
By Billy Ruston
Billy Ruston highlights a critical risk facing UK and European companies: insufficient rehearsal of cyberattack response plans. As cyber threats escalate in frequency and complexity, Ruston urges businesses to strengthen resilience exercises and ensure staff readiness to maintain operations and minimize costly disruptions during cyber incidents.
Companies in the UK and Europe targeted by hackers risk incurring serious, costly disruption because planned workarounds designed to minimise the impact of cyberattacks are not being rehearsed sufficiently, leaving staff unclear what they need to do to maintain company operations.
The oversight needs to be addressed because firms are facing a fresh wave of cyber threats from well-resourced threat actors, and new methods of penetrating company systems through the exploitation of digital vulnerabilities and human vulnerabilities – the latter bypassing technical cyber defences altogether. The UK’s National Cyber Security Centre CEO, Richard Horne, said in December the country’s cyber risks were “widely underestimated” and that hostile activity in UK cyberspace had “increased in frequency, sophistication and intensity”.
In recent weeks, major UK retailers have been targeted by hackers. And in the last 12 months, 43% of British businesses have reported a cybersecurity breach or attack, according to the government’s latest cyber security breaches survey. The figure is significantly higher for medium and large firms, 67% and 74% respectively. Last May, Europe’s cybersecurity chief revealed a doubling of cyberattacks in the EU over the previous six months.
Some of the bigger firms invest in expensive disaster recovery and failover systems that kick in to minimise downtime when they have been hit by a disruptive cyberattack. However, sophisticated cyberattacks can significantly reduce the effectiveness of these systems (for example, ransomware that reaches backups and replicated data before it is detected), so robust business continuity plans are still essential. Smaller businesses, which may not have access to such high-end solutions, have to adopt proportionate measures; potentially including switching to pen-and-paper workarounds, and using external cyber experts to support in-house IT teams in containing and eradicating threats before restoring their systems. That process may take days, weeks or possibly months depending on the severity of the incident. It underlines the importance of conducting regular resilience exercises; essentially, scenario-based incident response simulations.
These exercises ensure staff know their roles and responsibilities for keeping their companies operational and competitive in the event of a malicious hack. In effect, they enable staff to do their own jobs and communicate with colleagues in a prolonged crisis, potentially without the use of company IT systems and data, and then to reconcile the pen-and-paper workflow back into their IT systems once the cyber incident has been resolved.
The chaos caused by the wave of cybercrime during the Covid crisis prompted many corporate decision-makers to not only boost their organisations’ cyber defences but also to draw up business continuity plans and systems for validating those plans. This involves calculating the risks an organisation faces, and assessing the impact of these risks should it be subject to a cyberattack, then developing the recovery strategies and operational workarounds, and lastly testing them with regular resilience exercises.
But resilience has fallen down the pecking order of boardroom priorities, with exercises testing business continuity plans (which some companies are required to conduct by law) undertaken less frequently and becoming ‘tick-box’ in nature. A recent Scottish government report suggested that only half of organisations regularly test resilience plans. The drop-off in validation can be explained by a tightening of budgets as macroeconomic concerns grow – likely to be heightened further as we enter a new era of geopolitical and financial uncertainty.
There are also other factors. These include exercise fatigue and a lack of internal resources to design, deliver and report on resilience exercises (particularly in the public sector). And, in some cases, a flawed calculation that, having invested heavily in robust cyber defences, there is less need to monitor employees’ level of readiness for disruptive attacks. Persistent threat actors, however, will always find a way to penetrate company systems.
That has never been more apparent. State and state-linked hacking groups have been stepping up their attempts to sow commercial and infrastructural chaos in Britain and Europe, as geopolitical tensions mount. Already, we’ve seen attacks in Britain on the health service, local authorities and transport organisations. There have been similarly disruptive cyberattacks within the EU; with German aerospace and defence firms, French government services, Polish government institutions, and Italian financial institutions, arms manufacturers, and public transportation companies targeted.
Malicious state actors and organised criminal groups are at the same time posing new threats to companies by exploiting information posted on social media, blogs and the dark web. They employ so-called social engineering techniques, drawing on that personal and company data, to either penetrate IT systems more easily or trick company personnel into letting them in. They typically do so by posing as someone employees would trust, such as a former colleague or an old school acquaintance. AI tools that manipulate images, video and audio can assist with this deception.
The methods employed in the recent British retailer cyberattacks have yet to be confirmed. The National Cyber Security Centre is still investigating, but it acknowledges there has been discussion in the press “about whether social engineering had been used by threat actors targeting IT helpdesks to perform password and MFA (multi-factor authentication) resets” in some of the incidents. In their wake, the centre has issued security guidance, including reviewing helpdesk password reset processes.
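One check a practitioner would want in place alongside the helpdesk process review mentioned above is an audit that correlates helpdesk-initiated password/MFA resets with the sign-ins that follow them, so that a reset immediately followed by a login from a device the account has never used before is surfaced for review. The script below is an added example and is not code from the original article or from the NCSC guidance it cites; the log format, field names (`helpdesk_reset`, `login`, `device=`, `ticket=`) and the sample events are constructed assumptions for illustration, to be mapped onto the fields your own ticketing system and identity provider actually export.

```python
"""Flag helpdesk-initiated credential/MFA resets that are followed, within a
time window, by a sign-in from a device the account had never used before.

Added example, not from the original article or the NCSC guidance it cites.
The log format, field names and sample events are constructed assumptions;
adapt them to your own helpdesk and identity-provider exports.
"""
from datetime import datetime, timedelta

# Constructed sample events (ISO timestamps, UTC). In a real audit these would
# be joined from the helpdesk ticketing export and the IdP sign-in log.
SAMPLE_EVENTS = [
    "2025-05-01T09:00:00 login user=alice device=LAPTOP-A1 ip=10.0.0.5",
    "2025-05-02T09:05:00 login user=alice device=LAPTOP-A1 ip=10.0.0.5",
    "2025-05-03T14:10:00 helpdesk_reset user=alice by=agent7 type=password+mfa ticket=T-1001",
    "2025-05-03T14:42:00 login user=alice device=UNKNOWN-9F ip=203.0.113.20",
    "2025-05-01T08:30:00 login user=bob device=DESKTOP-B2 ip=10.0.0.8",
    "2025-05-04T10:00:00 helpdesk_reset user=bob by=agent3 type=mfa ticket=T-1002",
    "2025-05-04T10:20:00 login user=bob device=DESKTOP-B2 ip=10.0.0.8",
    "2025-05-05T11:00:00 login user=carol device=LAPTOP-C3 ip=10.0.0.9",
]


def parse_event(line):
    """Parse one 'timestamp kind key=value ...' line into a dict."""
    ts_str, kind, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts_str), "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def flag_suspicious_resets(lines, window=timedelta(hours=24)):
    """Return a list of findings: a helpdesk reset followed within `window`
    by a login from a device not seen for that user before the reset."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    known_devices = {}   # user -> devices seen so far, in time order
    pending = {}         # user -> (reset event, devices known at reset time)
    findings = []
    for ev in events:
        user = ev["user"]
        if ev["kind"] == "helpdesk_reset":
            # Snapshot the device history *at reset time*; anything seen later
            # cannot vouch for the login that follows the reset.
            pending[user] = (ev, set(known_devices.get(user, set())))
        elif ev["kind"] == "login":
            if user in pending:
                reset, devices_before = pending[user]
                elapsed = ev["ts"] - reset["ts"]
                if elapsed > window:
                    del pending[user]           # reset has aged out
                elif ev["device"] not in devices_before:
                    findings.append({
                        "user": user,
                        "ticket": reset["ticket"],
                        "agent": reset["by"],
                        "reset_type": reset["type"],
                        "minutes_after_reset": int(elapsed.total_seconds() // 60),
                        "new_device": ev["device"],
                        "ip": ev["ip"],
                    })
                    del pending[user]           # report each reset once
            known_devices.setdefault(user, set()).add(ev["device"])
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_resets(SAMPLE_EVENTS):
        print(f"REVIEW {f['user']}: ticket {f['ticket']} ({f['reset_type']} by "
              f"{f['agent']}) then login from {f['new_device']} at {f['ip']} "
              f"{f['minutes_after_reset']} min later")
```

On the sample data only alice is flagged: her password and MFA were reset by the helpdesk and 32 minutes later she (or whoever holds her credentials) signed in from a device with no prior history for the account. Bob's MFA reset is followed by a login from his usual desktop and is not reported. A finding is a prompt for the helpdesk to confirm how the caller's identity was verified for that ticket, not proof of compromise.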
Given the mounting cyber threat and the growing use of social engineering to unlock IT systems, companies should review their degree of exposure, re-assess risk, and revise business continuity plans, even if they have robust cyber defences in place. Next, they need to assess whether their programme for resilience exercises and training requires adjustment in terms of frequency and scope, based on the perceived vulnerability of their organisations to cyberattacks and the extent of the disruption that might result.
Also, depending on the nature and scale of the cyber risks they face, firms should ask themselves if exercises should be conducted on an operational, departmental level (for instance, restricted to HR, marketing or finance) or a tactical, cross-departmental basis, and if critical suppliers should be required to undertake them too. That’s because threat actors could target a company’s supply chain to disrupt its operations. For British businesses, this appears to be a blind spot. Just 14% said they reviewed the risks posed by their immediate suppliers and 7% their wider supply chain, according to the government’s latest cyber security breaches survey.
Strategic leadership teams, then, have a significant role to play in ensuring the highest level of operational resilience, by validating the readiness of personnel, processes and technology at all levels of their organisations in the event of a cyberattack. The important role of strategic leadership teams is evidenced in the UK government’s recent release of the Cyber Governance Code of Practice, which highlights a trend towards top-down strategy to complement technical initiatives, potentially laying the foundation for the UK’s upcoming Cyber Security and Resilience Bill.
No matter how robust a company’s cyber defence system, it cannot provide complete protection because of the increasing sophistication of threat actors. Therefore, minimising disruption when defences are breached is becoming critical, with business continuity plans, and the resilience exercises validating them, assuming ever greater importance. Cyberattacks can be costly, but those costs can mushroom if the operational mitigations are not well understood.
About the Author
Billy Ruston is a Resilience Consultant at Protection Group International. He is a passionate advocate of resilience and has over a decade of experience supporting government and private sector organisations with their cyber incident preparedness at all levels. Billy is an internationally-recognised exercise facilitator, and is actively engaged in building national resilience capabilities around the world.