Analysis: How can organisations prepare for cyber incidents they cannot predict?

Firms, and their partners, must expect the unexpected and plan accordingly, says the head of the Information Security Forum

It is now accepted that organisations need to invest in cyber security to protect themselves from criminals, whether they be remote hackers or malicious insiders.

Technology, processes and training all need to be developed and disseminated around the enterprise to protect networks, and ensure staff are using best practice in keeping data safe.

Prime Minister David Cameron has claimed that cyber crime costs the UK economy £27bn per year, but in order to avoid contributing to that statistic, firms need to cater for the risks they can't predict, according to expert body the Information Security Forum (ISF).

Michael de Crespigny, chief executive of the ISF, believes that businesses cannot afford to overly restrict their exposure to cyber risk, due to the importance of the internet to most firms.

"In the business-to-consumer market, 80 per cent of business growth comes from online channels, so you risk your success if you're not actively involved," he said.

He added that there is often pressure internally in businesses to adopt the latest internet trends and services, such as using Twitter for marketing communications.

However, de Crespigny said that using new technologies always comes with risks.

He cited the example of Qantas, which last year set up a Twitter hashtag, entreating customers to tweet positive feedback about their experiences.

However, when the airline was forced to suddenly ground many of its aircraft due to a suspected technical problem, the firm's stranded customers used the tag to vent their frustrations.

Sony and secure token specialist RSA also ran into problems last year, as both companies suffered embarrassing hacks and lost sensitive data.

Both firms were criticised at the time for taking several weeks to fully inform customers that their data had been stolen.

De Crespigny explained that the consequences of cyber incidents can cause enduring damage to companies' reputations.

"The impact of these issues in cyber space is long and often disproportionately severe. A data breach for instance has a lasting impact as it undermines business potential, with an erosion of trust between customers and suppliers."

He added that the impact of the incident is often magnified by the success of the organisation.

"Sony lost the credit card details of 77 million of its customers. It lost such a large figure due to its own success. Only a successful company would have such a large volume of that type of data.

"Since the breach its share price has dropped by 35 per cent."

However, it should be noted that other factors have contributed to that drop, including the earthquake in Japan in March 2011, which impacted the firm's supply chain.

Firms must become 'cyber resilient'

While the attacks and other incidents themselves may have been hard to predict or prevent, the way in which the firms responded to them could have been handled better. De Crespigny calls the capability that was missing "cyber resilience".

He described cyber resilience as the ability to respond not just technically, but in a co-ordinated and collaborative way.

"Organisations need to co-ordinate their response with their customers, suppliers and other stakeholders, so you know in advance how to react to the threats you're unable to predict.

"Many organisations may be affected - not because they have been targeted themselves, but because a supplier has been attacked. The approach must be collaborative," said de Crespigny.

And firms cannot expect to be able to block all forms of attack, according to the ISF.

"Even if you apply all the best practice security controls, you will still only catch around 85 per cent of the attacks that happened in 2010," he claimed.

"Some forms of attack, such as DDoS [Distributed Denial of Service], involve lots of people and are very hard to mitigate."

Enterprise risk management rules alone cannot cope due to the pace of change in cyber space.

"The complexity enables threats to combine in new and unpredictable ways. Who could have thought two years ago that DDoS attacks would be initiated through a Twitter feed," said de Crespigny, referring to a recent tweet from hacktivist group Anonymous publicising its downloadable DDoS tool via Twitter.

"It's the communication between customers and stakeholders that's important."

He drew a parallel with the handling of the 2009 H1N1 ("swine flu") pandemic. This involved international collaboration to monitor a large number of potentially infected animals and travellers, in some cases isolating them.

"The response was well thought through, co-ordinated and successful."

How to attain cyber resilience

The ISF feels that enterprises need the same level of preparation in order to be considered cyber resilient.

It has developed a framework to help companies assess their current level of preparedness, and to understand the steps they need to take to become cyber resilient.

One solution to the challenge is for firms to have a governance framework with board-level buy-in for monitoring cyber activities, including monitoring partner collaboration, and the risks and obligations in cyber space.

Firms should have a process for gathering, analysing and sharing cyber intelligence with stakeholders. They also need a process for assessing and adjusting their resilience to the impacts of past, present and future cyberspace activity.

Finally, the organisation should attempt to prevent, detect and respond to cyber incidents, and minimise their impacts.