Top Tips: Cyber-risk action plan

18 February 2015

Amber Lewis, a director at Pitmans LLP, is a non-contentious commercial technology lawyer with a litigation background. Before joining Pitmans LLP she spent over 5 years in-house as UK legal counsel to Easynet, a global service provider and integrator of managed networking and cloud hosting services in the enterprise and SME markets. Her specialisms include complex outsourcing and IT contracting and in-life contract management issues, particularly in relation to data protection, IPR and related matters.

Amber shares her top tips on how business can reduce cyber-risk.

If you think that cyber attacks have been big news in the last decade, the real floodgates are probably yet to open. Major disruptions to businesses that are attacked or have their websites defaced are now a harsh reality. Companies of all sizes are at risk of becoming victims of an attack that could have catastrophic consequences for their business:

  • Last May eBay revealed that hackers managed to intercept the personal information of 233 million users.
  • Restaurant chain P.F. Chang's suffered a huge data breach in June that compromised customer payment details.
  • Also in June, hackers held Domino's Pizza to ransom after stealing more than 650,000 passwords from its customers in France and Belgium.

The motives of those launching such attacks vary from criminal attempts to obtain money or intellectual property through to state-sponsored espionage aimed at disrupting the economy of a country or market sector. I have picked the brains of some of the best and most experienced information security professionals to provide five top tips that any company can adopt to help reduce the risk:

Implement basic security controls – The controls required by the UK government's brand new Cyber Essentials Scheme are a good start. It has been estimated that 80% of cyber-attacks in the UK could have been mitigated if the five controls defined in the Scheme had been implemented by the victims. The controls are a combination of technical and operational measures relating to firewalls at the boundary to the internet, secure configuration of devices, access controls, malware protection and patch management. Senior management should be engaged in the self-certification of the effectiveness of the controls.

Back up important data – This is particularly important for laptops, tablets and other mobile devices. If a device is infected with ransomware such as CryptoLocker and all of its data is backed up and available, the data can be restored and no ransom need be paid. Business-critical data in business support systems should also be backed up, again to allow for restoration following a compromise. Business data is an asset and, like all valuable assets, should have clear ownership and accountability.
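A backup only pays off after ransomware if it is intact and can actually be restored, so the practical check behind this tip is to record a hash manifest when the backup is taken and verify the restored copy against it. The following is an added illustration, not code from the article or from Pitmans LLP: it builds a SHA-256 manifest of a small constructed data set, simulates one file being overwritten with junk, and shows that the restore from backup verifies clean. Function names (`build_manifest`, `verify_restore`, `demo`) and the sample file names are assumptions made for the example.

```python
"""Backup integrity check: build a SHA-256 manifest of a data set and verify
a restored copy against it, reporting missing, altered and unexpected files.
Added example; the file names and directory layout below are constructed."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (as a POSIX-style relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest recorded at backup time.

    'ok' is True only when nothing is missing or altered; files that exist in
    the tree but not in the manifest are reported but do not fail the check."""
    current = build_manifest(restored)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    altered = sorted(
        name for name, digest in manifest.items()
        if name in current and current[name] != digest
    )
    return {
        "ok": not (missing or altered),
        "missing": missing,
        "altered": altered,
        "unexpected": unexpected,
    }


def demo() -> dict:
    """Constructed scenario: take a backup, corrupt one live file the way a
    file-encrypting ransomware would, then restore from backup and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("date,amount\n2015-02-18,100\n")
        (live / "notes.txt").write_text("quarterly plan\n")

        # Take the backup and store the manifest next to it (in practice: offline).
        backup = Path(tmp) / "backup"
        shutil.copytree(live, backup)
        manifest = build_manifest(live)
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest, indent=2))

        # Simulated compromise: the live ledger is replaced with random bytes.
        (live / "finance" / "ledger.csv").write_bytes(os.urandom(64))
        damaged = verify_restore(manifest, live)

        # Recovery: discard the live tree and restore it from the backup copy.
        shutil.rmtree(live)
        shutil.copytree(backup, live)
        restored = verify_restore(manifest, live)
        return {"damaged": damaged, "restored": restored}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter more than the hashing itself: the manifest should be kept separate from the backup (and ideally offline or write-once), because an attacker who can encrypt the backup can otherwise rewrite the manifest to match; and the verification should be run on a schedule rather than only after an incident, which is exactly the "test the plan" discipline the later tips describe.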

Increase staff awareness – Senior executives need to be engaged with getting staff on board regarding their individual responsibilities to protect the company and its data assets. Provide some basic information security awareness training, including the need to protect confidential information, checking links in emails before clicking on them, not allowing anyone to follow you into secure areas (tailgating), locking away valuable assets when away from the office, and using strong passwords and changing these regularly. Managers have a special role here: to lead by example, praise the good practice they see and correct poor behaviour. One easy and clever trick is to test staff awareness by periodically sending emails with links that should not be clicked on, which redirect anyone who does click to warning pages and/or training information.

Develop a cyber-recovery plan – Have a plan of what steps will be taken immediately following a cyber-breach. Speed is critical in recovery, so having a plan already developed (and getting advice on whether the plan will work) will help expedite recovery from the attack. The plan will need to cater for a range of possible scenarios depending on the nature of the breach. Try to identify how the breach occurred and initially focus on correctly diagnosing the vulnerability, using an external expert if necessary, so that it can be fixed. Consider disconnecting company access to the internet, at least temporarily, and scour all computers and servers for malware. Enforce a company-wide password change. If necessary, restore data and applications from backups. If customer personal data such as credit card information has been lost, then take advice on a customer communication and PR strategy and make sure the relevant authorities, such as the ICO, are properly notified.

Test the cyber-recovery plan – It is prudent to conduct a periodic test (perhaps annually) of the cyber-recovery plan. Enlist a company that specialises in vulnerability assessment or penetration testing and get them to scan and probe for cyber security weaknesses. Role-play a variety of scenarios and check that the information necessary for recovery can be found and is up to date.

The risk of your company being attacked will increase during the next decade. This is no longer an idle threat; it is a harsh reality. Some might say it's more a matter of when than if. Regardless of what business you are in, you will be attacked, and the damage is likely to cost you beyond the limits of your present insurance. I've seen the damage, the bills and the devastation first hand and know that the tips above, if implemented, will reduce the risk and allow for a speedier recovery if you are unlucky enough to have a security breach.

In the same way that a burglar alarm can be a deterrent to a casual burglar, having basic cyber security controls in place can sometimes be enough to persuade a would-be attacker to leave you alone and move on to an easier target.

IDG Connect