VIEW: On comprehensive cyber resilience
Written by James McAlister, chairman, the Business Continuity Institute
The BCI launched its annual Cyber Resilience Report earlier this month, once again highlighting the global increase in cyber vulnerabilities. The top three risks were found to be phishing, malware and social engineering, with new entrant ransomware only just making the top five. But will new legislation like the GDPR, state-of-the-art anti-hacking software or staff security awareness training stop all future attacks? Not on their own.
Cyber attacks are inevitable due to the increasing complexity of our IT systems, diverse data supply chain networks, a lack of internal expertise to deal with attacks, and the abundance of cyber criminals earning fortunes by exploiting the smallest vulnerability. That is not to say that we should adopt a fatalistic approach to an attack and do nothing, but we must prepare for a reasonable worst-case scenario if we do suffer one. With that planning assumption in mind, we can then consider what I believe is the true weakness in our cyber defences: the C-Suite.
Those of you who have read the BCI’s Cyber Resilience Report would now challenge me, as the survey finds that there is a 60% commitment by top management to drive cyber resilience efforts. That may be true, and as we all know SMT buy-in is essential to embedding all organisational resilience disciplines, but what most high-level management teams fail to recognise is that in a cyber crisis they will have to deal with a wide variety of hands-on, strategic-level dilemmas far removed from the IT technical solutions or cyber insurance that most of them currently believe will cure the problem.
No software patch or pay-out is going to preserve reputation, brand equity, market share or customers. What we really need to do is invest time and effort in preparing senior management for what may happen through crisis communication training, and then ensure they regularly take part in cyber attack rehearsals and exercises that challenge them with realistic scenarios.
Obviously, hiring external expertise doesn’t come cheap, but with the cost of a data breach to a FTSE 100 firm estimated at £120m, training is well worth investing in.
Download the report at www.thebci.org/index.php/bci-cyber-resilience-report-2017