Resilience and Mitigation

Imagine you’re sitting in your office and the phone rings. It’s your CISO or IT head. “We’ve suffered a cyber attack,” he tells you.

What you do next very much depends on your role within the company but, assuming you’re in charge, are you prepared? If your company is hit by a ransomware attack that takes everything down, do you have a plan? If your website is under a DDoS attack, how do you keep operating?

Business and cyber resilience. They’re just as important as having a robust defence against cyber attack, but it’s worrying how few companies take that next step beyond simple defensive measures, even after the introduction of the NIS Directive, which is intended to push companies towards cyber resilience.

So just what is it? As cyber criminals develop new techniques and adapt to combat cyber protection, it’s now a matter of when and not if you will suffer an attack. Your ultimate defence against any breach is your ability to continue operating, your cyber resilience and business continuity plan. Assuming all of your defences have been compromised, good information security practice should ensure the damage is minimal. If you don’t have a cyber resilience plan, then you absolutely need one.

Ideally, it will identify the threats against your particular business (which obviously depends on the sector in which you operate) and the means by which they can be mitigated. The UK government has produced a Cyber Essentials scheme which we would recommend reading.

It lists five simple controls any company can introduce to better protect its systems and business from attack.

According to government figures, one in six SMEs fell victim to a cyber attack within a 12-month period. Of those affected, over 20 per cent reported that it cost their business more than £10,000 and, in one case, £50,000. Clearly, these are sums most small and medium businesses can ill afford to lose.

Following best practice from government is, of course, one step. The others are more logical in terms of good business management. Over and above your cyber security measures, do you:

  • Use physical media to back up server data
  • Have paper copies of important documentation and contact details
  • Have a web-based email service

Old-fashioned, physical media backups may save your business. Not convinced? In 2017, the shipping company Maersk was hit by the WannaCry ransomware. With its systems down, it needed a backup. They found one on a hard drive in their Nigerian office… It may well have saved them even more than the over $250 million the incident is said to have cost.

Paper copies of documentation sound like a backward step but, in reality, if your most important contracts are stored electronically, the chances are that you won’t be able to access them following a breach. A filing cabinet may ensure you can keep trading. And you’re going to need that list of client phone numbers, aren’t you?

With your system compromised, you need to keep trading. You also need to contact clients and suppliers to explain what’s happened. By setting up a web-based email system, which you can use on your mobile phones, you’re already 30 minutes ahead of the game. You’re able to maintain business while the tech support staff try to get things back up and running.

Business and cyber resilience isn’t about having a spare room with air-gapped PCs waiting to be used. It’s about simple, common-sense steps to make sure you can continue trading when the worst-case scenario happens.

By David Rider – CRC Research Director