Cyber Incidents: An Opportunity To Change?

Issue 69

Businesses around the world are targeted by cyber criminals every day. Thankfully, not all attacks will be successful, but some will be, with significant consequences.

Imagine for a moment that today your business is hit by just such a cyber attack. Everything is normal, then suddenly people start standing up on the office floor complaining that their computers have locked and are demanding a ransom payment to allow system access. One by one every screen has gone blank; within 30 minutes every system is down. The IT department confirms it isn’t just laptops and office machines that have been hit, but all of IT operations, applications and systems too.

Weeks later, somehow, your business has recovered. It has been a challenging and costly journey, your people are exhausted and your share price may have fallen, but your business has survived. What happens next?

Many do not have the appetite to spend any more, since the average cost of recovery from a significant cyber incident runs into the millions. Others see an opportunity to turn this into a competitive advantage: an opportunity to address and eliminate technical debt, to transform and optimise operations, and to become a more flexible and resilient business. Interestingly, the more damaging a cyber attack is to business value in the long term, the more the business is motivated to invest in security for the future. As Winston Churchill once said, “never let a good crisis go to waste!”

Using an attack as a springboard to accelerate business transformation should be split into two categories: tactical and immediate changes, and longer-term transformation. What are the top three tactical considerations? How can you put the fires out while also building future foundations?

1. Phase out your old unsupported IT

Smart businesses eliminate technical debt quickly, then look to accelerate digital transformation. There is nothing like a cyber incident to drive the disposal of legacy IT. Now is the time to upgrade the IT you have been living with, the things that have been sitting on your risk register, not just for months but for years. Now is the time to stop sinking money into compensating security controls for old systems; it is not economical to continue. Agree a plan and retire the systems.

2. Go back to basics

A Ponemon Institute study estimated that almost 60% of breaches were due to a failure to fix known weaknesses. Look at the Center for Internet Security (CIS) Top 20 Critical Security Controls. Refer to the top five and do them well. Don’t try to fix everything; seek help in determining your threats and make this an informed and threat-led process.

3. Look at risk, again

Some of your accepted risks may have materialised during the attack. Review your risks with a different lens: think about your threats, think about how you measure and assess risk, and review all of your accepted risks. Technology debt (I repeat!) is almost always one of them; now is the time to fix it.

Whilst there are many other things you may seek to address in the short term, such as response and recovery plans, most businesses would come to this conclusion themselves following a large incident. There’s nothing like a live rehearsal to tell you that you don’t know your lines!

Strategic considerations – build the future:

Whilst you may attract negative publicity in the early days of an incident, you can also use the spotlight to show your customers and stakeholders how seriously you are taking your responsibility to protect them. Use the incident to build a secure future in line with your business goals. What is the business strategy, and are you prioritising the risks most impactful to that strategy? Review and reshape your cyber strategy. Think about how new technologies can be used to do more than improve your back office and behind-the-scenes functions: they can transform your business into a more customer-centric operation, and with good security this can pay dividends in increased customer confidence and loyalty.

1. Look at your business model

Paying off your technical debt will give you a leg-up in enabling innovation and the adoption of new technology and services. By this I don’t just mean cloud; I mean the use of AI and automation, and flexible supply chains: thinking differently about how you operate.

2. Embed security into everything

Secure by design: it’s all about designing security into your technology solution from the start, not as a last-minute add-on. Consider the security implications in any business change. It is cheaper in the long run, and building in controls and resilience from the start will give you confidence in your operations. If you embed a secure-by-design approach, it then makes any change easier.

3. People

Embed a sustainable culture where everyone feels they have a responsibility to keep the business secure. Make sure that you have ownership and accountability at board level, invest in awareness training, ensure that your people don’t fear reprisal for reporting incidents, and protect your business by keeping your IT and security teams up to date. This is one of the biggest challenges that all organisations face; it really isn’t easy and requires ongoing commitment.

Cyber security in today’s world is a challenge: keeping up with the attackers is hard, getting ahead of them even more so. Strong and reliable baseline security controls are good enough for most businesses most of the time, and without them they risk being another statistic. Don’t let that be you… but remember, if it does happen, then think about whether you can use it as an opportunity for change.
