Steve Durbin, managing director of the Information Security Forum, calls on organisations to set up cyber-resilience teams
Every year, we spend more money and time combatting the dark forces of cyberspace: state-sponsored operatives, organised crime rings and super-hackers armed with black-ops tech. The attack methods mutate constantly, growing more cancerous and damaging. Massive data breaches and their ripple effects compel organisations of every kind to grapple with risk and security at a more fundamental level.
The harm done to brand reputation can be long lasting and hard to control. Breached companies are liable for significant restitution to customers and suppliers, face closer scrutiny and higher fines from regulators, and often struggle with a sudden drop in sales or loss of business.
The appearance of negligence, repeat attacks or unpredictable fallout from a breach can significantly unravel public goodwill that took decades to build. The trust dynamic that exists among suppliers, customers and partners is a high-profile target for cyber criminals and hacktivists.
The attack on US retailer Target is a fascinating example of the myriad ways a breach can turn nasty for even the most established brand, with repercussions from the boardroom to the technology department, marketing and beyond.
Take it to the board
Information risk must be elevated to a board-level issue and given the same attention afforded to other risk management practices. Organisations face a daunting array of challenges interconnected with cyber security: the insatiable appetite for speed and agility, the growing dependence on complex supply chains, and the rapid emergence of new technologies.
Cyber security chiefs must drive collaboration across the entire enterprise, bringing business and marketing needs into alignment with IT strategy. IT must transform the security conversation so it will resonate with leading decision-makers while also supporting the organisation’s business objectives.
Cyber resilience is crucial
Every organisation must assume it will eventually incur severe impacts from unpredictable cyber threats. Planning for resilient incident response in the aftermath of a breach is imperative. Traditional risk management is insufficient. It’s important to learn from the cautionary tales of past breaches, not only to build better defences, but also better responses.
Business, government and personal security are now so interconnected that resilience is important to withstanding direct attacks as well as the ripple effects that pass through interdependent systems.
I strongly urge organisations to establish a crisis management plan that includes the formation of a cyber-resilience team. This team, made up of experienced security professionals, should be charged with thoroughly investigating each incident and ensuring that all relevant players communicate effectively. This is the only way a comprehensive and collaborative recovery plan can be implemented in a timely fashion.
Today’s most cyber-resilient organisations are appointing a co-ordinator – for example, a director of cyber security or a chief digital officer – to oversee security operations and to apprise the board of its related responsibilities.
The new legal aspects of doing business in cyberspace put more pressure on the board and C-suite. For example, an enterprise that cannot prove compliance with regulations, such as the EU’s upcoming General Data Protection Regulation, could incur significant damages even in the event of a breach, or face more severe penalties after a successful attack.
We no longer hide behind impenetrable walls, but operate as part of an interconnected whole. The strength to absorb the blows and forge ahead is essential to competitive advantage and growth, in cyberspace and beyond.
Here is a quick recap of the next steps that businesses should implement to prepare themselves:
- Reassess the risks to your organisation and its information from the inside out. Operate on the assumption that your organisation is a target and will be breached.
- Revise cyber-security arrangements: implement a cyber-resilience team and rehearse your recovery plan.
- Focus on the basics: people and technology.
- Prepare for the future: to minimise risk and brand damage, be proactive about security in every business initiative.