Cyber security – moving from prevention and detection to response

The National Crime Agency (NCA) and the Strategic Cyber Industry Group (SCIG) have released the ‘Cyber Crime Assessment 2016’. The findings make for distressing reading, but they are not wholly surprising and support the recent report published by Symantec.

With the ONS estimating 2.46 million ‘cyber-incidents’ last year alone, businesses and law enforcement agencies are losing the ‘cyber arms race’ with online criminals, with the technical capabilities of criminal gangs outpacing the UK's ability to deal with the threat they pose.

But for many businesses the ‘risk’ of a cyber-incident is nothing new. A series of high-profile hacks and data breaches has shown any organisation is at risk when it comes to cyber-incidents. The NCA report clearly shows that criminal gangs are agile and working around businesses’ defences in this ‘tit for tat’ game. There is now general acceptance amongst both FTSE-listed companies and SMEs that it isn’t a matter of ‘if’ but ‘when’ you are targeted.

Cyber-attacks can have a significant commercial impact on an organisation, including loss of customers, recovery costs, loss of intellectual data and service disruptions, not to mention significant reputational damage and compensation. As a result, organisations, particularly those in the financial services sector, have invested heavily in their prevention and detection strategies. But it is becoming clearer that organisations can only go so far in mitigating their exposure to cyber risk. In recognition of this, the focus is shifting to preparing executive and technical teams to deliver a better integrated cyber response.

This might include investing time and budget in understanding the risks and knowing what the ‘information crown jewels’ are: what data and information the organisation owns, how it is protected, and what can be done with it. It also means putting cyber response procedures in place, ensuring that operational, technical and executive teams are all cyber aware, well-trained and thoroughly rehearsed, and integrating cyber security into the broader crisis management framework.

While organisations must still continue to focus on ensuring their defence and monitoring processes are as robust as they can be, we at Regester Larkin suggest six measures an organisation can take to prepare its response for a cyber security incident:

  • Train senior executives on the world of cyber. This informs their understanding so they can ask information security and IT the right questions and in turn make the right decisions.
  • Spend time scenario planning, identifying the unique cyber challenges and developing strategies to manage or mitigate them.
  • Align operational cyber preparedness with strategic crisis management.
  • Develop a playbook to guide decisions depending on the cyber threat (e.g. internal vs external, DDoS vs data hack) and regularly test the agreed response through crisis exercising, bringing in suppliers and partners where necessary.
  • Prepare a cyber communications plan so you can respond rapidly to customers and other key stakeholders, as well as implement your media response strategy.
  • Should a cyber incident occur, undertake a post-crisis review to ensure lessons are learned.

For a better understanding of how to prepare for the unexpected, join us at our Crisis Management Conference in London in September or Houston in October.
