Are you prepared for a cyber-attack?

Your business is on a hacker’s target list. You will be attacked.  No organisation is immune. 

There is a never-ending growth in new forms of cyber-attacks.  It is impossible to eliminate all risks.  What can you do to protect your business from the potentially devastating impact of a cyber-attack?

If you employ cloud computing services from a competent provider, some of the most important security protections should be in place.  It would be prudent, however, to trust but verify.

A competent cloud service provider normally provides server system patch updates, server anti-virus, firewalls, intrusion detection, compulsory complex password policies, multi-factor authentication (where needed) and daily data backups, to name a few.  This goes much further than most on-premise systems.

However, it is your technology users who will likely provide most of your vulnerabilities to system hackers.  It is very important that simple and understandable employee user policies are documented, disseminated and tested.

Policies regarding protection of passwords, connecting unmanaged personal devices to the company’s network, introducing software on company devices, together with acceptable use policies for Internet browsing and email, wireless network security and polices regarding data handling will help to provide a stronger first line of defence.

Consider formalising the responsibility to comply with technology user policies as an addendum to each employee’s employment agreement.  Provided the process is followed correctly in terms of consultation, an employee breach of these policies, which may lead to a cyber-attack, will provide employers with much stronger disciplinary options, if needed.

Employee education is a perennial task.  Repeated reminders must be provided to enable new and current employees to become aware of the hazards of careless behaviour and to help create a culture of awareness.

A key cyber-attack vulnerability is described as social engineering.  This involves a form of confidence trick for the purpose of gathering information, fraud or system access, often manipulating technology users to do something, such as reveal a password, pay an invoice or deliver goods to a different address.

Education and caution are the watch-words here. An educated response to resolve any uncertainty may prevent a painful experience. This is by no means fool-proof.  Some hackers are so believable that the most suspicious user may be fooled.  Consider adding business processes with additional layers of verification.

Ensure that any user device, such as a PC or laptop, has current operating system patches and anti-virus protection.  Application whitelisting, by preventing any unauthorised application to be installed, provides another layer of protection.

Restricting user administrative access rights to a bare minimum will also reduce exposure, as these privileged access user accounts are top of the list for hackers as they hold the keys to the IT kingdom.

Another important defence tactic is to have well developed and tested disaster recovery and business continuity plans.  These may include readiness assessments and response plans for specific types of cyber-attack.

Business continuity plans should provide detail for restoring systems in a methodical process, predetermined by business leaders. Making decisions about the order in which systems are restored under duress will be much less effective.

If all else fails, and a cyber-attack takes place, it will be too late to arrange any insurance.  Policy cover for cyber-attacks has only recently become widely available.  A typical policy will cover the costs of any restoration of digital assets, forensic services to determine the severity and scope of the cyber-attack, reimbursement for any ransom or cyber-extortion payments, and public relations costs to help mitigate any reputational loss.  Risks covered include denial of service attacks, ransomware extortion and similar.

Most firms have a business income loss cover to provide for losses resulting from a fire or earthquake, for example.  These policies rarely cover any loss of business profits resulting from a cyber-attack.  Conversely, a cyber-attack policy will provide explicit and valuable cover for this risk.

As the severity and frequency of cyber-attacks increase, a cyber-risk insurance policy has quickly become a commercial “no-brainer”.

Regrettably, a cyber-risk policy is like an ambulance at the bottom of a cliff.  It should not be seen as the solution, but as another risk mitigating factor.  It is crucial to deal with the primary risk vectors, without relying on the policy to pick up the pieces.

The costs of a cyber-attack go well beyond the cost of restoring data.  This is the tip of the iceberg.  Hidden costs include operational disruption, loss of customers and reputational damage.  According to U.S. and New Zealand surveys, less than 50% of firms are prepared for a cyber-event. Are you ready?

As seen in the National Business Review, 26th August 2016