Five point Crisis Plan in case of a Cyber-Attack
Relatively few organisations have a crisis plan in place to deal with a cyber-attack on their business should one occur.
According to a recent survey, 84% of businesses expect the number of cyber-attacks to increase over the next two years, and 39% of organisations did not have, or were not aware of, a crisis response plan to follow in the event of an attack. These figures come from the BAE Systems Applied Intelligence report "Business and the Cyber Threat: The Rise of Digital Criminality".
More education appears to be needed on the issues that can arise from an attack and on how to handle the resulting crisis.
A cyber-attack on your business will happen at some stage. Some attacks will have only a minor impact, but others may damage the reputation of your organisation, with clients or customers no longer trusting you with their information. A poor response will often worsen the fallout from a major incident.
Organisations need effective processes to identify attacks early and then respond to them in a structured and methodical manner. They also need a clear allocation of responsibility.
BAE Systems Applied Intelligence suggests that companies consider these five points when drawing up a crisis plan:
1. Effective detection: Does your organisation have the right controls in place to detect targeted cyber-attacks? Is your business confident that the most sophisticated types of attack will be detected?
2. Formalising where critical information resides: Has your organisation established which information is its most valuable? Does your company know which departments, business processes, IT systems, suppliers and staff have access to this information?
3. Roles and Responsibilities: Are roles and responsibilities clearly defined in the event of a crisis? A common problem is the lack of a clear chain of command for effective and timely decision making. A crisis will often require difficult decisions, such as at what point to turn off key systems or services, or when to engage with customers or the media.
4. Access to specialists: Does your organisation have clarity over which specialist partners will be used in the event of a cyber-attack? Are these organisations on a ‘retainer’ so they can be called in at short notice? A common challenge for organisations is that they have no pre-existing commercial arrangements in place at the time they need urgent support.
5. Testing the crisis plan: Are the plans periodically tested to ensure they are effective? Organisations should test the crisis plan to ensure there are no gaps and share it with the entire organisation. Stakeholders should be made aware of their role in the event of a cyber-attack long before an attack takes place.
These suggestions are a good starting point for managing these risks. It is also possible to transfer many cyber risks to insurers with an appropriate policy. Speak to CPR Insurance Services about these exposures soon, because we are your Cyber and Privacy Risk experts.