Most organisations are aware of the catastrophic damage that extreme cyber attacks can cause, but few have put in place appropriate measures to defend and respond to such incidents, according to a new report from PwC.
The report, “Strengthening digital society against cyber shocks”, analyses key findings from the 2018 Global State of Information Security® Survey (GSISS) and focuses on the effects of massive incidents such as NotPetya and WannaCry. It warns that organisations should make these “cyber shocks”, i.e. “large-scale cyber attacks with cascading disruptive consequences”, a top priority.
What damage can they cause?
Different methods of attack will affect organisations in different ways, but according to the GSISS, many executives shared the same concerns:
- Disruption of operations/manufacturing (40%)
- Loss or compromise of sensitive data (39%)
- Negative impact to quality of products produced (32%)
- Damage to physical property (29%)
- Harm to human life (22%)
Even though the surveyed executives know these concerns exist, many admitted to glaring holes in their cyber security practices:
- 44% said they don’t have an overall information security strategy
- 48% said they don’t have an employee security awareness training programme
- 54% said they don’t have an incident response process
Preparedness is only half the battle, with the report warning that being prepared doesn’t necessarily equate to low risk. Organisations need to regularly assess and improve their cyber security defences as new threats emerge. The report cites the US National Intelligence Council, which said: “Tomorrow’s successful states will probably be those that invest in infrastructure, knowledge, and relationships resilient to shock – whether economic, environmental, societal, or cyber.”
‘Resilience’ is a good approach to cyber defences, as it strikes a balance between preparedness and security. Even the most secure organisations can suffer data breaches, and attacks are frequent enough that organisations need to accept that one will eventually succeed.
Cyber resilience encompasses cyber security and business continuity management. Adopting this strategy helps you avoid an ‘all or nothing’ outlook to information security, as you defend against potential attacks but also put in place measures to make sure your organisation survives and recovers from an attack.
It’s a realistic approach to security that helps you:
- Reduce financial losses;
- Meet legal and regulatory requirements;
- Improve your company’s culture and internal processes; and
- Protect your company’s brand and reputation.
IT Governance offers many ways to help you develop cyber resilience, including a Cyber Health Check, penetration testing services, support in complying with Cyber Essentials and assistance in developing and maintaining an ISMS and BCMS.