Andrew Scott, senior communications manager at the Business Continuity Institute, discusses the findings of the recent Cyber Resilience Report and the growing threat of digital disruption to organisations
Our organisations face disruption all the time. Natural and man-made disasters can both have a devastating impact that costs our organisations time, money and customers. But it's not just events in the physical world that we ought to be concerned about. In our digitally driven world, virtual disruptions can also have severe consequences. We are so reliant on our IT networks that work effectively stops when they shut down.
Such is the threat of digital disruption that cyber attacks, data breaches and network outages were all considered the greatest concerns by business continuity and resilience professionals, according to the Business Continuity Institute’s (BCI) latest Horizon Scan Report. The level of concern far exceeds that of disruptions caused by adverse weather, fire, terrorism or human illness. This is perhaps justified given that another report by the BCI – The Cyber Resilience Report – revealed that two-thirds of organisations had experienced at least one cyber security incident during the previous year, while 15 per cent had experienced at least ten. Additionally, 13 per cent experienced cumulative losses in excess of €250,000 as a result of a cyber incident.
So what makes the cyber threat so great?
In any one second it is estimated that over 10 terabytes of data are being transferred across the internet, but the global IT infrastructure makes this a relatively easy task to handle. What happens, however, when a large chunk of that data is focused on one server? That was the position the UK’s largest broadcaster – the BBC – found itself in on New Year’s Eve a few years ago, when a Distributed Denial of Service (DDoS) attack of up to 600GBps brought down its website, including iPlayer, for several hours. A DDoS attack involves an attacker using a series of compromised devices that are connected to the net in order to bombard a single target with data until it overloads and crashes.
Cyber attacks such as this one are becoming more frequent, with some studies suggesting that half of all organisations are affected by at least one attack every year. Arguably, this increased frequency correlates with the rise of the Internet of Things: more and more devices are coming online, and many of them do not have effective security. DDoS attacks can be used as a form of activism, or as a smokescreen to hide a more malicious attack or theft of data; sometimes the impact on one organisation is just collateral damage from a wider attack. In the case of the BBC it was reported that the attack was simply to test whether one on such a scale could be mounted. It could.
However, it is ransomware – the encryption of all your data until a ransom is paid – that is currently gaining the most attention in the headlines. The WannaCry attack back in May, which affected about a quarter of a million computers in about 150 countries, was soon followed by the NotPetya attack, which may have been smaller in scale but proved more costly to some organisations. The cost to Maersk as a result of losing its IT systems was reported to be in the region of $100 million.
Data is a valuable asset for organisations as they gather as much information on their clients or prospects as possible. As many products and services are now being sold online, this data is becoming easier to collect and organisations are building vast databases containing personal contact details and credit card information.
This data is worth a lot of money and there are plenty of people who would like to get their hands on it. Adobe, Sony, JP Morgan – all big names that no doubt invest heavily in IT security, yet all have suffered a data breach in recent years in which information was stolen. Reputation is another important asset to organisations, and when customers see their personal information being lost or stolen, the reputational damage can lead to those customers taking their money elsewhere. The financial costs can also be high, as fines or legal action take their toll – the three organisations above were estimated by some sources to have lost over $1 billion each as a result of these breaches.
Don’t assume that data breaches are always the result of sophisticated technology used by hackers – human error is often to blame. A recent study found that the most common passwords in use are ‘123456’ and ‘password’, and the remainder of the top twenty was made up of passwords that were equally guessable. It wouldn’t take a computer genius to hack into those people’s accounts. It is cyber vulnerabilities on the part of the end user that the Business Continuity Institute focused on as part of its latest campaign, highlighting the steps that each and every one of us can take to help improve cyber security.
It suggested that organisations and individuals should: use secure passwords made up of at least 12 characters combining upper and lower case letters, numbers and symbols, rather than 123456 or your pet’s name; keep passwords safe and don’t write them on a post-it note left next to your computer; lock your computer when you’re not using it; be cautious when using public Wi-Fi and don’t access sensitive information over it; don’t plug in untrusted USB devices; and don’t click on untrusted links.
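To make the campaign's password rule concrete, here is an added example (not code from the BCI campaign or this article) that checks a candidate against the stated policy: at least 12 characters, all four character classes, and not a common password or a personal term such as a pet's name. The short denylist and the personal-terms parameter are constructed for illustration; a real deployment would load a much larger list of breached passwords.

```python
import re

# Constructed denylist for illustration only; a real check would load a
# large list of breached and commonly used passwords.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "12345678"}


def check_password(candidate, personal_terms=()):
    """Return a list of policy violations; an empty list means the password passes.

    personal_terms is an assumed, hypothetical input: words such as a pet's or
    family member's name that the campaign says should not appear in a password.
    """
    problems = []
    if len(candidate) < 12:
        problems.append("shorter than 12 characters")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no symbol")
    lowered = candidate.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains personal term '{term}'")
    return problems


if __name__ == "__main__":
    for pw in ("123456", "Rex2019!Walkies", "Tr0ub4dor&Stapler"):
        print(pw, "->", check_password(pw, personal_terms=["Rex"]) or "ok")
```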
The essence of the campaign was that cyber security is everyone’s responsibility and we can all play a part in building a resilient organisation.
Business continuity planning
So how do you prepare your organisation for the various disruptions it could face? Horizon scanning is a fundamental part of business continuity, and while the BCI’s Horizon Scan Report offers an overview of the top-level threats, it is important for each organisation to assess the threats that are relevant to it. If you know the threats you face, you will have a better understanding of what the potential impacts could be. If you know what the potential impacts could be, then you are in a much better position to put plans in place to manage through them.
With digital infrastructure, it doesn’t matter whether it’s a cyber attack or a power failure: if the IT is out of action then you need to have plans in place to manage through it. Can it be replicated elsewhere? There are many data replication solutions available that can migrate all of your data to a secondary system, removing the single point of failure that could result in you losing all of your data in the event of an IT disaster.
You must always make sure that your data is backed up. If your data is backed up and you experience a ransomware attack, then you can isolate the ransomware, clean the network of it and restore the data from your back-up. It’s not necessarily an easy process, but it means you don’t lose all your data and you don’t pay a ransom. Of course, you need to ensure that the back-up can’t be encrypted by the ransomware as well, which means keeping at least one copy that the infected systems cannot write to.
Whatever the crisis, it is essential to respond swiftly, as the longer you delay any action, the more disruptive it could become. Communicate to all your stakeholders what is going on and what you are doing to resolve it. People are a lot more understanding when you’re being transparent and they can see you’re making an effort to sort things out.
Disruptive events will always occur, whatever form they may take. Having an effective business continuity programme in place should mean that, in the event of an incident, a drama doesn’t turn into a crisis.