We have all received those emails from someone in a foreign country that has millions of dollars for us…and we’re all still waiting for it! Of course, just about everyone knows at this point that these are bogus messages. In the meantime, threats are evolving, phishing and spearphishing emails are becoming more sophisticated and prevalent, and automated technologies and artificial intelligence are making it harder to protect our businesses. On the personal side, identity theft and other threats to our personal safety are on the rise – and that is concerning for everyone.
Unfortunately, even with all the technology and security available, just about every business at some point will become the victim of an inevitable cyberattack. A determined, well-equipped cybercriminal can penetrate any network. Businesses have lots of security and training in place, but what many businesses do NOT have is a step-by-step holistic plan to recover from cyberattacks. This goes far beyond data backups. Prevention is only half the battle; recovery is the other.
Now, we all know that we need to pay attention, and pay money to protect our businesses, and there are 3 main reasons why companies invest in cybersecurity:
- First, there continues to be an increased frequency of cyberattacks – according to a recent report from the ACR (Annual Cybercrime Report), cybercrime is now more profitable than the global trade of all major illegal drugs – COMBINED! That’s around $6 TRILLION annually that business and organzations have lost to cybercrime and it represents the greatest transfer of economic wealth in history!
- Second, these attacks have been causing a greater impact on business continuity than ever before. Some businesses cannot afford to be down for minutes, let alone hours, days or weeks. Many businesses, large or small, could go OUT of business after a major disruption. Think about the loss of not only your job, but of all those who depend on your business – employees, vendors, contractors…that impact produces a domino effect throughout the economy.
- Third, data breach costs have skyrocketed due to not only business downtime, but theft of intellectual property, trade secrets, stolen customer personal information, financial and account information, vendor records and much more that can be used or sold on the Dark Web.
Whatever the motivation behind a cybercriminal’s behavior – the bottom line is that you need to have a comprehensive plan in place that allows you to sleep a little better at night, knowing who to call, what to do, and how to do it.
In order to do so, many cybersecurity professionals miss (or ignore) the core tenets of a business that can impact the effectiveness of a recovery plan. These include the mission of the company, the vision of the owners, and the corporate culture at the business. You might be wondering, “What does that have to do with a recovery plan?” In a nutshell – everything!
To begin with, in order to know what is important to protect, you must first start with what the Mission of the company is. In most organizations this is written down somewhere – perhaps relegated to and hidden in an Employee Manual, or it may be on the wall in the break room in full view as a constant reminder to all. If it is not written down, or if it has not been reviewed in some time, a perfect time to review it is before creating or updating your business continuity or incident response plan. Essentially, this is what you do and who you do it for.
Next, it is also important to know what the Vision for your company is. That is, what is your “end result” that you wish to achieve? This is the direction that your company is headed. Again, this should be written down and clear to all employees who should be reminded of it regularly. Why? Because it will cement in them the reason why your company exists. It is what they are all working towards and a reminder that they need to perform to the best of their ability as safely and securely as possible for the benefit of everyone. This includes not just your clients or customers, but fellow employees, vendors, board of directors, contractors – everyone. Jeopardizing the business not only puts individuals at risk, it puts many others at risk as well in a domino effect.
It is absolutely critical that your Mission and Vision statements be well defined because they define the value that you need to protect, and will help give you answers to questions that need to be addressed later in the process of creating or updating your Business Continuity Plan.
Finally, you must understand the Culture of your company. The corporate culture of your business is what your company stands for. This includes its values, beliefs, principles, ways it is managed, the types of employees that work there, and more. It is the sum of all the parts and more influential and powerful than the strategy that drives your company. It is imperative that you understand the culture of your company because that is what creates the backbone of your cybersecurity plan. Knowing this will allow you to develop an effective plan in line with your culture. If you try to implement controls and excessive security at a business with a lax corporate culture or one that thrives on creativity and innovation, your employees will rebel against overly restrictive controls. At the other extreme, if you have a very rigid corporate culture due to the nature of your business such as one that deals with highly sensitive data, having controls that are not restrictive enough will be equally, if not more damaging.
Understanding these seemingly unrelated items is imperative in creating an effective and secure workplace for everyone involved, both directly and indirectly. Ignore at your own peril!