For many businesses the cost of setting up an effective cyber/digital security programme can seem high. However, systems and their security are increasingly important to organisations and their supply chain. The headline is simple: every organisation must be cyber-ready to identify, minimise and prevent losses due to a hack, data breach or ransomware.
For businesses, these capabilities are critical to investor and customer confidence. Few organisations across the Middle East have a joined-up cyber security programme. Our experience is that poor understanding of the threat means that too little budget is set aside for this issue. This is partly due to a lack of publicised regional analysis of the possibility of a cyber-attack and the damage one could cause.
The cyber threat
High profile cyber events create global news (the recent breach for a regional bank and the Shamoon 1 and 2 attacks, for example).
A recent survey by Control Risks interviewed over 480 CEOs and executives and found that 87% of GCC respondents believe cyber risk to be an “IT only” issue. It is not! It is an issue that impacts your entire business.
Not having a joined up “business-led” response in place is like seeing a fire in your office as only being a facilities problem or having 50% of your staff unavailable through illness as a problem for Human Resources alone.
All criminals, whether in street crime or common burglary, choose the easy option. If your organisation is more difficult to attack than your competitor, you are less likely to be attacked. Someone stealing will look for a house with an open window, rather than having broken a lock. Cybersecurity is exactly the same.
Some organisations sell malware for only $150. Cybercriminals can even use a helpline and customer support to help start an attack. This means the technical barrier to entry is low – you don’t need to be technologically advanced to start a cyber-attack; you just need to want to do it.
The cost of failure
One of the difficulties for cybersecurity leaders over the years has been to make stakeholders in their businesses understand the costs resulting from a major incident.
Some elements of cost are fairly clear, such as those from physical replacement of assets, or lost revenue from business activities that stopped during the outage. However, other costs are more difficult to identify. For example, how do you assess the cost of lost customer confidence or brand damage caused by a loss of customers’ personal data by a security breach? This might not affect your revenue today but could be very damaging over time. A good example is Target, the US retailer which had a data breach in 2014. The company spent $40m to replace its customers’ credit cards, but a recent article reported that its extra costs totalled approximately $300m.
How can you ensure your organisation does not become a cyber-incident statistic?
Build a business case
Ensure that the management team understands the potential damage and probability of an event, in simple and clear terms. Link potential damage to your organisation’s objectives. Do not try to create fear but use proven figures and statistics to support your case.
Check your systems and data. Make sure you understand which information assets are critical and ensure they are well protected. Ensure that change management processes are in place and followed. Microsoft warned users about the largest ever ransomware attack (wannacry) weeks before it happened, and only those which did not apply the correct patch were affected.
Cybersecurity has three key elements – people, process and technology. Many organisations focus on technology, investing in technological tools to protect their systems, or detect attacks. However, the most vulnerable parts of any organisation are its people and therefore the processes they use. It is vital to ensure that people follow processes that are designed to protect the systems environment.
The strongest defence for an organisation to the cyber threat is a workforce which understands and watches for risks. The best protection is training your staff, creating a “human firewall”. This, plus technical solutions and a joined-up “business-led” response capability, provides the best protection for your organisation
Think like an attacker
“There are two types of organisations – those who have been hacked and those who will be” (FBI Director Robert Muller, 2012).
A compliance led assessment of cyber security can make you feel safe when you are not. You are not going to be hacked by your auditor. Instead use a threat led approach to understand your weaknesses - Plan for the worst.
Make sure you have a joined-up incident response capability. This must include your senior management, IT team, corporate communications and your legal counsel. The key to managing an incident well comes in five steps:
- Rapid recognition of the incident –clearly identify trigger points and have a process to alert the right people;
- Investigation and containment – ensure your team can identify and control the incident;
- Threat removal – enhance controls against the threat, renew or update passwords, encryption keys and/or lock down access points;
- Recovery – restore data from an unaffected back up and begin an appropriate crisis communications process; and
- Learn lessons– learn from incidents and mistakes, and improve your defences
All of this must be supported by a comprehensive communications plan with messaging which helps both your internal and external contacts.
Having an established capability in place which covers these items will greatly reduce the damage of an attack and provide you with a competitive advantage. Stand apart from the pack – improve your awareness and be prepared.
For more information, please visit www.controlrisks.com.