By Jude McCorry, CEO of Scottish Business Resilience Centre
WHILE the volume of crime overall is falling in Scotland, cybercrime in comparison has risen. Why? Our reliance on technology increased significantly last year, with Police Scotland reporting a 100% overall increase in cyber investigations between July 2019 and July 2020. Some business leaders might think this statistic means they should speak to IT and prioritise cybersecurity. However, it’s no longer enough to implement a cybersecurity strategy and expect it to keep an organisation safe. In 2021 and beyond, it will be vital for companies to embrace a cyber resilience strategy on top of standard security measures.
Cybersecurity refers to an organisation’s defence strategy – a series of measures put in place to prevent criminals from penetrating systems through methods including hacking, phishing, and ransomware. It focuses on software such as firewalls, antivirus programmes, and malware protection, and on employee education to reduce human error in allowing a breach to happen. This is important but, given the rapidly changing and expanding nature of technology, the goalposts have been moved. Cybersecurity alone is no longer enough.
Instead, cyber resilience must become the goal. This is about what happens after an organisation experiences a cyberattack on its systems. A cyber resilient organisation is one that can respond to and recover from a cyberattack with minimal impact on business operations. The most cyber resilient organisation will continue functioning during an attack, with no effect on its operations.
It is natural that some security teams might want to avoid such discussions; after all, cyber resilience involves accepting that there is no perfect cybersecurity solution. Taking this idea on board is vital for a business's long-term survival. As we approach CyberScotland Week, which is heavily focused on cyber resilience, its importance is clear. While a breach is essentially inevitable, without a cyber resilience strategy the cost ramifications could be catastrophic.
Certainly, the UK Government’s Cyber Security Breaches Survey 2020 found the average cost of a breach is £4,430. However, the survey also notes that this may be an underestimation of the full costs in terms of lost business or reputational damage. The number could be significantly higher: consider TalkTalk being fined £400,000 by the Information Commissioner’s Office in 2015, or – in a more extreme case – Equifax losing $4 billion (approximately £2.8 billion) in share value after a 2017 hacking incident. And while smaller organisations are unlikely to see costs this high, SMEs are often targeted because they generally have less investment in security.
In 2018, cybersecurity researchers identified at least 57 ways cyberattacks could have a negative impact on a business, ranging from regulatory fines and declining stock prices to damaged relationships with customers and reputational loss. Given the dramatic effect a cyberattack can have on a business, organisations must assume it will happen – and undertake preparations to become as resilient as possible.
A starting point in cyber resilience discussions is to conduct a baseline assessment of where a cyberattack could have the most damaging effects on the business, and then to put measures in place that mitigate this damage. One example is developing offline emergency processes that will keep essential operations running. A cross-functional response team involving employees from every department will help with this.
The far-reaching effects of a security breach highlight why cyber discussions cannot be left to the IT team. They must be included in boardroom discussions, especially because cyber resilience requires a holistic approach that involves all aspects of business operations.
Technology has been a saviour for most businesses over the past year, but it brings unprecedented risks and threats to business continuity. Given that almost every business relies on online services in some way – whether that’s using an online bank account, holding customer information electronically, or just having a website – it’s not a question of “if” the business will suffer a cyberattack, but “when.” This attitude adjustment is key to ensuring preparedness for and management of a cyberattack, and to making sure the business can remain as operational as possible.