
Are we losing the war on Cybercrime? 

by Rob Demain, CEO of e2e-assure
8th Oct 25 11:41 am

Given the media coverage over just the last couple of weeks, you could be forgiven for thinking the UK is in the midst of a ransomware crisis.

And today’s attacks are more complex than simply encrypting data and demanding a ransom. Attackers steal the data first and then extort the company a second time over its release, and the knock-on effects can be months of downtime, lost customers, and lost trust.

That’s why boards must give cyber resilience the focus and funding it deserves, and treat it as a core part of business continuity and disaster recovery (BC/DR).

The stakes are too high to let the IT department shoulder the burden alone.

Counting the cost 

IT is the engine room of modern businesses, even for organisations that don’t consider themselves to be tech innovators. But while boards are keen to harness the benefits, they’re often less prepared for the increased risk exposure it brings.

Every new remote-working laptop, AWS account, and API offers a potential avenue for compromise. And while many UK businesses are struggling with cyber security skills shortages and static budgets, their adversaries are taking advantage of any weakness.

This is costing UK companies dear. IBM’s estimate of the cost of a ransomware-related data breach is $5.1m (£3.8m) per incident. Marks & Spencer revealed it expects losses of £300m from an Easter ransomware attack after it was forced to shutter its e-commerce business for weeks. And the Co-op recently announced it lost £206m in revenue after being attacked by the same threat actors, even though the firm acted quickly enough to pull the plug before the attackers managed to encrypt its data.

The cost of breaches isn’t just lost sales and productivity. It can also include IT consulting and incident response, breach notification, legal expenses, credit monitoring for potential victims, and the harder-to-quantify costs of lost customers and reputational damage.

There’s also a potential societal impact, as the JLR breach has illustrated. The ransomware attack on the carmaker is said to be costing it around £5m per day in lost profits, but it has also caused huge disruption in the local supply chain: companies that rely on JLR for the majority of their business employ anywhere from 120,000 to 200,000 workers. That makes the case for cyber resilience even more urgent.

Why resilience means business 

Manufacturing has been the sector most frequently targeted by ransomware groups for four years in a row, according to IBM. But it’s by no means the only one. Healthcare, utilities, retail, and other providers all have a low tolerance for outages and hold sensitive data that could be stolen and ransomed. For some, such as UK logistics provider KNP, German repair company Einhaus Gruppe, and US vodka maker Stoli Group, a breach resulted in bankruptcy, and in KNP’s case the loss of hundreds of jobs.

Cyber resilience is therefore an operational and financial necessity. It’s up to CISOs to frame it as such in conversations with their boards. Cautionary tales like the ones above can help to make the point, as long as they’re told in the language of business risk. That means explaining the financial and reputational impact of a breach, rather than focusing on how many servers were encrypted or how many gigabytes of data were stolen. Organisations don’t have to do this alone: they can lean on their suppliers’ expertise to help quantify the impact and frame it for the board in language it understands.

Round-the-clock detection 

So what does effective cyber resilience look like? Preventative measures are an essential first step. That means best practices like risk-based patching, vulnerability management programmes, regularly updated awareness training sessions, data encryption, and strict access controls. But no organisation is 100% breach-proof, especially when you consider the damage that can be done via a supplier.

That’s why the focus for resilience should be on continuous monitoring and the ability to regain normal operations quickly once a breach occurs. For many organisations it’s simply not cost effective to manage this in house, which is why many outsource their security operations (SecOps) to an expert third party. Out-of-the-box detection isn’t enough: organisations need experts to engineer detection rules. A third-party SOC can monitor the customer environment 24/7/365, raise the alarm as soon as it sees suspicious activity, and expedite threat containment.

This means that, if the worst happens, adversaries can be identified and kicked off the network before they’ve had a chance to do any real damage. Most importantly, it helps keep critical business services operational even during a serious attack. Security teams should also follow best-practice backup policies, and ensure they have a well-trained incident response (IR) team ready to leap into action. Regular simulation exercises will help to identify and fix weaknesses an attacker could exploit, further bolstering resilience.

Focus on the supply chain 

It’s vital that these same high standards are extended to suppliers. Recent airline disruption across Europe was caused by a ransomware attack on a critical check-in desk software provider. Your organisation can be the most secure and resilient in the world, but if your supply chain isn’t, adversaries will find the path of least resistance.

This is why the UK’s new Cyber Security and Resilience Bill will rightly force improvements to supply chain risk management and incident response. It will also give regulators more power to enforce a high baseline of best practice. This forthcoming legislation applies only to certain critical infrastructure providers. But the truth is that all organisations should take note. Until cyber resilience is the norm, they are at risk.
