Managing the risks in a cyber incident.
Managing the Risks from an Incident in a Small Business
We are focussing on cyber incidents, which we consider to be a breach of a system's security that affects the integrity, availability or confidentiality of that system. With careful planning we can reduce the cost and time of implementing solutions that protect the business in the event of an incident, and at the same time meet some of the operational requirements for guarding against accidental loss of service and data as well as malicious loss.
Incident Response Team
Large corporates will have a whole team assigned to planning for incidents and actioning the plan when something happens. This team may be spread around the globe, so it's important for them to be listed clearly with their responsibilities and how they can be contacted. In a smaller organisation we don't have the luxury of a team dedicated to this role. Small organisations do have the advantage of tight-knit management structures that are used to working together and are often local, with little bureaucracy and typically fewer complex systems to manage. This means that they can move rapidly on a problem if they have a plan and the right level of support.
Identify Key Roles in the Plan
Smaller companies only need a compact team: the people who understand the systems and the people who are required to run with the plan. Often these are the same people. Make a list of who will be responsible for each part of the plan, and consider what will happen if they are not available.
List the key contact details for each person and for external resources so that you can find them quickly when you need them and the pressure is on.
Make sure that each person understands what they need to do and the timeframe it needs to be completed in. The 72-hour window for reporting a data breach to the ICO can be difficult to meet, especially if time has been lost trying to determine the correct course of action.
Build an Information Asset Register
Create a list of the key systems and processes, along with the data they contain and the roles they play. When we do this, the usual result is about twice the number of systems originally estimated. You will find that this is also an important part of meeting your GDPR requirements.
Build an information asset register that lists the following:
- Name of the system
- Description of its operation and purpose, including how it processes data
- What kind of data it contains (commercial, personal)
- What categories of data it holds (any special category)
- How much data it contains
- Where the data comes from and where it is shared or transferred to
- Where the system is located
- How it is accessed and how it is protected from unauthorised access
- Who accesses it and why
- How the system is protected from loss (backups and security measures)
Analyse the risks to the systems
Each system carries a risk to the business, based on some common scenarios:
- System failure (could be denial of service or failure)
- System is compromised and data is stolen (security failure)
Give each system a risk rating based on the information above, and look at what is required to protect it given those risks. We typically assign two risks:
- Commercial risk
- Personal risk
The commercial risk is the direct risk to the business from a system outage or loss of data: financial losses due to the inability to work, loss of intellectual property and business secrets, and loss of customers and future business.
The personal risk is based on the type of data stored and the risk to the data subjects. This is where we need to consider GDPR and the consequences of a data breach. These consequences could be regulatory fines, litigation and loss of reputation. The ICO can apply penalties for not having the appropriate level of controls and products in place to protect the data. Under GDPR an organisation could face a fine as high as 2% of global turnover for not having adequate and appropriate protection in place.
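To show how the register and the two risk ratings fit together in practice, here is an added example (not code from the article or its author) that records each system with the fields listed above and derives a commercial and a personal risk band from them. The register layout, the scoring weights, the risk bands and the three sample systems are all assumptions made for this example; the article does not prescribe a scoring scheme, so adjust the weights to your own business.

```python
"""Information asset register with per-system risk scoring.

Added example for this article. The dataclass layout, the scoring
weights and the sample systems are assumptions, not the article's method.
"""
from dataclasses import dataclass
from typing import List

# GDPR special-category data types tracked as plain strings (assumption).
SPECIAL_CATEGORIES = {"health", "biometric", "ethnicity", "religion", "political",
                      "sexual orientation", "trade union", "genetic"}


@dataclass
class Asset:
    """One row of the information asset register (fields follow the article's list)."""
    name: str
    purpose: str
    data_kinds: List[str]        # e.g. ["commercial", "personal"]
    data_categories: List[str]   # e.g. ["health"] for special-category data
    record_count: int            # how much data it contains
    location: str                # where the system is located
    accessed_by: List[str]       # who accesses it
    backed_up: bool              # protected from loss
    encrypted_at_rest: bool      # protected from unauthorised access
    business_critical: bool      # an outage stops daily operations


def _band(score: int) -> str:
    """Map an assumed numeric score onto a low/medium/high band."""
    if score >= 4:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def commercial_risk(asset: Asset) -> str:
    """Risk to the business from an outage or loss of this system (assumed weights)."""
    score = 0
    if asset.business_critical:
        score += 2
    if not asset.backed_up:
        score += 2
    if "commercial" in asset.data_kinds:
        score += 1
    return _band(score)


def personal_risk(asset: Asset) -> str:
    """Risk to data subjects from a breach of this system (assumed weights)."""
    if "personal" not in asset.data_kinds:
        return "none"
    score = 1
    if any(c in SPECIAL_CATEGORIES for c in asset.data_categories):
        score += 2
    if asset.record_count >= 1000:
        score += 1
    if not asset.encrypted_at_rest:
        score += 1
    return _band(score)


def missing_controls(asset: Asset) -> List[str]:
    """Protective measures the register shows are absent for this asset."""
    gaps = []
    if not asset.backed_up:
        gaps.append("no backup")
    if "personal" in asset.data_kinds and not asset.encrypted_at_rest:
        gaps.append("personal data not encrypted at rest")
    return gaps


def risk_report(register: List[Asset]) -> List[dict]:
    """One summary row per asset, highest personal risk first, then commercial."""
    order = {"high": 0, "medium": 1, "low": 2, "none": 3}
    rows = [{"name": a.name, "commercial": commercial_risk(a),
             "personal": personal_risk(a), "gaps": missing_controls(a)}
            for a in register]
    return sorted(rows, key=lambda r: (order[r["personal"]], order[r["commercial"]]))


# Constructed sample register; these are not real systems.
SAMPLE_REGISTER = [
    Asset("HR database", "staff records and absence", ["personal"], ["health"],
          45, "office server", ["HR manager"],
          backed_up=True, encrypted_at_rest=False, business_critical=False),
    Asset("Order system", "customer orders and invoicing", ["commercial", "personal"],
          [], 12000, "cloud SaaS", ["sales", "accounts"],
          backed_up=True, encrypted_at_rest=True, business_critical=True),
    Asset("Shared drive", "design files and quotes", ["commercial"], [],
          0, "office NAS", ["all staff"],
          backed_up=False, encrypted_at_rest=False, business_critical=True),
]

if __name__ == "__main__":
    for row in risk_report(SAMPLE_REGISTER):
        print(row)
```

The `gaps` column is the useful output for a small business: it turns the register into a to-do list (the shared drive has no backup, the HR database holds special-category data unencrypted) without anyone having to remember the scoring.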
Reduce the Risks
There are many things that can be done to reduce the risks. Implement appropriate processes to protect your systems and data. For small companies this can often be as simple as installing security software and backup systems. Pick systems that can perform the critical roles and also be part of daily operations. The key components of the security systems for smaller organisations are:
- Backup systems.
- Antivirus and Anti-malware.
- Antispam and mail security.
- Encryption.
- Employee training. (Don’t underestimate the value of this)
The most common example is a backup system. We like to use online backup systems that act as both the daily backup and the recovery system in the DR plan. The other benefit is that the backup is automatically offsite, which is essential if you are unfortunate enough to have a fire.
Corporate organisations use Data Loss Prevention (DLP) systems to monitor and control the possible loss of data; this technology is now trickling down into standard security software such as antivirus and email security. If you are recording NI numbers or bank details, set alarms for when these types of data leave the boundaries of the business.
Where data is critical, consider whether it can be protected by applying suitable access controls and security measures such as encryption. Remember to review this regularly and keep the information asset register up to date.
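The alarm on NI numbers and bank details leaving the business, as an added example that is not code from the article or from any DLP product: a small rule that a mail or file gateway could apply to outbound text. It alerts only when the recipient is outside the business's own domain, and masks the matched value so the alert itself does not re-expose the data. The NI number pattern is simplified from the published format (two letters, six digits, suffix A to D, with some letters excluded); the sort code plus account number pattern, the domain check and the sample messages are assumptions constructed for this example.

```python
"""DLP-style outbound check for UK NI numbers and bank details.

Added example for this article. Patterns are simplified (assumption);
sample messages and domains are constructed.
"""
import re
from typing import Dict, List

# National Insurance number: two letters, six digits, suffix A-D.
# Simplified: the first letter may not be D, F, I, Q, U or V and the
# second may additionally not be O; unallocated prefixes are not excluded.
NI_NUMBER = re.compile(
    r"\b[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z] ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b",
    re.IGNORECASE,
)
# Six-digit sort code (optionally dashed) followed within 40 non-digit
# characters by an eight-digit account number (assumed heuristic).
BANK_DETAILS = re.compile(r"\b\d{2}-?\d{2}-?\d{2}\b[^\d]{0,40}\b\d{8}\b")

RULES = {"ni_number": NI_NUMBER, "bank_details": BANK_DETAILS}


def find_sensitive(text: str) -> Dict[str, List[str]]:
    """Return every match per rule; an empty dict means nothing was found."""
    hits: Dict[str, List[str]] = {}
    for name, pattern in RULES.items():
        found = [m.group(0) for m in pattern.finditer(text)]
        if found:
            hits[name] = found
    return hits


def mask(value: str) -> str:
    """Keep only the last two characters so an analyst can correlate without re-exposing the data."""
    return "*" * (len(value) - 2) + value[-2:]


def check_outbound(sender: str, recipient_domain: str, body: str, own_domain: str) -> dict:
    """Raise an alert only when sensitive data is leaving the business boundary."""
    leaving = recipient_domain.lower() != own_domain.lower()
    hits = find_sensitive(body) if leaving else {}
    return {
        "sender": sender,
        "alert": bool(hits),
        "reasons": {rule: [mask(v) for v in values] for rule, values in hits.items()},
    }


if __name__ == "__main__":
    # Constructed messages; example.co.uk is assumed to be the business's own domain.
    internal = check_outbound("payroll@example.co.uk", "example.co.uk",
                              "New starter NI AB 12 34 56 C", "example.co.uk")
    external = check_outbound("payroll@example.co.uk", "example.com",
                              "New starter NI AB 12 34 56 C, pay to 20-00-00 account 12345678",
                              "example.co.uk")
    print(internal)
    print(external)
```

In a real gateway the same two functions would sit behind the mail filter's hook; what matters for a small business is that the rule fires on the boundary crossing, not on every internal email that legitimately contains payroll data.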
- You will need to monitor and test these systems; we often do this for our customers because they don't have the time or skill set to do it in house.
- Look at how the system reports events and errors and understand what is normal.
- Set alarms and alerts that trigger on unusual behaviour such as viruses and security breaches. You may consider a user logging on to a system from outside the country as unusual and warranting investigation.
- Test the systems regularly: restore some test data every month.
- Test-restore a whole system once a year; this is your disaster recovery scenario. We encourage the use of an offsite restore.
- Maintain the integrity of systems by installing system and security updates. Consider following best practices such as Cyber Essentials.
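The "unusual behaviour" alerts above, as an added example that is not code from the article: two rules run over constructed login events, one for the case the article names (a successful login from outside the country) and one for a run of failed attempts followed by a success, which a small business can spot from the same log. The key=value log format, the home country, the failure threshold and the sample lines are assumptions made for this example; map the parser onto whatever your own systems actually emit.

```python
"""Alert rules over login events.

Added example for this article. Log format, home country, threshold and
the sample log lines are all assumptions constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List

HOME_COUNTRY = "GB"     # assumption: the business operates from the UK
FAILURE_THRESHOLD = 5   # assumption: five failures before a success is unusual

# Constructed sample log: one event per line, key=value fields, RFC 5737 test addresses.
SAMPLE_LOG = """\
2024-03-04T08:12:03Z user=alice ip=203.0.113.10 country=GB result=success
2024-03-04T08:15:44Z user=bob ip=198.51.100.7 country=GB result=success
2024-03-04T23:41:09Z user=alice ip=192.0.2.55 country=RO result=success
2024-03-05T02:01:10Z user=carol ip=192.0.2.9 country=GB result=failure
2024-03-05T02:01:12Z user=carol ip=192.0.2.9 country=GB result=failure
2024-03-05T02:01:15Z user=carol ip=192.0.2.9 country=GB result=failure
2024-03-05T02:01:17Z user=carol ip=192.0.2.9 country=GB result=failure
2024-03-05T02:01:20Z user=carol ip=192.0.2.9 country=GB result=failure
2024-03-05T02:01:25Z user=carol ip=192.0.2.9 country=GB result=success
2024-03-05T09:00:00Z user=dave ip=192.0.2.77 country=GB result=failure
2024-03-05T09:00:30Z user=dave ip=192.0.2.77 country=GB result=success
"""


@dataclass
class LoginEvent:
    time: str
    user: str
    ip: str
    country: str
    result: str


def parse_log(text: str) -> List[LoginEvent]:
    """Parse key=value lines; skip malformed lines instead of failing the whole run."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        try:
            events.append(LoginEvent(parts[0], fields["user"], fields["ip"],
                                     fields["country"], fields["result"]))
        except KeyError:
            continue  # missing field: not a login event we can assess
    return events


def foreign_logins(events: List[LoginEvent]) -> List[str]:
    """Rule 1: a successful login from outside the home country."""
    return [f"{e.time} {e.user} logged in from {e.country} ({e.ip})"
            for e in events if e.result == "success" and e.country != HOME_COUNTRY]


def failure_then_success(events: List[LoginEvent]) -> List[str]:
    """Rule 2: a success preceded by a run of failures for the same user."""
    alerts = []
    streak = defaultdict(int)
    for e in sorted(events, key=lambda ev: ev.time):  # ISO timestamps sort as text
        if e.result == "failure":
            streak[e.user] += 1
        elif e.result == "success":
            if streak[e.user] >= FAILURE_THRESHOLD:
                alerts.append(f"{e.time} {e.user} succeeded after {streak[e.user]} failures")
            streak[e.user] = 0
    return alerts


def run_rules(text: str) -> List[str]:
    """Parse once, apply every rule, return the combined alert list."""
    events = parse_log(text)
    return foreign_logins(events) + failure_then_success(events)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOG):
        print("ALERT:", alert)
```

Run against the sample log this raises two alerts: alice's login from RO and carol's success after five failures; dave's single failed attempt stays below the threshold and is treated as normal. The point of the "understand what is normal" step above is exactly choosing that threshold and the home country from your own logs before switching the alarm on.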
Summary
If this is sounding like a Disaster Recovery Plan or Business Continuity Plan, that is because it is. Incidents, whether cyber related or system failures, can quickly become disasters in small companies. We need to combine our plans to cater for all types of incident, and the protective measures we implement must fulfil multiple roles, both in standard daily operations and in major incidents.
Consider insurance! Cyber insurance policies are still in their infancy but will become a normal part of a business insurance policy. At the moment they appear complex, and with the different terminology used they can be hard to compare, so pick a good broker who can guide you through the options.
In the next article we will look at running the plan…