Preparing to Fail in Cybersecurity
Ian McGowan
Managing Director
The UK government estimates that 50 per cent of businesses suffered a cyber attack in 2023. This figure highlights how common cybercrime is today and reinforces the ‘it’s not if, but when’ adage.
Many of these incidents would have been catastrophic, with the damages and losses surpassing volumes the victims would have imagined.
But that’s the harsh reality of cyber today.
Organisations are losing much more than IT access; today, the damage caused by incidents sends shockwaves worldwide, and few realise just how much harm a determined attacker with modest technical skills can cause.
If you want proof of this, look at the recent attack on Synnovis. Until the beginning of June, the organisation was a virtually unheard-of provider to the NHS. Now the organisation is splashed across media headlines after falling victim to a ransomware attack causing turmoil to hospitals across London.
Thousands of medical appointments have been postponed, blood supplies have reached critical lows, and the culprits won’t back down until their $50 million ransom is paid.
This attack is a worst-case scenario cyber incident that Synnovis may not have been fully prepared for; few organisations would be.
However, the incident does demonstrate that attacks like these can happen, so preparing for them mustn’t be overlooked.
Preparing for Failure
Benjamin Franklin once famously said that by failing to prepare, you are preparing to fail.
In the cyber world, this statement holds true. But as cyber-attacks regularly cause serious real-world damage, organisations shouldn’t just plan to prevent incidents; they should assume incidents will occur and work backwards from that outcome to limit the damage.
Every day, we see worst-case scenario attacks; they are becoming the norm. So when organisations run cyber incident response planning, they can’t focus only on the small losses they could absorb. Instead, they must focus on the high-impact risks materialising and work their hardest to protect against those risks.
What are the absolute maximum losses an organisation could face? Would a ransomware attack impact their IT estate, or would customer services also be disrupted? Would there be a knock-on effect on the public?
These are questions organisations must consider in their preparations for an attack. They also mustn’t consider only attacks on their own infrastructure; they must think about attacks on their supply chain and about how attacks on their services would affect their partners.
When organisations have identified these worst-case scenario incidents, they must analyse how each would affect them and then introduce controls to mitigate them.
The ultimate goal is to become cyber resilient by protecting against the most damaging incidents, so if they do occur, the organisation can still operate and doesn’t come to a complete standstill. This type of planning should include a wide range of stakeholders so that roles and responsibilities can be assigned before incidents occur. By doing this, everyone knows their responsibilities when attacks happen, so they can move straight into remediation actions.
No organisation wants to fail, but in today’s hostile threat landscape, the potential for business-destroying cyber attacks increases every day.
This means preparing for these incidents is essential to enable organisations to ready their defences, ensuring that survival is never at stake even in the face of complete adversity.
This article was also published in The Scotsman.