Are you ready for the inevitable cyber-attack?

1. Cyber-attacks are becoming more prevalent and increasingly sophisticated, with corporates vulnerable to a wide range of attacks — from
• Ransomware to business email compromises and,
• In some cases, nation-state espionage.
2. The pre-eminent threat lies in ransomware attacks, often carried out by organised criminal groups.
• They gain access to your networks before stealing data and destroying any backups they can find.
• They then ransom the stolen data, threatening to release or sell it unless their financial demands are met.
3. Although the percentage of ransomware victims who pay is falling (down from nearly 80% in 2019 to around 30% today), the number of attacks has almost doubled to over 5,000 known victims.
4. Ransomware groups took over £2 billion in 2023, doubling their 2022 takings.

Accept the risk.

1. With this trend showing no sign of slowing, boards must come to terms with this risk.
2. Cyber-attacks must take a prominent position on the risk register, and even if you take every step that you can think of or are advised to take, the best you can expect is to reduce the risk of an attack happening and lessen its impact when it does.

• “The thing about cyber risk is that it’s always red. We’re getting to the point where it’s ‘death, taxes and cyber-attacks’. It’s inevitable.” ~ Yasmin Mangalji, General Counsel, Advanced [https://www.oneadvanced.com/about-us/leadership/yasmin-mangalji/]

3. It’s not a case of wondering what you would do if you’re the victim of a cyber-attack, but rather what you will do when it happens.

Who are you going to call?

1. Preparation is unlikely to prevent an attack, but it will help when crisis strikes.
2. Cyber incident response plans — which you can put to the test in simulation exercises — will ensure that senior leaders know their own responsibilities, as well as those of others, when the time comes.
3. Knowing who to inform, who to consult, and who can make certain decisions will improve your response's speed and quality.
4. Crucially, however, you need to understand these incident plans — especially if you’re not from a technical background. So, ask the right questions before the crisis and probe, test, and challenge the team until you get answers you understand. What are our key assets? Are we protecting our data, IP, and systems? What are the layers of protection that we have in place? Who gets alerted when there’s an attack, and in what order — and how can we contact them if our usual systems are down?

• “If they can’t explain it to you, they probably don’t understand it themselves. And if it doesn’t make sense to you, it probably doesn’t make sense to anyone.” ~ Yasmin Mangalji, General Counsel, Advanced

5. This matters because your decisions in the early hours of an attack will determine the overall success of your response.

The first 72 hours

1. The first 72 hours will be intense; it will be difficult to determine the extent of the attack and to form a holistic picture of how your systems have been affected.
2. Your first move should, therefore, be to muster your team (internal and external) so you can understand exactly what’s happening and work out how best to stem the bleeding.
3. There are some practical steps you can take, too. Making sure everyone is using clean devices is a priority early on.
4. Often, senior leaders are targeted with malware that allows the attacker to monitor the organisation’s response or sabotage the recovery covertly.
5. You should also disable as many systems as necessary to prevent the attack from spreading to unaffected areas of the business or third parties.
6. Leaders should keep their cyber response plan somewhere safe to access it even if (or when) their organisation’s communications are taken down.

Don’t bottle it up

1. Don’t fall into the trap of thinking that you can handle the incident independently, however sophisticated your systems or experienced your team.
2. You can always go for expert independent advice you can call on at short notice and trust.
3. During a cyber-attack, tensions often run high — people can quickly blame, and internal teams can (understandably) take a defensive stance.
4. Bringing in an impartial third party without emotional attachment to the situation can help to diffuse these tensions and plot a route through the chaos.

• “For the victims of a cyber-attack, it’ll be the worst day of their professional lives. But for independent experts, managing crises is what we do week in, week out.” ~ Daniel Caplin, Head of UK Cyber Incident Response, S-RM

1. But don’t leave it until you’re under attack to mobilise your advisors — because it’s already too late by then.
2. You can research your options and build relationships ahead of time.
3. And if you have cyber insurance, it’s worth finding out what is (and isn’t) covered by your policy and which advisors they recommend or will allow you to work with.
4. Regarding cyber, specialisation and speed of response count.

Be proactive.

1. It’s impossible to discount the risk of cyber-attacks, so it’s incumbent on every board to ensure that their organisation is as prepared as possible.
2. With the average cyber-attack costing businesses $1.7 million, to say nothing of the reputational damage and the 12-24 month distraction, boards can’t afford to pay close attention to their cyber preparedness.

Source

• https://www.boardintelligence.com/blog/death-taxes-and-cyber-attacks?utm_campaign=WMOM&utm_medium=email&_hsenc=p2ANqtz--c72k7oZgRy5-eeQwrjhloUTgb8MimeB7uBR_Edz-e71duBdugJLdwAe3Ufp6ZvfmhUL2_I6wwHG9nsVzOcK0NlIYhqdo373VX0CztyK1IsXwmq8U&_hsmi=306757730&utm_content=306757730&utm_source=hs_email