In this article, I ask the question "Is your small business ready for a cyber-attack?" I explain what cyber incident response is, what role it plays in the cyber risk management framework, and why your small business needs an incident response plan.
The cyber threat to small businesses has never been greater than now, and the financial livelihood of small business owners could be severely impacted by a cyber-attack.
Hey, it's John Byrne here, entrepreneur, insurance professional, online educator, and founder of Surviving Cyber, where I help small business owners get to grips with cyber risk. This short video series about cyber risk and cyber insurance will help you prepare for an incident and keep your small business and your people safe.
Now, today's video asks "Cyber-attack: is your small business ready?" Make sure you stick around to the end because I'm also going to share some very interesting findings on incident response from a 2022 Cyber report that you'll want to hear.
Did you know that over 80% of UK businesses don't have a documented cyber incident response plan? This startling figure comes from the UK Cyber Security Breaches Survey, an annual report by the UK Government. And the 2022 version of the report confirmed again a statistic that's appeared in previous years - about 80% of UK businesses don't have a cyber incident response plan. So, let's have a look at what incident response is and why it's important that you should develop a plan.
I will begin today's article by asking two key questions. "What is cyber incident response?" and "Why do I need a cyber incident response plan?" And as you consider these two questions, I want you to bear in mind the words of Robert Mueller, the former director of the FBI, from March 2012. And he said:
"There are only two types of companies, those that have been hacked and those that will be".
What this quote shows us is that cyber risk exists for every company. It is inevitable that every company will experience a cyber incident at some stage, and therefore the need for a plan is clear.
What is Cyber Incident Response?
Cybersecurity incident response is a process by which organizations can assess, respond to, and mitigate cyber threats. It helps companies protect their data, their network, their applications, and their systems from cyber-attacks and it's an essential part of protecting the business from the dangers of cybercrime. Now, this definition ignores the human aspect of cybersecurity and concentrates on the technology side but, nonetheless, it gives you a good idea of what incident response is all about.
You need the capability to respond immediately to a cyber incident in your business. And you may well ask why? Well, you need urgency because “time is of the essence” when a cyber-attack takes place. We'll consider in a minute what the practical implications of a cyber-attack might be. The damage of one of these attacks is inflicted in the initial minutes and hours, not over weeks or months. It could be your worst nightmare because it will be very, very difficult to run a business in the middle of a cyber-attack.
Soon, I’m going to look at the data from a recent report on cyber incidents and look at the bigger picture of the place that Cyber Incident Response plays in a risk management framework. As I do so, it's worth bearing in mind this quote:
"It takes 20 years to build a reputation and a few minutes of a cyber incident to ruin it."
What would you do?
I've said previously that a cyber-attack could be your worst nightmare and it's helpful to consider what would you do in the event of a cyber-attack on your business. The first thing to acknowledge is that it will be a dramatic event in the life of the business and you should really try to imagine how you would run a normal business if:
- You had no access to your IT systems
- You knew that a cybercriminal had attacked you and had control of your systems
- You didn't know who exactly had attacked you or why
- You didn't know the extent of the damage that had been inflicted
- You didn't know whether the attack was still ongoing
- You didn't know what to do to respond to the attack, and
- You didn't know where to go to get urgent assistance
This is a very practical scenario for most small businesses when they are attacked. And all the while that you're dealing with these worries, the future of your business is at stake. Because when your customers, your suppliers, and your employees hear about the cyber-attack, they will all start looking for reassurance from you, the business owner. So, this is quite a dramatic event in the life of your business.
Why do you need a cyber incident response plan?
Now that you understand what cyber incident response is, I’ll move on to the second question posed earlier: "Why do you need a cyber incident response plan?" and the related issue of "How bad is the situation?"
The Hiscox Cyber Readiness Report 2022 contains some very interesting findings. It's a survey of eight countries, the USA, the UK, the Netherlands, Germany, Belgium, France, Spain, and Ireland.
- The first finding was that almost all the countries found cyber to be the number one threat to their financial health. The exception was Ireland, where companies found the pandemic to be the number one threat, with cyber the number two threat.
- About half the companies reported a cyber-attack in the last 12 months.
- The median cost of these attacks had risen 29% in the 12 months to just under $17,000.
- However, median costs as a percentage of revenue of the company were two and a half times higher for cyber novices, that is, companies that are new to cybersecurity.
- 19% of respondents reported a ransomware attack, a relatively small percentage, given the immense publicity that ransomware has received. However, two-thirds of those companies paid the ransom.
- In case there's any comfort in a median loss of $17,000, it's very interesting to note that 20% of companies across all the countries said that a cyber-attack almost rendered them insolvent.
- Not surprisingly, 64% of companies in this survey now have cyber insurance in place.
- An interesting finding is a gulf in the perception of the seriousness of cyber risk between those who have been attacked and those who have not been attacked. In essence, it's learning the hard way, through experience, that cyber risk needs to be taken very seriously.
- The change in the environment is visible also in the Hiscox report, where 62% agreed that their business is now more vulnerable to a cyber-attack as a result of working from home.
- COVID-19 also accelerated the cloud journey of companies and led to a big jump in attacks by cybercriminals against cloud servers. This is interesting because cyber criminals always adapt their tactics to the environment that they find.
- Overall, respondents mean cybersecurity spending was up 60% in the report in the past year, but smaller companies were spending less and being targeted more by cyber criminals. Now, this is a worrying trend for small companies, because they are the most exposed and the least protected.
Incident Response as part of a Risk Management Framework
I said earlier that I would explain how Incident Response fits into the bigger picture of your cybersecurity framework. Incident Response is a critical part of the cybersecurity lifecycle and in order to respond appropriately, we have to consider all the elements of the cycle. The National Institute of Standards and Technology in the USA or NIST, as it's commonly known, identifies the cybersecurity lifecycle in the NIST CSF or cybersecurity framework, and it has five parts.
- Step one is "Identify" - this is identifying the risks to which your business is exposed.
- Step two is "Protect" - that's putting in place the proper defenses to protect your key information assets.
- Step three is "Detect" - this is finding out if, in fact, you have been attacked by a cybercriminal.
- Step four is "Respond" - this is the incident response stage of the process.
- Step five is "Recover" - the recovery stage.
So, you can see that incident response plays a key role largely in steps three and four of the NIST cybersecurity framework. And of course, your incident response plan should be tied into and linked to your disaster recovery plan or your business continuity plan.
Why do you need a Cyber Incident Response Plan?
By now, you should see the importance of the Cyber Incident Response topic but the question remains, "Why do we need a plan?" Well, we need a plan because businesses that are prepared to respond to a cyber incident are the businesses that can survive the event and recover. It is inevitable that every company will have a cyber incident of some form at some stage, and it will be too late to try to respond to this incident when it happens if you're acting under pressure, and without a plan.
The critical step is to create the incident response plan, and then form a team to execute the plan. An incident response plan that's tested has real value. A plan that sits on the shelf is of little value. The team that's required to carry out the plan will need to do drills, like fire drills for an office environment, to be able to respond when the real event happens. Having cyber insurance in place can be a significant part of your incident response plan, especially for small companies, because the insurance policy allows access to an insurance expert response panel. This is because a lot of the services that would be difficult for small companies to secure become available through an Insurer’s cyber incident response panel.
Professional service firms are particularly exposed to cyber risk because of the high expectation of their client base that the business is secure. In fact, professional services was the second most targeted sector in the Hiscox 2022 report, where 58% of the respondents in professional services reported attacks in the last 12 months. The importance of the topic is once again underlined by the following quote from the CEO of IBM from September 2015:
"Cybercrime is the greatest threat to every company in the world".
UK Cyber Security Breaches Report 2022 – Interesting Findings
Earlier, I said I was going to share some very interesting findings on incident response from a 2022 Cyber report. The report is the UK Cyber Security Breaches Report 2022. So, here are the findings:
- Only 19% of businesses had a formal incident response plan in place. Even less, only 14%, had communications and public engagement plans for when they had a cyber incident. 7% of businesses had none of the listed actions or measures in place for a cyber incident.
- Businesses are reacting to cyber events when they take place. 39% of businesses were assigning roles to specific individuals during or after the incident if an incident occurred, and 30% of businesses had written guidelines on who to notify, or when to notify externally when they suffered a cyber incident. External notification examples are to regulators or to insurance companies.
- 84% of businesses would inform the board if an incident occurred, and 73% would assess the scale and the impact of the attack. This would be a difficult thing to do. In the absence of any planning for an incident. 68% keep a record of incidents and 68% and inform a regulator of incidents if required. Of course, you would like to see higher levels of compliance with all of these activities.
The actions taken most frequently by businesses in the survey were reactive - responding to an incident after it happened rather than proactive, for example, providing written guidance or guidelines in advance of an incident.
Thanks so much for watching today's video. I hope you found it helpful and can now judge whether your small business is ready for a cyber-attack. Now before you go, I want to give you access to my free cyber resilience video workshop, "How Small Business Owners can create their First Cyber Resilience Plan in less than 30 days". It's full of practical tips that you can implement. You should use the link pages.survivingcyber.com/workshop to get access now.
I hope to see you again soon for article four in the series when I ask "Why is managing online risk important to your small business?"