Jonathan Bowl at Commvault explains that the foundations of cyber security are risk awareness, flexibility and trust.
Across all sectors, customers are becoming harder to please and ever more demanding. Research into what the public now expects of companies, rather than of governments, has found that data privacy and security have overtaken other priorities, including diversity and sustainability.
Security and privacy are now the two practices that consumers most expect firms to be assertive about, and consumers can be unforgiving when they are not done properly.
A strong and effective data protection strategy must be constructed on stable business foundations. Thinking about these in terms of ‘RAFT’ – risk awareness, flexibility and trust – can be useful in ensuring all bases are covered to counter cyber-threats. Here’s what to know to build a cyber defence RAFT.
1 Risk awareness
Most organisations are managed and incentivised on revenue- and profit-centric return on investment (ROI) metrics. ROI frameworks, however, leave little or no room for a proper appreciation of risk. In practice, the only senior manager focused on return on risk (ROR) rather than return on investment is the CISO (Chief Information Security Officer).
Reforming company culture to bring ROR into management-level decision making can be challenging. However, two recent major disruptions, the 2008 global financial crisis and the pandemic, together with headlines about fines imposed by regulators under the General Data Protection Regulation (GDPR), are making executives take cyber-risk more seriously.
Organisations without a ‘risk-aware’ culture often take risks unwittingly that can compromise data security and privacy. For example, many teams delegate the purchase of IoT devices (from security cameras to thermostats) and simple items such as USB memory sticks to their purchasing department without specifying security requirements such as encryption.
In a risk-aware culture, security requirements are written into processes across departments, even where secure devices carry a small price premium. The same thinking applies to more significant purchasing decisions, from cloud data management to ransomware detection: risk-aware companies make risk reduction the selection standard, rather than choosing solutions that merely tick a box.
Risk awareness goes hand in hand with digital ethics. Companies that take both seriously tend to treat data with care and respect; they are less likely to suffer a data breach and better able to respond if one occurs. Accurately identifying personal data, and appreciating the risks attached to it, also aids regulatory compliance.
2 Flexibility
Together with risk awareness, flexibility is a powerful source of competitive advantage, especially during a crisis. Dominant players may use their scale to sustain market leadership, but if they lack the flexibility to respond effectively to major disruptions they can fall from grace rapidly. Such events are a real opportunity for flexible, risk-aware organisations to capture market share, and sometimes entire markets.
Having a cyber incident-response plan is essential. Effective backups, designed to recover systems and maintain business continuity, are not just ‘nice to have’: for any organisation processing the personal data of people in the EU, the GDPR (Article 32) requires the ability to restore the availability of, and access to, personal data in a timely manner after an incident, together with a process for regularly testing, assessing and evaluating the effectiveness of security measures. Realistically, maintaining effective backups and regularly testing cyber-security processes makes sense for just about everyone.
In addition to scenario planning and backup-and-recovery drills, it is important to run fully immersive simulation exercises to test whether the crisis-response team (people with technical, legal, reputational and social-media responsibilities) can communicate and collaborate under pressure. Realistic rehearsals are needed rather than lecture-based training, because stress significantly degrades situational awareness. Such simulations may also help senior management appreciate cyber-risk and understand the need for crisis preparedness.
Ransomware is a particularly pernicious threat and must be prevented wherever possible. This was made evident by the UK National Cyber Security Centre’s alert to British universities and colleges about a spike in ransomware attacks, which left many staff concerned that they would be unable to admit students at the start of term.
The prospect of having data encrypted and held to ransom is bad enough. But even if a company chooses to pay, there is no guarantee that it will get its data decrypted, or that the attackers have not left backdoors through which the data can be stolen and leaked all over again.
Worse still, cyber-criminals have recently moved from simply denying access to data to exfiltrating particularly sensitive data and blackmailing firms with the threat of publishing it, so-called double extortion.
3 Trust
Crisis-management textbooks suggest there is a ‘golden hour’ after an incident becomes public in which the brand can still be saved. For most incidents, if a business, as the victim of a crime, acts quickly and shows empathy for its customers, the press and public will usually be sympathetic.
Unfortunately, this does not hold for cyber incidents, where the press and public tend to blame the company rather than the attackers for any loss of personal data.
As soon as a breach is detected, the business should bring in expert forensics to establish the nature and scope of the incident. These findings serve not only to close the breach but also to build a legally defensible account of events and a brand-defence plan. At this point, brand trust is everything. Public belief in a trusted brand may take a while to shake, but reputational damage takes its toll, and countering misinformation and social-media hysteria may require recruiting trusted voices.
When using the acronym ‘RAFT’, it is important to remember that all three elements must be established in advance; otherwise they will not provide a safe harbour when they are needed. Like any emergency procedure, when it is time to bring the RAFT out it should be readily accessible and reliable.
Investing in risk awareness, flexibility and trust will protect a business, its employees and its customers through tumultuous times.
Jonathan Bowl is AVP for UK&I and Nordics at Commvault