Extreme Weather WILL happen. Cyber Attacks WILL happen. WILL You be Prepared WHEN they strike??
In this blog, I compare cyber threats and natural disasters to explain why a cybersecurity strategy is an important component of business risk management. You can take a proactive, well-planned, level-headed and measured approach to security. The need for security is immediate, and it will never go away.
Natural Disasters and Cyber Threats are Huge Risks
As part of your risk management efforts, you plan for potential extreme weather events …floods, tornados, drought or hurricanes. You want to make sure your business, and especially your people make it through the storms safely. So you appoint someone to be in charge of emergency management planning. Have you assigned someone to plan for cyber-related emergencies?
We hear: “My company is small. We really don’t think we are a target for cyber attack.”
Consider: Just like extreme weather, you must recognize that cyber attacks are inevitable.
- 62% of all cyber attacks target Small-Medium Businesses (SMBs), approximately 4,000 per day.
- 60% of SMBs go out of business within 6 months of a cyber attack.[i]
In fact, the risk of cyber threats is eerily similar to natural disasters. The World Economic Forum recently published its Global Risks Report 2018, which assesses and ranks a wide range of Economic, Geopolitical, Technological, Environmental and Societal Risks.
That’s right. Cyber attacks are just as likely to occur as natural disasters. To ensure your organization’s ability to recover, you need to have a game plan BEFORE disaster strikes.
Preparing for Natural Disasters
Municipal, Federal and State agencies prepare widespread alert protocols using emergency response systems… storm sirens, evacuation plans and press conferences to warn the public of pending danger. The Government documents these protocols in Disaster Recovery Plans. The hope is that government agencies can minimize the impact of natural disasters and restore the hardest hit areas to a “normal” state as fast as possible. I hear my local government testing its storm sirens on the first Tuesday of every month.
When your office building was designed, the architect added safety features to protect the building’s tenants.
- Secure storm shelters,
- Fire detection and suppression systems, and
- Security alarms and sirens to alert people of emergency.
When your business moves in:
- You construct emergency response plans.
- You run annual fire drills, and you test your alarms and fire extinguishers.
- You purchase insurance to protect the business and your employees.
- You routinely test your backup power generator to make sure it works as you expect.
Hopefully, you never have to find out if all the planning pays off.
Preparing for Cyber Threats
Planning is critical to managing cyber risk. You should create topic-specific Security Plans:
- Incident Response – guides the organization to detect and handle security Incidents and data breaches.
- Business Continuity and Disaster Recovery – A cyber attack can significantly disrupt your business operations just like a natural disaster, and its effects may be permanently damaging. A good DR Plan includes response for both natural and cyber events.
Test Your Defenses
You also need to test your Cyber Incident Response and Disaster Recovery capabilities, at least annually.
- What if your routine Incident Response results in a disaster?
- What if you can’t restore your systems or data after a disaster?
- How will it impact your business?
Train Your People
When you run fire drills, its to make sure people know what to do if a fire strikes. You should do the same thing with cybersecurity. Ask your CIO if you have ever had a problem because a user clicked on a nefarious link in an email. Training may prevent those occurrences.
EVERYONE in your organization has some responsibility to protect the organization and themselves.
- Would your people be able to recognize a cyber attack?
- Would they know how to report suspicious behavior?
- Do your IT and security administrators know how to handle an Incident?
- Does your executive team know when and how to admit to a data breach?
- Does your team know what to do if a disaster strikes?
Hopefully, you now understand that just like with severe weather, you may not be able to stop a cyber attack from happening, but you can prepare for its impact. If your Risk Manager has security experts in-house, hopefully, you will get to work right away. If you don’t have security resources available, you may want to consider outsourcing the function, particularly if cost is a concern.