Cyber security basics for business | Step 3 Respond and recover

26 September 2017

Leon Fouche, National Leader, Cyber Security

In part two of our cyber security series last week, we highlighted the importance of cyber insurance as a risk management tool to provide financial protection for your business.

In this, our final week of the series, we address ‘responding to and recovering from’ a cyber incident.

The 2016 BDO Cyber Security Survey found that the top three cyber security incidents for Australian and New Zealand businesses were ransomware, phishing and malware, with 57 per cent of respondents affected.

What is phishing? It is an email containing a malicious link or file attachment, designed to trick the recipient into acting on a request, e.g. clicking the link or opening the attachment. Phishing emails are the main attack method cyber criminals are using today. Increasingly, cyber criminals use social engineering (a familiar name, a plausible pretext, a sense of urgency) to increase the likelihood that the email will be opened. Look for suspicious emails that appear to come from familiar contacts, display names that don't match the actual sender address or your organisation's email address format, reply addresses that differ from the sender, and emails requesting help with a financial transaction.
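As an added example (not part of the BDO article), the following Python script turns the indicators above into a simple triage check over inbound email headers: a display name that matches a known contact but comes from a different address, a sender domain that imitates the corporate domain, a Reply-To that redirects replies elsewhere, and a subject that concerns a payment. The corporate domain, contact directory and sample messages are all constructed for illustration.

```python
# Added example, not from the BDO article: heuristic triage of inbound email
# headers against the phishing indicators listed above. The domains, contact
# directory and sample messages are constructed for illustration only.
from email.utils import parseaddr
from difflib import SequenceMatcher

# Hypothetical corporate domain(s) and directory of known contacts.
CORPORATE_DOMAINS = {"example.com.au"}
KNOWN_CONTACTS = {
    "jane citizen": "jane.citizen@example.com.au",
    "ceo office": "ceo@example.com.au",
}
# Words that often accompany a request for help with a financial transaction.
FINANCE_KEYWORDS = ("invoice", "payment", "bank details", "transfer", "wire", "urgent")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address ('' if there is none)."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def is_lookalike(domain: str, threshold: float = 0.8) -> bool:
    """True if `domain` closely resembles a corporate domain without being one
    (e.g. examp1e.com.au). This is plain string similarity; it does not catch
    Unicode/IDN homographs, which need a separate check."""
    if not domain or domain in CORPORATE_DOMAINS:
        return False
    return any(SequenceMatcher(None, domain, good).ratio() >= threshold
               for good in CORPORATE_DOMAINS)


def triage(from_header: str, subject: str, reply_to: str = "") -> list:
    """Return the list of indicators that fired; an empty list means none did."""
    flags = []
    display_name, address = parseaddr(from_header)
    address = address.lower()
    sender_domain = domain_of(address)

    # 1. Familiar name, unfamiliar address: the display name matches a known
    #    contact but the actual address is not the one on file.
    expected = KNOWN_CONTACTS.get(display_name.strip().lower())
    if expected and address != expected:
        flags.append(f"display name '{display_name}' matches a known contact "
                     f"but address is {address}")

    # 2. Sender domain imitates the corporate domain (character substitution).
    if is_lookalike(sender_domain):
        flags.append(f"sender domain {sender_domain} looks like a corporate domain")

    # 3. Replies are silently redirected elsewhere (common in payment fraud).
    reply_domain = domain_of(parseaddr(reply_to)[1].lower()) if reply_to else ""
    if reply_domain and reply_domain != sender_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from sender "
                     f"domain {sender_domain}")

    # 4. The request is about money: weak on its own, strong alongside 1-3.
    if any(word in subject.lower() for word in FINANCE_KEYWORDS):
        flags.append("subject concerns a financial transaction")

    return flags


# Constructed sample messages (From header, Subject, Reply-To); not real traffic.
SAMPLES = [
    ("Jane Citizen <jane.citizen@example.com.au>", "Lunch on Thursday?", ""),
    ("Jane Citizen <jane.citizen@gmail.com>", "Urgent payment needed today", ""),
    ("Accounts <accounts@examp1e.com.au>", "Invoice attached", ""),
    ("CEO Office <ceo@example.com.au>", "Need a quick transfer",
     "CEO Office <ceo.office@outlook.com>"),
]

if __name__ == "__main__":
    for from_header, subject, reply_to in SAMPLES:
        result = triage(from_header, subject, reply_to)
        print(f"{from_header!r}: {'OK' if not result else '; '.join(result)}")
```

Running the script flags the last three samples and passes the first. A check like this complements, rather than replaces, mail-server controls: an exact spoof of your own domain from an external server is caught by SPF, DKIM and DMARC, not by header heuristics, and a finance keyword alone should raise attention, not block mail.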

What is malware vs ransomware? Malware is malicious software, such as a computer virus, intended to damage or disrupt your computer systems or the integrity of your data. Ransomware is a type of malware that encrypts the files on your computer and demands a ransom payment, usually in bitcoin, in exchange for the decryption key. Paying does not guarantee that the files will be recovered; tested, offline backups are the reliable way back.

The good news is that cyber security awareness programs (such as staff training) appear to reduce an SME's susceptibility to malware or ransomware incidents by more than 70 per cent (Source: 2016 BDO Cyber Security Survey). Likewise, having cyber incident detection and response capabilities reduces incidents by almost 60 per cent.

The introduction of the new data breach notification legislation in February 2018 requires that organisations have in place a plan or process to report cyber breaches. At the core of this is a cyber incident response plan with supporting capabilities and processes. The critical components that this plan or capability needs to cover are:

  • Containment - Once an incident has been detected and understood, it needs to be contained. Since it is not effective to attempt to eradicate an incident that is still actively spreading, the containment stage is about minimising damage by stopping the spread. This can include disabling network segments, taking websites offline, isolating or decommissioning workstations, locking user accounts, revoking credentials and closing down online services.
  • Eradication - Once the incident has been contained, efforts must be geared towards eradicating it from your environment. This means not only removing all traces of the malicious activity, but also fixing the weaknesses which enabled the incident. This involves not just quarantining devices with anti-virus software, re-formatting storage devices or restoring databases from backups, but also hardening systems, fixing security vulnerabilities and applying patches so the incident cannot recur. Before wiping or restoring a system, preserve the evidence (logs, disk and memory images) that the post-incident analysis and any breach notification will depend on.
  • Recovery - After an incident has been halted and removed from your environment, the business needs to recover. The recovery stage is focused not only on returning affected services to full functionality, but also on conducting a post-incident analysis. This involves not just re-launching servers, re-provisioning devices and restoring critical services, but also reviewing the effectiveness of response activities, documenting lessons learned and improving the incident response plan.

In today's interconnected environment it is inevitable that businesses will experience a cyber incident at some time, which means they must be prepared to respond to one. It is therefore important that every business has a cyber incident response plan in place. This plan needs to be regularly reviewed to ensure it remains relevant and useful. It is also recommended that regular exercises are conducted using the plan, so that all stakeholders know their responsibilities during a cyber incident and all required resources are identified ahead of time.

Having an appropriate cyber incident response plan and capabilities in place can reduce the impact of a cyber attack on the business. Cyber insurance can provide further financial cover for organisations who are impacted by a cyber incident.

BDO is working with Cyber Plus to deliver a suite of cyber security insurance services to help businesses mitigate their cyber security risks.

If you need assistance with creating an incident response plan, or putting into place any of the cyber security recommendations outlined in this series, such as risk assessments or cyber insurance, please contact me.