The challenges for cyber resilience in 2023
Given we've all been told that it's inevitable that we'll get hacked, or at the least we need to assume that we will, what does this mean for businesses? It's clear that investment in cyber security measures isn't slowing down the attacks, and in 2023 it feels like there's been a significant increase in reported cyberattacks already. And we've only just hit February!
It would also appear that cyber attacks are becoming more sophisticated and technologically advanced. Fundamentally, you can't prevent a member of your team from clicking a phishing link, and the attack surface remains expanded because of the hybrid working arrangements now in place at most companies. So, if we are being told to expect an attack, does this shift the emphasis from prevention and defense to preparation and response? How would you recover your business?
The very recent Ion Group ransomware attack seems to have been settled by a "philanthropist" (hmmm…) paying the ransom. I've no doubt the extreme impact this attack had on the financial sector will have been behind the decision to pay. Also behind the decision would have been the inability to restore services in a timeframe that doesn't cause intolerable harm to the company's customers.
So the old question rears its head again. Should you pay? Well, the CEO can (and should) debate this with the team, but until you're actually faced with that situation, you won't know for sure what you would do. But you will be funding criminal activity, or even worse, terrorism. You've got no guarantee of the return of your data, or of an encryption key. Reputational damage will be severe. Some hackers will be back in a couple of months to see if you've plugged the holes. And, it seems increasingly likely that insurance won't plug the holes.
The bottom line is that assuming you’ll be attacked, you will be judged more on the effectiveness of your response/recovery (based on preparation) than your ability to prevent the attack in the first place. Don't neglect your cyber security protection, but don't believe the hype, it's not THE silver bullet.
Your focus should be on reducing both the probability and the impact of an attack, and on working out what you should do to Prepare, Respond and Recover when one happens. This includes good behavioral-based employee awareness training on a regular and ongoing basis. It also means a sound understanding of your important business services and of the critical applications that support them. Prepare flexible, short, usable response plans for all levels from C-suite down -- don't try to cover every situation or scenario, just the most impactful ones (including ransomware!).
Do ensure you have suitable technology controls and procedures, such as an integrated SIEM and a SOC with advanced monitoring. Good off-network, immutable backups and DR (appropriate to the criticality of the business services) are vital; make sure they are monitored, and, even more important, make sure you know how to use them.
Finally -- practice, rehearse, test, exercise -- make sure everyone knows how the plans would work; and keep them updated.
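The two points above (backups that are monitored and that you have actually rehearsed restoring from) are the kind of thing that gets checked only when it is too late. As an added illustration, not code from the post or from Databarracks, the script below runs a small automated backup drill: it verifies each backup copy against a manifest digest, checks its age against an assumed recovery point objective, confirms the copy is flagged as write-locked, and performs a real restore into memory and compares the result with what the manifest says should be there. The manifest, the RPO of 24 hours, the drill timestamp and the backup payloads are all constructed here so the example runs offline.

```python
"""Backup verification drill: integrity, freshness, immutability and restore.

Added example for this post (not Databarracks' tooling). The manifest,
payloads, RPO and drill time below are constructed assumptions.
"""
import hashlib
import io
import tarfile
from datetime import datetime, timedelta, timezone

# Recovery point objective assumed for the drill: copies older than this fail.
RPO = timedelta(hours=24)

# Constructed drill time (the moment the exercise is run).
NOW = datetime(2023, 2, 10, 9, 0, tzinfo=timezone.utc)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict) -> bytes:
    """Build a tar archive in memory, standing in for an off-network backup copy."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def restore_drill(archive: bytes, expected: dict) -> bool:
    """Actually restore the archive (into memory) and compare every file."""
    restored = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            handle = tar.extractfile(member)
            if handle is None:          # not a regular file: cannot restore it
                return False
            restored[member.name] = handle.read()
    return restored == expected


def check_backup(entry: dict, archive: bytes, now: datetime) -> list:
    """Return the drill findings for one copy; an empty list means it passed."""
    findings = []
    if sha256(archive) != entry["sha256"]:
        findings.append("integrity: archive digest does not match the manifest")
    age = now - entry["created"]
    if age > RPO:
        findings.append(f"freshness: copy is {age} old, exceeds RPO of {RPO}")
    if not entry.get("immutable", False):
        findings.append("immutability: copy is not write-locked")
    if not restore_drill(archive, entry["contents"]):
        findings.append("restore: drill failed, restored data differs from manifest")
    return findings


# --- constructed sample data -------------------------------------------------
GOOD_FILES = {
    "db/customers.sql": b"CREATE TABLE customers (id INT, name TEXT);\n",
    "config/app.yaml": b"service: orders\nreplicas: 3\n",
}
GOOD_ARCHIVE = make_backup(GOOD_FILES)

# A copy that was altered after the manifest was written, is three days old,
# and was never write-locked: every check in the drill should flag it.
BAD_ARCHIVE = make_backup({**GOOD_FILES, "db/customers.sql": b"-- wiped --\n"})

MANIFEST = {
    "nightly-2023-02-10": {
        "sha256": sha256(GOOD_ARCHIVE),
        "created": datetime(2023, 2, 10, 2, 0, tzinfo=timezone.utc),
        "immutable": True,
        "contents": GOOD_FILES,
    },
    "nightly-2023-02-07": {
        "sha256": sha256(GOOD_ARCHIVE),   # manifest still records the original digest
        "created": datetime(2023, 2, 7, 2, 0, tzinfo=timezone.utc),
        "immutable": False,
        "contents": GOOD_FILES,
    },
}
ARCHIVES = {"nightly-2023-02-10": GOOD_ARCHIVE, "nightly-2023-02-07": BAD_ARCHIVE}


def run_drill(now: datetime = NOW) -> dict:
    """Run the drill over every manifest entry; maps copy name to its findings."""
    return {name: check_backup(entry, ARCHIVES[name], now)
            for name, entry in MANIFEST.items()}


if __name__ == "__main__":
    for name, findings in run_drill().items():
        status = "PASS" if not findings else "FAIL"
        print(f"{name}: {status}")
        for line in findings:
            print(f"  - {line}")
```

The point of the restore step is that a digest match only proves the bytes are what you wrote; it does not prove you can get a working system back from them. Scheduling a drill like this, and treating a FAIL as an incident to be fixed rather than a log line, is the cheap version of the rehearsal the post is asking for.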
Chris Butler is Managing Consultant, Business Resilience at Databarracks. He is a Fellow of the Institute for Leadership and Management, a Member of the Business Continuity Institute and a Certified Information Security Manager. Following 20 years as an Army officer, with numerous leadership positions within military aviation, Chris became a resilience and security consultant. He has worked within the UK high hazard energy sector, supporting leadership teams in the UK nuclear sector, from board level down to the operational front line in nuclear power plants.