With big brand names such as Marks & Spencer and Harrods fighting off cyber attacks in recent weeks, it is more crucial than ever for businesses to make sure they're secure from risks — and to have a plan in place for managing an attack.
SoGlos speaks to one of Cheltenham's leading cyber firms, P3M Works, to find out what it means to be cyber resilient — and how to get there.
Can you explain what cyber resilience means and why it is crucial for businesses?
At P3M Works, we think of it as an equation. For us it’s preparation + confidence = minimal disruption.
Preparation is when an organisation knows its limits, vulnerabilities and strengths, whereas confidence is when incident response plans are in place alongside a resilient cyber culture.
And then minimal disruption is the result of preparation and confidence when a cyber incident occurs.
To us, cyber resilience is crucial for businesses because every business needs to have a plan for its cyber security, and every business is at potential risk from a cyber incident.
We say cyber incident because not all incidents are attacks; some are as simple as an employee emailing sensitive data to the wrong person. That’s not an attack, but it’s still an issue that should not have happened.
For some time now, the cyber security industry has been moving away from trying to create a magic tool to stop all attacks, to recognising that such a tool simply isn’t possible. Cyber resilience is a much more realistic approach to cyber security. Resilience should focus on not only what tools you have to protect an organisation but how human beings behave and how they react to cyber incidents; and the recognition that cyber security is everyone’s responsibility.
How would you describe the relationship between cyber security and cyber resilience for organisations today?
A lot of organisations are still chasing total security. This can be exhausting, feel like a never-ending quest and is still likely to result in an incident at some point due to the nature of the cyber threats we face today.
As we see more and more high-profile security incidents, such as the CrowdStrike incident last summer, organisations are having to recognise that they are likely to be caught up in a cyber incident and focus on ‘how do we keep business as usual (BAU) as unaffected by cyber incidents as possible’, leading to resilience strategies prioritising the BAU functionality of the business.
This changes the question asked at organisational leadership levels from ‘how secure are we?’ to ‘how resilient are we?’ The latter is much easier to actually demonstrate and assure.
The dial is moving from cyber security to cyber resilience, but it can often be a difficult conceptual shift to undertake. We work independently and with cyber leaders to embed cyber resilience programmes and see first hand the positive change a shift from security to resilience can have.
Are there particular sectors or industries within Gloucestershire that face more significant cyber threats? How can businesses in these sectors enhance their cyber resilience?
There are; however, the organisations carrying the biggest risk are those with no current cyber plan in place. Quite a few organisations we speak with after an incident mistakenly believed that their IT provider was responsible for their cyber security. In almost all cases this is not correct.
Industries holding high levels of intellectual property or personally identifiable information are at particular risk, because these items are prone to ransom attacks. The types of firms that usually carry such materials are accountancies, legal practices, councils, utility companies and startups building products.

What are some best practices or strategies you recommend for businesses looking to build a strong cyber resilience framework?
Take a look at some of the NCSC guidelines available online; they have a wealth of resources designed to help firms get more cyber secure.
Take it seriously and, if need be, bring in help to get you going and keep you on the right path.
Understand your estate — by estate, we mean all of your IT assets. Make a register of them, keep the assets updated and understand any vulnerabilities.
Train your staff and get them comfortable with reporting phishing emails; don’t shame them! Get teams confident with talking about cyber resilience and understanding their role in keeping the organisation safe.
Cyber can seem a foreign concept, but it’s not one that can be ignored any longer.
With cyber threats constantly evolving, what do you see as the biggest emerging risks for UK businesses over the next two to five years?
The first thing that springs to mind is AI-enhanced threats: we’re seeing some very advanced AI phishing emails, deepfake phone calls and other forms of attack designed to trick a human into doing something. This is why resilience and training are so important, and why tooling alone will not provide cyber resilience.
We’re living in an unstable world where rogue groups and nations may try to disrupt organisations using cyber attacks with the intent of causing economic and social damage. This could be achieved by attacking organisations themselves, or popular software that enables organisations, such as accounting tools, video-conferencing software, etc. Resilience is an important antidote to this potential chaos — having a plan B and C for software and some well-tested information and data backups is a must for all organisations.
How can businesses proactively identify and mitigate potential threats before they escalate into serious security breaches?
This will vary for each business, but we recommend starting with the following:
- Understand what the common threats are in your industry, why did they happen, how did businesses respond and what were the lessons learned?
- Train your workforce, customise this training with the likely threats they will face and use past events your company has dealt with to tailor the training.
- Spend time understanding your assets, like mobiles, computers, servers and your supply chain! Research how they may be vulnerable and create backup plans; this is especially true of the supply chain.
- Develop incident response plans. Okay, so an incident has happened. Using point one, you can have a rough understanding of what that incident may be; wargame through likely incidents and develop plans.
And finally, in your opinion, what are the key consequences of failing to invest in cyber resilience for a business?
Both customers and suppliers are starting to get a bit twitchy when a business they are working with can’t quite describe how it is mitigating cyber threats; no one wants a break in the chain. So reputational consequences are becoming much more common, especially as firms need to ensure that their suppliers and customers are handling their data correctly.
You may also end up losing business due to a lack of preparedness — I used to shy away from saying this to clients, but it’s true. Would you do business with someone who didn’t have a credible plan to keep operations running during a cyber incident?
Ultimately, you may wake up one day, go into work and find that you, or a supplier, has had a cyber incident. Without a tried and tested resilience plan, you’re betting on an ability to create and deploy a number of workarounds to replicate business as usual, whilst under considerable stress and potential further disruption. It doesn’t look professional to customers and also, why put yourself through that stress?
We get there are a lot of competing priorities for businesses, but investing time in planning, if you don’t want to bring in a professional to do this, is now standard.