We are focusing on cyber incidents: a breach of a system's security that affects the confidentiality, integrity or availability of that system or its data. With careful planning we can reduce the cost and time of putting solutions in place that protect the business when an incident happens, and those same solutions meet some of the everyday operational requirements against accidental loss of service and data as well as malicious loss.
Large corporates will have a whole team assigned to planning for incidents and running the plan when something happens. That team may be spread around the globe, so it is important that its members are listed clearly, with their responsibilities and how they can be contacted. A smaller organisation does not have the luxury of a team dedicated to this role. What it does have is a tight-knit management structure used to working together, often in one location, with little bureaucracy and typically fewer complex systems to manage. This means it can move rapidly on a problem if it has a plan and the right level of support.
Smaller companies only need a compact team: the people who understand the systems and the people who will run the plan. Often they are the same people. Make a list of who is responsible for each part of the plan, and decide what happens if they are not available (on holiday, off sick, or the person whose account was just compromised).
List the key contact details for each person and for external resources (IT support, hosting provider, legal advisor, insurer) so that you can reach them quickly when you need them and the pressure is on. Keep a copy somewhere that does not depend on the systems that might be down.
Make sure that each person understands what they need to do and the timeframe in which it must be completed. The 72-hour window for reporting a personal data breach to the ICO runs from the moment you become aware of it, and it can be difficult to achieve, especially if time has been lost trying to decide on the correct course of action.
Create a list of the key systems and processes, along with the data they hold and the roles they play. When we do this the normal result is about twice the number of systems originally estimated. You will find that this is also an important part of meeting your GDPR requirements, since you cannot protect, or report a breach of, data you do not know you hold.
Build an information asset register that lists the following:
Each of these systems carries a risk to the business, which can be assessed against some common scenarios.
Give each system a risk rating based upon the information above, and look at what is required to protect that system in proportion to the risk. We typically assign two risks.
The commercial risk is the risk to the business directly from a system outage or loss of data: financial losses from the inability to work, loss of intellectual property and business secrets, and loss of customers and future business.
The personal risk is based upon the type of data stored and the risk to the data subjects. This is where we need to consider GDPR and the consequences of a data breach: regulatory fines, litigation and loss of reputation. The ICO can apply penalties for not having an appropriate level of controls and products in place to protect the data. Under GDPR, an organisation that has not implemented adequate and appropriate technical and organisational measures can face a fine of up to 2% of global annual turnover (or €10 million, whichever is higher).
There are many things that can be done to reduce these risks. Implement appropriate processes to protect your systems and data. For small companies this can often be as simple as installing security software and a backup system. Pick the systems that can perform the critical roles during an incident and also earn their keep as part of daily operations. The key components of the security systems for smaller organisations are:
The most common example is a backup system. We like to use online backup services that act both as the daily backup and as the recovery system that forms part of the DR plan. The other benefit is that the backup is automatically offsite, which is essential if you are unfortunate enough to have a fire. Whatever you choose, test a restore from it periodically; a backup you have never restored from is an assumption, not a control.
Corporate organisations use Data Loss Prevention (DLP) systems to monitor and control the possible loss of data, and this technology is now trickling down into standard security software such as antivirus and email security products. If you record NI numbers or bank details, set alarms for when these types of data leave the boundaries of the business.
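The alarm described above can be shown concretely. The following is an added example, not code from the original article or from any DLP product: a small outbound-message check that looks for UK National Insurance numbers and for bank details (a sort code together with an account number) and flags them only when a recipient is outside the business's own domain. The domain name, the sample messages and the rule that a lone six-digit number is not reported are all constructed assumptions for illustration.

```python
"""Outbound content check for UK personal data: NI numbers and bank details.

Added example for this article, not code from the original page. The internal
domain, sample messages and alert policy are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Domains that count as "inside the boundary of the business" (assumption).
INTERNAL_DOMAINS = {"example.co.uk"}

# UK National Insurance number: two prefix letters, six digits, suffix A-D.
# Prefix letters D, F, I, Q, U, V are never used, O is never the second letter,
# and the pairs BG, GB, NK, KN, TN, NT and ZZ are not issued. Spaces optional.
NI_NUMBER = re.compile(
    r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)"
    r"[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z] ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b"
)
# UK sort code (six digits, commonly written 12-34-56) and account number (eight digits).
SORT_CODE = re.compile(r"\b\d{2}[- ]?\d{2}[- ]?\d{2}\b")
ACCOUNT_NUMBER = re.compile(r"\b\d{8}\b")


@dataclass(frozen=True)
class Finding:
    kind: str    # "ni_number" or "bank_details"
    value: str   # the matched text (redact before writing this to a log in production)


def find_ni_numbers(text: str) -> list[Finding]:
    """Every NI-number-shaped token that passes the prefix rules."""
    return [Finding("ni_number", m.group(0)) for m in NI_NUMBER.finditer(text)]


def find_bank_details(text: str) -> list[Finding]:
    """Report bank details only when a sort code and an account number appear
    together; a lone six-digit number is too common (dates, order references)
    to alarm on. Policy choice for this example, not a standard."""
    sort_codes = [m.group(0) for m in SORT_CODE.finditer(text)]
    accounts = [m.group(0) for m in ACCOUNT_NUMBER.finditer(text)]
    if not sort_codes or not accounts:
        return []
    return [Finding("bank_details", f"{sc} / {ac}") for sc in sort_codes for ac in accounts]


def leaves_boundary(recipients: list[str]) -> bool:
    """True if any recipient address is outside the business's own domains."""
    return any(r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS for r in recipients)


def scan_outbound(recipients: list[str], body: str) -> list[Finding]:
    """Findings that should raise an alarm: personal data in a message leaving the business."""
    if not leaves_boundary(recipients):
        return []
    return find_ni_numbers(body) + find_bank_details(body)


# Constructed sample messages (not real people, accounts or domains).
SAMPLES = [
    (["hr@example.co.uk"], "Internal: please update the record for AB 12 34 56 C."),
    (["accounts@supplier.example.com"],
     "Pay via sort code 12-34-56, account 12345678. Ref NI AB123456C."),
    (["sales@partner.example.org"], "Order ref 123456, thanks."),
    (["sales@partner.example.org"], "Invalid prefix BG123456C should not match."),
]


def main() -> None:
    for recipients, body in SAMPLES:
        findings = scan_outbound(recipients, body)
        verdict = "ALERT" if findings else "ok"
        print(f"{verdict:5} -> {recipients}: {[f.kind for f in findings]}")


if __name__ == "__main__":
    main()
```

Only the second sample raises an alarm: it leaves the business and contains both an NI number and a sort code with an account number. The internal message is ignored regardless of content, the lone six-digit order reference is not treated as a sort code, and the BG prefix is rejected by the NI rules. Pattern matching of this kind is what the "trickled down" DLP features in email security products do; the point of wiring it to a boundary check is that the same data moving between two internal mailboxes is business as usual, while the same data heading to an external address is the event you want to know about within the 72-hour window.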
Where data is critical, consider whether it can be protected by suitable access controls and security measures such as encryption, so that a lost laptop or a copied database is an inconvenience rather than a reportable breach. Remember to review this regularly and keep the information asset register up to date.
If this is sounding like a Disaster Recovery plan or a Business Continuity plan, that is because it is. Incidents, whether cyber related or plain system failures, can quickly become disasters in small companies. We need one combined plan that caters for all types of incident, and the protective measures we implement must fulfil multiple roles, both in standard daily operations and in major incidents.
Consider insurance! Cyber insurance policies are still in their infancy but will become a normal part of a business insurance policy. At the moment they appear complex, and with different terminology in use they can be hard to compare, so pick a good broker who can guide you through the options and check what the policy requires of you (for example, which controls must be in place for a claim to be paid).
In the next article we will look at running the plan...