Private companies and family offices often think that they are too small to attract the attention of hackers and so a cyber attack won’t happen to them. However, in our experience it’s not a case of if a business will be attacked but when.
The reality is that cyber attacks are becoming increasingly sophisticated and professional. There are many different hacker groups worldwide, each with reputations to uphold. They are constantly adapting and use a myriad of different technologies to infiltrate companies and individuals. It may surprise you to know that many groups are so well set up that they have call centres to deal with payment of their ransoms, and they request those ransom payments in cryptocurrency.
Recently PwC published an article on the 5 cyber security issues that private businesses need to address now. Here we provide some further practical suggestions to help you prepare so that you and your business are ready for a cyber attack.
1. Identify your crown jewels and your cyber security budget
There’s no way to make your business 100% cyber secure so review your assets and identify your critical digital crown jewels. Then ascertain the risks that you are willing to take and design your security program to protect these digital crown jewels.
View your cyber security budget like taking out an insurance policy with corresponding options depending on your attitude to risk. You would insure your most valuable possessions so in the same way make sure you are putting protection around your most critical digital crown jewels.
It’s also worth considering that many companies are changing the way they think about cyber security. Increasingly it’s being viewed not just as an insurance policy but as a foundation of trust in a digital and data-driven business ecosystem. Without the proper cyber security measures in place, you may deter customers and business partners from working with your organization. It is time to view your cyber security budget as an investment and not a cost!
2. Conduct a business impact assessment
When a cyber attack happens you may not be able to access your systems until you negotiate with the hackers and/or pay the ransom. Consider how this will impact your business. For example, do you have customer-facing functions that will be unable to operate during the crisis? What will the impact of this be on your business? For each area of the business consider the impact of having no system access and how you would operate.
3. Develop a crisis readiness plan
Based on the above assessment, you should have some clear ideas on what you need to do to prepare and where the gaps are. It’s worth remembering the age-old advice: failure to plan is planning to fail. Define a recovery plan, make sure you are regularly backing up your data, and test the backups to make sure they work. Work with your IT team to make sure the correct measures are in place now to continue your business operations.
When creating the incident response plan, make sure it’s tailored so that your organization can consume it and put it into action when the time comes. There’s no point having a very detailed plan that sits on your intranet and is forgotten about and that, even worse, you can’t even access when the hack happens!
And don’t forget to prepare your communications in advance so that you know who you will communicate with, when and how. This should include employees, customers, suppliers and family members, all of whom may be affected. Bear in mind that all of your normal communications channels, such as email, instant messaging and video calls, may be compromised.
4. Look for opportunities to rationalize and automate your cyber security capabilities
As part of this planning process you should have a good idea of which cyber security tools you do and don’t have in place to protect your company. However, before investing in any new cyber security tools, it's important to explore opportunities to rationalize and automate your cyber security capabilities with a few vendors. Implementing point solutions from many vendors can increase the complexity of managing cyber security capabilities and also increase the talent needed to operate these solutions effectively. Many vendors bundle multiple products into an enterprise license. Under the enterprise license, you may already have access to a wide range of cyber security products. Take advantage of that and get yourself on the cyber security journey without additional tool investments!
5. Consider outsourcing to a credible managed services partner
If you do decide to invest in more sophisticated cyber security, you will find a wide range of solutions available varying in complexity and cost. Choosing the right cyber security tool stack can feel overwhelming (and expensive). It will involve working out what you need, how any new solutions will integrate with your existing systems and how to manage and maintain this cyber stack. Plus there’s the cost of hiring and retaining the right staff to manage it.
One option could be to engage a credible managed services partner. Some of the benefits of this include gaining greater control over your existing applications, more effective cyber budget management and access to the latest cyber security skill set and industry intelligence.
Want to discuss your business and cyber security planning? Please get in touch and start the conversation.
Partner, Cybersecurity, Privacy and Financial Crime and National Cybersecurity Leader, PwC Canada
Tel: +1 604 806 7603
BC Region Private Leader and Risk Assurance Partner, PwC Canada
Tel: +1 604 806 7082