The BCI launched its Cyber Resilience Report earlier this year. The annual report once again highlighted the increase in global all sector cyber vulnerabilities. The top three cyber-attacks continue to be phishing, malware and social engineering with new entrant ransomware only just making the top five. But will new legislation like the EU General Data Protection Regulation (GDPR), the most state of the art anti-hacking software or staff information security awareness training really stop all possible future attacks. Well the simple answer is NO.
Cyber-attacks on all sizes of organisations is inevitable due to the increasing complexity of our IT systems, diverse data supply chain networks, lack of internal expertise to deal with a sophisticated attack and then the abundance of brilliant cyber criminals who can earn vast fortunes by exploiting our company’s smallest of vulnerabilities. That isn’t to say that we should adopt a fatalist approach to an attack and do nothing but we must prepare for a reasonable worst case scenario where our organisation does suffer a serious attack.
With that planning assumption in mind we can then consider what I believe is the true weakness in our cyber defences, the C-Suite. Those of you who have read the BCI’s report would now challenge me, as the survey finds that there is a 60% commitment by top management to drive cyber resilience efforts across organisations. That may be true and as we all know SMT buy-in is essential to embedding all organisational resilience disciplines but what most high level management teams fail to recognise is, that in a cyber-crisis, they will have to deal with a wide variety of hands-on strategic level dilemmas far removed from IT technical solutions or cyber insurance that most of them currently believe will cure the problem. No software patch or pay-out is going to preserve an organisation’s reputation, brand equity, market share or customers. What the C-Suite really need to do is invest their own time and effort preparing for what may happen in a cyber incident through crisis decision and communication training and then ensure they regularly take part in cyber-attack rehearsals and exercises which challenge them with realistic scenarios. Obviously, there will be a cost implication as hiring external expertise doesn't come cheap but with the estimated cost following a data breach to a FTSE 100 firm being £120m, its training well worth investing in.
James McAlister is the Chair of the Business Continuity Institute