Fail to Prepare… Prepare to Fail.

How preparing for a cyber-attack could literally make or break the business.

This quote is painted on the wall at my daughter’s kickboxing club. I admit to having to look up the reference to discover this admonitory aphorism is attributed to Benjamin Franklin, although there is little evidence as to the specifics and reasoning for him quoting this adage. Regardless of the origins, whilst this is great advice for many endeavours in life, for me, it strikes a chord with being significantly pertinent to modern approaches to security and resilience.

A Shift of Focus

Within the security profession, the terms “when, not if” and “assume breach” have been popular mantras of the past few years, reflecting the reality of cyber-attacks defeating the myriad of defences and controls implemented by many companies. The focus has shifted more recently from prevention to resilience and recovery. That’s not to suggest that proactive defences are not a core pillar of any security strategy, but rather that threat actors commonly identify unique and innovative exploits to circumvent these defences, more often than not leveraging the human aspect to get a foothold into an organisation through various social engineering techniques. Indeed, if we look at successful cyber breaches over the past 20 years, we see that even the tech behemoths of Silicon Valley are susceptible, with the big 4 – Alphabet (Google), Amazon, Apple, and Meta (Facebook) – all suffering from significant data losses over the years.

Resilience and recovery is all about maintaining business operations, minimising impact, and initiating recovery and a return to normal operations as quickly as possible. This has been emphasised through the increasing number of ransomware attacks that can typically infiltrate an organisation’s infrastructure, rendering critical systems useless in a very short space of time. Businesses that identify strategies and policies for responding in a timely manner, and implement processes to maintain business operations during the compromise, can significantly reduce the impact of such an incident.

Recent studies suggest that approximately 60% of SMEs are likely to go out of business following a successful cyber-attack. This is such a serious consideration, but many businesses fail to realise this until after the event. Organisations that properly prepare for post-breach recovery are far less likely to fail following a compromise and could possibly turn a negative incident into a positive news story.

Where smaller enterprises tend to struggle during an incident is through the loss of custom, and therefore revenue, due to their oversight in preparing for such an event. This, coupled with financial loss as a direct result of the breach itself, can quickly spiral to the point of insolvency. The data suggests that failure typically occurs within 6 months of the attack, and with many organisations not adequately protecting themselves through cyber insurance, the reality of a cyber-attack devastating the business is very real.

Cyber Security Deprioritised

Worryingly, there is evidence to suggest that the recent economic uncertainty, coupled with inflation, is pushing cyber security further down the priority list at the executive level of smaller businesses. This shift of focus has translated to an observable decline in standard cyber hygiene practices, such as maintaining and enforcing password policies, implementing network firewalls, restricting privileges, and applying security updates in a timely manner. The likely consequence of these failings is that these businesses expose themselves to even greater risk, with the irony being that a catastrophic economic impact potentially originates from the very area that has been deprioritised.

This isn’t necessarily a result of wanton disregard in the boardroom, but rather a lack of insight and understanding of the risk that a cyber-attack presents. This impression is reinforced by recent findings from the Cyber Security Breaches Survey 2023, which identifies that businesses that adhere to the Government-backed Cyber Essentials scheme are far more likely to have security representation at board level, have taken action to identify security risks, and have conducted cyber security awareness training. Most notably, only 18% of businesses surveyed that do not adhere to the scheme have a formal incident response plan in place.

These findings very much imply that those business leaders who have acquired a greater understanding of the degree of risk and likelihood of a cyber-attack are not hesitant in implementing policies and procedures to better defend against them.

Sophisticated Tools for Unsophisticated Criminals

The National Cyber Security Centre (NCSC) has recently published a report that found that AI is lowering the barrier of entry for novice cyber criminals. The technology will enable bad actors to target a broader range of victims and increase the volume and impact of cyber-attacks in the medium term.

The report states that analysis from the National Crime Agency (NCA) suggests that cyber criminals are already developing rogue versions of generative AI models, creating better hacking tools available to anyone willing to pay. These findings imply that the likelihood of being a victim of a cyber-attack in the coming years is only going to increase, as sophisticated tools come within reach of a wider cohort of unsophisticated threat actors.

Cyber Security Akin to Vital Business & Financial Issues

The Government, in partnership with the NCSC and other industry figures, has recently published new guidance for business leaders on boosting their cyber security protections, and has asked them to treat the issue in the same way they would any other vital business or financial issue.

With this advice in mind, businesses would do well to observe Benjamin Franklin’s maxim in the context of cyber security, as failure to prepare for an attack could quite literally be preparing for the failure of the business.

If you’re interested in learning more about how your business could be affected by a cyber incident, then sign up for our free Cyber Resilience Event in March. An evening of gameplay, networking, food and drink, where you can experience a major security breach from the safety of the Altus Consulting head office in Bath.
