In an age where cyber-attacks have become a ubiquitous threat, the question for businesses is not if they will be attacked, but when. Recent statistics reveal a sobering reality: 85% of UK businesses have reported being attacked in the last 12 months.
Christof Taylor-Smith, Head of Transformation for Pace, highlights the intricate and prolonged nature of modern cyber-attacks. “Threat actors (hackers) can dwell within an organisation’s infrastructure for up to 328 days before launching a full-scale attack,” he explains. This prolonged presence allows cybercriminals to meticulously plan their offensive, making the eventual attack more devastating.
The real damage, Taylor-Smith notes, lies in data theft and the operational paralysis that follows. “When an organisation is immobilised through system access denial, it disrupts operations, fuels public fear and exacerbates misperceptions,” he says. Consequently, many organisations pay ransoms to restore systems and data access, inadvertently fuelling the cybercrime cycle.
Taylor-Smith suggests a segmented approach to understanding and mitigating cyber-attacks: Motivation, Attack, Mobilisation, and Resolution. Addressing these phases comprehensively is crucial for an effective cybersecurity program.
He explains: “Understand why a cyber-crime organisation might target your company and assess both internal and external factors to enhance your defences. Evaluating internal goodwill involves ensuring that your team is informed and committed to cybersecurity best practices, while assessing external brand perception helps gauge how your organisation is viewed by others, including potential attackers. Together, these assessments enable early detection of threats, increasing your chances of survival. Knowing when to trigger a business continuity plan is also a crucial element of any cyber response. By the time an attack happens, it’s often too late. Have a rigorous approach to mobilising your teams and assume systems are completely unavailable.”
In business continuity, preparedness is more than just having a plan on paper. Many organisations think they are ready for disruptions, but surprising oversights can leave them vulnerable. He outlines the vital question every business should ask – are you prepared?
Here are three critical questions to assess an organisation’s level of readiness:
- Can you access your Business Continuity Plan (BCP) if all access to systems has been lost? Has this been independently challenged?
It’s one thing to have a BCP, but another to ensure it is accessible in an emergency. Moreover, having your plan independently reviewed can uncover blind spots and weaknesses. Regularly challenge and update your BCP to ensure its robustness.
- How would you communicate if you can’t use devices?
In a scenario where traditional communication styles and channels fail, how would you keep your team and stakeholders informed? Developing alternative communication strategies, such as how critical information is exchanged and pre-arranging meeting points or low-tech options, can be crucial.
- Would you know when to activate your BCP?
It is essential to recognise the right moment to implement your BCP. Delayed and premature activation can both be costly. Establish clear criteria and decision-making processes to ensure timely action, especially in relation to a cyber-attack, which often presents unclear levels of impact or threat.
Answering these three questions and having your BCP independently assessed by an organisation like Pace will significantly enhance your understanding of business continuity readiness. They are a starting point for deeper evaluation and improvement, ensuring that you are truly prepared to respond effectively when disruption strikes.