As the world moves increasingly online, risk management professionals and business owners must continue to invest in the prevention of cyber threats. It’s surprising to see just how many businesses have plans in place for all sorts of things, such as fire, flood and COVID-related issues, yet don’t have any action plan in place should a cyber attack occur.
What happens in the minutes, hours and days after an attack is crucial. This is where business continuity planning can be a vital lifeline, with a sound plan saving time and money while a threat is addressed.
Why is a strong cybersecurity policy so important?
A detailed cybersecurity policy is an essential part of any business continuity plan. It ensures that businesses are adequately addressing any weaknesses, are prepared for potential threats, and are ready to mitigate an attack should the worst happen.
Organisations need to be able to detect and respond quickly and effectively to a cyber incident to reduce the financial, operational and reputational harm it can cause. It is crucial that a team has effective cybersecurity measures and a robust incident response plan in place to follow.
A poor cybersecurity policy can disrupt business continuity, making a cyber attack more likely because defensive measures aren’t in place. It can also make attacks worse, because the policies needed for recovery haven’t been established, and it ultimately harms revenue and productivity, all of which affect the bottom line.
1. How poor cyber policies can cost businesses money
A data breach can result in a variety of costs, such as fines, lawsuits and extra staff wages. These include direct costs paid to IT consultants or to the attackers, long-term costs such as hiring new staff or improving security, and indirect costs where staff couldn’t complete their work or devices needed replacing.
Under GDPR regulations, an individual is also entitled to claim compensation from an organisation if they’ve experienced material (e.g. loss of money) or non-material (e.g. suffered distress) damage as a result of the organisation breaking data protection law. This may result in further financial losses and reputational damage.
2. How poor cyber policies can cause a loss of reputation
Knowing that a company has been a victim of a data breach can stop customers from trusting the brand and influence them to choose a competitor or avoid the affected company’s services. Consumers don’t want to risk their own personal data, so providing it to a company with a poor cybersecurity policy isn’t worth it. This can result in a loss of revenue for the organisation.
This can also create a snowball effect. Knowing that consumers don’t trust the business can influence other businesses’ decisions on whether to work with them. Because of this reputational damage, many businesses won’t want to be linked to that brand and may choose a competitor as a result.
3. How poor cyber policies reduce productivity
Productivity loss as a result of a data breach can be one of the most common business continuity disruptions faced. There are many forms this could take, such as a hairdresser losing access to their diary booking system, a construction company losing access to their subcontractor database, or a small manufacturer losing their production line and communication with customers.
In the short term, a cyber attack will take unplanned time to deal with, whether mitigating the attack itself or enduring downtime through loss of access to networks and data. Overall, 24% of businesses say that a data breach prevented staff from carrying out their day-to-day work, which can result in missed deadlines and overtime.
Long term, compromised financial or personal data takes time to correct, as well as time to conduct cybersecurity training and complete audits to update your policies.
What can businesses put in place to reduce losses?
Businesses can, however, take measures to reduce such losses. A cyber business continuity exercise is an important part of the process of creating a plan, as it identifies the major risks that could cause significant disruption.
The policies created from such exercises will then form your defence against attacks and potential losses. The policy should identify threats, list the actions taken to prevent those threats, and name the persons responsible for carrying out those actions, maintaining security and responding to breaches.
The aim is then to take steps to prevent these disruptions where possible so that essential processes can continue. The requirements of a cybersecurity policy are ever-changing, because cyber criminals keep adopting new techniques and tools, so the policy should be reviewed regularly, and especially following an incident, to determine whether it is still appropriate.
Mitigations listed within the policy might include antivirus software and firewalls, and managing the updates and patches needed to ensure that browsers, plugins, operating systems and other internet-facing applications aren’t left at risk.
Additionally, policies should cover what data an organisation holds and how it is processed and protected, demonstrating compliance with GDPR regulations. This is especially important now that the majority of booking systems and account details are stored online.
Businesses that need help reviewing their business continuity plan, or advice on running exercises such as gap analysis, impact assessments and risk assessment, can get in touch with non-profit organisations such as the North East Business Resilience Centre (NEBRC). In partnership with the Police and the NCSC, the organisation uses elements modelled on the international business continuity management systems standard ‘ISO/IEC 22301:2019’ to help strengthen and sense-check any plans.
Poor cybersecurity practices can leave businesses exposed to financial and reputational losses. To find out more about the NEBRC and how they can help your business with continuity planning, visit the website or sign up to their free core membership.
About the author:
Stephen Leach, Detective Inspector and Head of Business Development at NEBRC.
Steve is a Detective Inspector with 28 years policing experience, the majority spent within CID, both at a Force and Regional level. Steve is currently seconded to the NEBRC and has always had an interest in the digital and cyber world.
Prior to joining the police he graduated from university with an Electronic Systems Engineering degree. Within the police he has worked in internet investigations and managed communications data investigators, radio frequency technicians and digital forensic examiners. More recently he was part of the team responsible for creating the force-wide Cyber Crime Unit. He has previous experience of force- and region-wide projects from design through implementation to delivery.