A ‘solid incident response plan’ is a major element of cyber resilience, advises Barracuda’s Paul Drake.
In an evolving cyberthreat landscape, security teams not only need advanced tools to detect and prevent attacks; they also need to know how to deal with a security incident to get back up and running as quickly and effectively as possible.
For many businesses, a security incident of some kind is almost inevitable. Some organisations can fall victim repeatedly, particularly if they haven’t fully addressed the root cause of previous incidents. Barracuda’s research among IT security professionals found that more than two-thirds (67pc) of UK organisations were hit with one or more cyberattacks in the last year.
Organisations need to understand the level of security risk they face and ensure they can withstand, respond to and recover from any incident. This is cyber resilience.
The cost of incidents
Cyberattacks are expensive. Barracuda’s research found that for UK organisations the average annual cost of dealing with cybersecurity incidents is around £3.6m. This includes £2m for the theft of IT assets, damage to infrastructure, incident investigation and remediation activity and a further £1.6m for the cost of downtime and the resulting lost productivity and operational disruption. If you then factor in the longer-term impact of loss of customer trust, regulatory and legal issues, the final cost can rise even further.
This figure reflects how cyberthreats are evolving: most respondents said attacks had become more sophisticated (61pc) and more severe (54pc) over the last year, taking longer to recover from and fix.
When organisations get cyber resilience right, they are better placed to keep operations going while they recover. Effective cyber resilience is underpinned by security solutions, but it also depends on security governance – the policies, programmes and leadership that enable organisations to manage risk.
The challenge of consistency
The research revealed that almost half (42pc) of the UK organisations surveyed find it hard to implement consistent enterprise-wide security policies and programmes.
The reasons can be related to company culture. For example, business leaders responsible for mandating security practices might be reluctant to enforce any measures that are inconvenient or overly restrictive. Employees might be resistant to strict controls, such as ‘least privilege’ access for certain applications or data, especially if they’ve had open access before. Some employees may not fully understand the security policies or how they relate to their systems or roles.
It’s important for security leaders to communicate with employees about the policies they implement, and to explain clearly what they are, who they apply to and why they’re important.
Management support
Around a fifth (19pc) of UK respondents worry that senior managers do not see cyberattacks as a significant risk.
This is not a question of management failure. It is hard to be interested in or care about something you don’t understand. The onus is on security professionals to be storytellers, able to explain risk, and present cyberthreats, challenges and opportunities in terms of how they could impact the business. For example, what could happen to business operations, revenue and brand reputation in the event of a cyber breach and what investments are needed to manage risks so this doesn’t happen.
Another top governance challenge that keeps UK security professionals awake at night is how to manage third-party risk. A third (33pc) find it difficult to secure the supply chain from a technical perspective, while 36pc don’t know how many, or which, third parties have access to their sensitive and confidential data. Supply chain breaches are an increasing risk for all companies, and often beyond their direct security control.
Best practices for incident response
A solid incident response plan is one of the most important factors in cyber resilience. Without a plan, organisations may not be prepared to react to events as they unfold in the wake of a security incident.
The good news is that many organisations, including 84pc of the UK respondents in our research, understand this and have such a plan. However, a quarter admitted that their plan is not applied consistently across the enterprise – and a worrying 16pc of UK companies don’t have a plan at all, the highest proportion of all the countries surveyed.
As a start, at a strategic level, you need to know what your most valuable and business critical assets are and where they reside. These are your priority.
You need to understand how incidents will be contained and neutralised, the maximum downtime your critical systems can sustain, and whether there are manual processes you can revert to if needed. Your plan should address the potential impact to customers, service level agreements and regulatory compliance demands. It should also outline internal communications to staff and external communications to customers, partners and the press.
Plans need to be tested. Again, there are some industry recognised approaches, such as ‘purple team’ incident response simulations or table-top exercises. These simulations are an opportunity to help companies improve their ability to detect, respond to, mitigate and learn from security incidents.
These actions will provide a realistic picture of your company’s preparedness for a cyberattack. It may lay bare gaps and vulnerabilities, but this is the first step to making improvements to boost your resilience and provides a clear pathway for mitigating the expense and impact of a successful attack.
By Paul Drake
Paul Drake is regional VP of sales for the UK and Ireland at Barracuda, a cybersecurity services and consulting company.
Find out how emerging tech trends are transforming tomorrow with our new podcast, Future Human: The Series. Listen now on Spotify, on Apple or wherever you get your podcasts.
