When Dido Harding, the CEO of TalkTalk, recently announced there was a chance that all their four million customers’ personal data might have been compromised, she could not have imagined the tsunami of press and media coverage that resulted.
It all happened so quickly – 48 hours is a very long time when it comes to managing a cyber crisis. Of more concern for TalkTalk is knowing that it will take many more weeks and months for the full reputation and financial impacts to be felt. The strong trust between the company and their customers as well as with their investors may never be the same again.
But before you breathe a sigh of relief that this happened to someone else, be aware: this could happen to you too.
Dido Harding told the media: “Cyber-crime is the crime of our generation.” It’s true. The harsh reality of our digitally-connected world is that all organizations are at risk from cyber-attack. No matter how much money, people, resources, and technology you apply to the cyber threat, no-one will ever be bullet-proof.
So, are you prepared to manage your cyber-crisis? Does your whole organization have resilience – in other words, the ability to withstand a cyber breach and return to business as usual – embedded into its operations, not just in IT?
It’s all too easy to take knee-jerk decisions during a crisis when really it demands a response based on good intelligence and understanding. But these decisions can easily return to haunt you and your organization if you haven’t already designed, tried and tested how to respond in a crisis scenario. There is no blueprint for the perfect response but you will need to know is:
- What questions will require speedy answers
- How and what you plan to communicate to your stakeholders and when you you will contact them
- How to react to a rapidly changing set of circumstances.
Many organizations are also missing another golden opportunity to manage their resilience – their people. This constitutes the most powerful force that can help protect their reputation, competitive advantage and commercially-sensitive information. The vast majority of successful cyber-attacks – 90% according to Verizon’s 2015 Data Breach Investigations report – succeed because of the unwitting actions of a member of staff. Organizations need to focus on what they can influence and control, and engaging employees in compelling awareness learning is one area which will greatly improve cyber resilience capabilities.
Organizations need to concentrate on decreasing the risk of attack as well as understanding their processes to manage a significant cyber attack when it occurs. I believe there are six important questions any organization should be asking:
- Can we identify what information, systems, or capabilities are important to our organization?
- Do we have a cyber resilience strategy and does it support our agreed business strategy?
- Are we investing in protecting the information and systems that are most valuable and critical to our future success?
- Do we have an effective information security awareness programme in place across our organization?
- Do we have a well-defined, tried-and-tested incident response plan in the event of a significant data breach?
- Have we established an appropriate cyber risk escalation framework that includes our risk appetite and reporting thresholds?
See AXELOS' RESILIA™ section for more information about cyber resilience for organizations.
Read more AXELOS Blog Posts from Nick Wilding
Cyber resilience: How important is your reputation? How effective are your people?
21st century cyber awareness for a 21st century threat
A cyber resilience Q&A with Karoliina Ainge, head of Estonian cyber security policy - Part 2
A cyber resilience Q&A with Karoliina Ainge, head of Estonian cyber security policy - Part 1
Cyber Resilience: it’s all about behaviours - Digital Leaders Conference presentation
Cyber Resilience: it’s all about behaviour, not bits and bytes
Cyber Resilience: developing a new language for all
Looking for Business Leaders in the Cyber Resilience Race
Has your organization ever suffered a cyber attack that put your confidential or customer information at t risk? How did you respond and recover from the cyber security breach? Or has your business been affected by TalkTalk's recent breach. Please share your thoughts and experiences in the comments box below.