While many organisations have built a business continuity plan (BCP) into their framework, many don’t possess a management plan specific to cyber-risks, also known as a cyber-continuity plan.

Considering the high-profile data breaches that have occurred in the past couple of years, such as those at Facebook, British Airways and TalkTalk, along with the strict data protection requirements of the General Data Protection Regulation (GDPR), failing to account for cyber-exposures in your organisation’s BCP is a risk you simply cannot afford to take.

When a data breach or other cyber-event occurs, the damages can be significant, often resulting in legal actions, fines and serious financial losses.

What’s more, cyber-exposures impact businesses of all kinds, regardless of their size, area of focus, or status as a private or public entity. Even the most secure organisations are at risk of a data breach.

It can often take days or even months for a company to notice its data has been compromised. When it comes to containing the damage caused by a data breach, having a response plan in place is crucial.

While cyber-security programmes help secure an organisation’s digital assets, cyber-continuity and incident response plans provide comprehensive, proactive guidance for organisations to prevent cyber-threats, as well as reactive steps to follow when a cyber-event occurs.

Utilising a continuity and response plan helps an organisation to keep operating throughout an attack, to notify impacted customers and partners quickly and efficiently, and to limit financial and reputational damages.

Essentially, failing to have a clear plan in place that ensures immediate action in the face of a breach could cost a business huge sums of money and shatter its reputation.

Our toolkit provides organisations with a general overview of cyber-continuity and incident response plans: what they are, their benefits and how to implement them.

While businesses may approach cyber-security differently depending on their unique exposures and the kind of data they store, this resource provides a number of best practices to keep in mind.

Why Cyber-continuity and Incident Response Plans Matter

Simply put, every organisation that stores or handles data is at risk of a cyber-attack. As technology advances, companies are collecting, storing and transferring more personal information about their customers and employees than ever before.

Just one breach can affect thousands or even millions of individuals. Unfortunately, cyber-incidents cost more than just data:

- Data breaches are becoming increasingly expensive: While cyber-liability insurance can help offset the costs of a data breach and any subsequent litigation, just one breach can be financially devastating.

- Non-compliance fines can be significant: Under the GDPR, organisations that fail to comply with the law have the potential to suffer hefty fines from the Information Commissioner’s Office (ICO). Serious violations can result in fines of up to 4 per cent of turnover!

- Cyber-incidents can lead to serious reputational damage, significantly impacting directors and officers: When wide-scale breaches occur, a company’s reputation can be tarnished, sometimes permanently. In addition, the public holds organisations accountable for major losses of personal data, and directors and officers are often the ones who take the blame.

The Benefits of a Cyber-continuity and Incident Response Plan

Most organisations have some form of data protection in place. While these protections are critical to minimising the damage caused by a breach, they don’t provide clear action steps following an attack. That’s where cyber-continuity and incident response plans can help. Cyber-continuity and incident response plans are written guides composed of instructions, procedures and protocols that enable an organisation to respond to and recover from various kinds of data security incidents.

Cyber-attacks are no longer a matter of if, but when, and reacting to an inevitable breach takes more than just threat neutralisation. Companies must have the ability to respond to and defend against evolving threats. Cyber-continuity and incident response plans give organisations the tools they need to further enhance their data protection practices as well as help them:

1. Anticipate cyber-security incidents before they occur.
2. Minimise the impact of cyber-security incidents.
3. Mitigate threats and vulnerabilities while a cyber-attack occurs.
4. Improve cyber-security response overall, encouraging buy-in at a management level.
5. Reduce the direct and indirect costs caused by cyber-security incidents.
6. Maintain business continuity in the face of major threats.
7. Prevent the loss of data critical to their business.
8. Improve the overall security of their organisation.
9. Strengthen their reputation as a secure business, increasing customer confidence.
10. Devote more time and resources to business improvements, innovation and growth.

Above all, cyber-continuity and incident response plans can help organisations to better understand the nature of an attack, which, in turn, promotes a fast and thorough response to threats. However, cyber-continuity and incident response plans are typically created and implemented as part of larger cyber-security programmes. As such, it’s important for businesses to have a basic understanding of what goes into creating an effective cyber-security programme.

Training and Policies

Every cyber-security programme must address employee training and establish cyber-security policies. The content of these policies will differ depending on the size and type of the organisation, but they typically include similar elements. The checklists below identify questions organisations should ask in order to establish or adjust companywide cyber-security policies:

POLICIES

| Question | Yes | No | N/A |
|---|---|---|---|
| Does your organisation have a cyber-security policy in place? | | | |
| Is your organisation’s cyber-security policy enforced? | | | |
| Does your organisation’s cyber-security policy include an internet access policy? | | | |
| Does your organisation’s cyber-security policy include an email and communications policy? | | | |
| Does your organisation’s cyber-security policy include a remote access policy? | | | |
| Does your organisation’s cyber-security policy include a “bring your own device” (BYOD) policy? | | | |
| Does your organisation’s cyber-security policy include an encryption policy? | | | |
| Does your organisation’s cyber-security policy include a data breach response policy? | | | |

PERSONAL SECURITY

| Question | Yes | No | N/A |
|---|---|---|---|
| Does your organisation have a system in place for checking the background of employees and contractors that have access to computer systems and sensitive data? | | | |
| Are employees and contractors required to wear ID badges? | | | |
| After an employee or contractor is no longer authorised to conduct work on your organisation’s behalf, do you revoke access to your computer systems? | | | |

PHYSICAL SECURITY

| Question | Yes | No | N/A |
|---|---|---|---|
| Does your organisation ensure the physical security of its computer systems? | | | |
| Are personal computers inaccessible to unauthorised users? | | | |
| Are there procedures in place to keep computers from remaining logged in for prolonged periods of time? | | | |
| Does your organisation have a process for notifying IT personnel if a device is misplaced or stolen? | | | |

SECURITY AWARENESS AND EDUCATION

| Question | Yes | No | N/A |
|---|---|---|---|
| Are your staff informed regarding the importance of computer security? | | | |
| Does your organisation provide employees with cyber-security training on a regular basis? | | | |
| Are your staff members familiar with techniques they can use to prevent a security breach? | | | |
| In the event of a data breach, does your staff know how to respond? (This includes notifying the ICO within 72 hours of the data breach occurring.) | | | |
| Do your staff members know how to keep their passwords and hardware secure? | | | |

IT Security

One of the most important aspects of a cyber-security programme is the IT defences themselves. Above all, organisations want to invest in the right solutions: solutions that are adequate and up to date. Organisations should install industry-standard antivirus and malware protections, documenting any and all updates. It’s also important that your network is protected against internal and external attacks as much as possible. You should secure wireless networks using firewalls, malware detection and similar protections. Conduct penetration testing regularly and make sure that technical solutions are in place to detect and block suspicious activities or access. The checklist below outlines some general questions organisations should ask to promote thorough and comprehensive IT security:

IT PROCEDURES

| Question | Yes | No | N/A |
|---|---|---|---|
| Does your organisation keep operating systems and antivirus software up to date? | | | |
| Does your organisation periodically perform vulnerability scans on servers and all the computers used in your organisation? | | | |
| Does your organisation patch the software on all systems by following a regular schedule? | | | |
| Are employees required to create strong passwords? | | | |
| Does your organisation encrypt sensitive data? | | | |
| Does your organisation have a process for retrieving backup and archival copies of critical data? | | | |
| Does your organisation have policies and procedures in place for handling credit card and other personal private information? | | | |
| Does your organisation have “secure send” procedures in place so it can receive and distribute client information safely? | | | |

Cyber-security Programmes: A Continual Process

Creating a cyber-security programme is an involved process, and there is no one-size-fits-all solution. In fact, certain organisations may have more detailed programmes depending on the scope of their IT infrastructure and the type of data they handle for customers, partners and employees.

While basic considerations are outlined above, organisations will want to perform regular risk assessments to help them determine what specific steps to take when crafting a cyber-security programme.

As a qualified insurance broker, we can help you understand your cyber-risks and provide you with a list of key business areas to examine. Cyber-security programmes should evolve alongside the threat landscape, and you will need to update policies, IT protections and training information as needed.

To find out more, call me or my team on 01273 328181 or contact us.