Are you concerned about the resilience of your business in the current market? There are some factors that affect our businesses over which we have little control, but one area where we can take steps towards security and safety is cyber resilience.
The Boston Consulting Group report State of UK Business 2023 highlights resilience as a key predictor of success for organisations, with cyber resilience being one of its vital components. In fact, the online technical newspaper The Register recently revealed that businesses typically experience a whopping 25 days of disruption following a cyberattack. You, like most business leaders, probably have a figure of 24 to 48 hours in mind!
Steps Towards Cyber Resilience
So, the ability to recover from such an incident is undeniably crucial in the resilience equation, but how can you be sure that your IT department is prepared for the worst-case scenario for your business? Here are five points to discuss with your IT team to ensure you are up to date with cyber resilience:
1. Protection
Protection is all well and good, but the criminals need only score one goal; you need to successfully defend every attempt to win. Under these circumstances, continuing to win over the long term looks a bit, well, unlikely.
- Ask your IT team what protection they have in place, and when it was last updated and last tested.
- What risks are on the IT risk register and when were they last reviewed by your board? Are they in line with the risk appetite of your organisation?
2. Incident Response Plan
Imagine your business trying to operate without key data or systems for up to four weeks. It’s a nightmare scenario, isn’t it? You might have an incident response plan in place, but does your disaster recovery plan adequately address this type of event?
- Ask your IT team what the incident response plan is, including for a crypto-virus incident, and when it was last reviewed.
- What is your disaster recovery plan and what are the priorities for recovery?
- Are those the right priorities?
- Has the plan been tested?
3. Recovery Plan
If your recovery plan involves paying the ransom demanded by cybercriminals, it may be worth revisiting your strategy. Shockingly, according to Sophos, only 65 per cent manage to recover any data, and (as reported in The Register) a mere 4 per cent are able to retrieve all of their data. This raises serious doubts about the efficacy of ransom payments as a reliable recovery method.
If insurance forms part of your recovery plan, it’s essential to consider whether the risks you face are truly insurable. A severe loss of business can have a significant impact on your overall resilience across the five measures identified by BCG, and therefore on longer-term performance. For some companies, especially those in the B2B sector, cancelled contracts could leave them without a viable business, causing financial and personnel hardship and affecting wider supply chains.
- What does your insurance cover? How would that help in the event of an incident and is it adequate?
- Have the T&Cs changed recently? If so, what are the implications for your business?
- What help would you get in the event of an incident?
- Which board member reviewed and agreed on the Cyber Insurance?
4. Suppliers
Crucially, have you ever contemplated the impact of a cyber attack on one of your key suppliers? They might play a crucial role in your supply chain, provide essential processes or BPO capabilities, support key systems or projects, or even be responsible for distribution partners or vital sales channels. The ripple effects of their disruption could be far-reaching and potentially catastrophic for your business.
- Have you discussed what measures your suppliers have in place?
- What level of certification do they have – cyber resilience essentials, ISO 27001, …?
- What Cyber insurance do they have and how would it support you in the event of an attack on them?
5. Technology Changes
As your technology changes and your IT projects and programmes deliver, are you keeping your cyber resilience arrangements and response plans up to date? Updating and retesting your business continuity plans is often outside the scope of the programme. The traditional ‘penetration test’ carried out as part of a project that involves a website is no longer sufficient for more advanced cloud-based infrastructures, remote working and interoperability with partner organisations.
- How do the changes in technology affect the cyber risks and the operational implications on your business if one of those risks occurs?
- Have you completed a Data Protection Impact Assessment (a GDPR requirement) to consider the privacy and security implications of the work you are doing and the changes you are making?
The Role of the Part-time IT Director
Now, we don’t want you lying awake at night worrying about these risks. After all, there are plenty of business challenges (and opportunities) in these turbulent times. In order to ensure that your company’s cyber resilience is where it needs to be, it may be worth bringing in a part-time IT director. They can help you navigate through it all, empowering you to make informed decisions and focus on running your business.
A part-time IT director can help you identify and implement controls that significantly reduce the likelihood of such scenarios occurring, while assisting you in minimising the impact through faster detection and response, implementing technical recovery mechanisms, and creating comprehensive recovery plans that involve collaboration with your partners.
With experience working at senior and board levels, including in regulated industries where “operational resilience” is a top priority, part-time IT directors can engage your board so that it understands the risks, implications, costs and business case. That allows transparent, informed decision making, which is especially important when there are competing priorities for funding and margins are already under pressure.
Why not contact us and have a free discussion with one of our experienced part-time IT Directors to talk about how to improve your cyber resilience?