cyber. It's resilience and maturity - an organisation can only stay afloat if it plans ahead, and your board should be sold on that.
For more information around putting a cyber security planning strategy in place for your organisation, contact us.
To develop your knowledge and skills in CSIR techniques, then find out about our expert-led cyber security incident response training courses.
# # #