It’s hard to ignore the headlines; the past few years have brought floods, plagues and an unprecedented rise in cyber-attacks. New Zealand businesses have taken the brunt of these events. Some have been pushed to breaking point.
Floods and plagues are tangible events. We can usually see them coming and prepare for the worst. Cyber-attacks are like a bolt of lightning: one minute it’s a sunny day, and the next minute your business is on fire and you are scrambling to mitigate the damage.
Cyber resilience is a measure of how well you can manage a cyber-attack or data breach while continuing to maintain business operations effectively. There are some simple steps you can take to make your business more resilient to cyber-attacks.
Step One: Know what you are trying to protect
All businesses have information that, if lost, would compromise the viability of the business. When considering what you need to protect, think of your information as assets whose confidentiality, integrity and availability you need to maintain. Which ones are the most important for your business to protect?
Knowing what you need to protect makes it easier to determine whether your cybersecurity protections are sufficient.
Step Two: Mind the gaps
Cyber resilience is more than just having anti-virus installed. Pay attention to the resilience of your people, processes and technology; cyber health checks will identify gaps and recommend improvements. Specialist cyber resilience companies such as Intelligensia provide impartial assessments of your cyber resilience and can liaise with your IT provider to get you the right level of protection.
Step Three: Know your risk appetite
Know how much risk you are willing to accept for your business. This helps you decide how much you need to invest in cybersecurity protections. For example, if you keep sensitive client information, invest in offline backups that can’t be compromised if you succumb to a ransomware attack. An investment in offline backups will minimise not only the loss of information, but also your downtime.
Step Four: Business impact
During the recent floods, power, phones and the internet were disabled for some time. A cyber-attack on your managed IT services provider or software vendor could similarly leave you with no access to your computer systems or information for extended periods. Think about the business impact if you can’t access your customer, financial or bookings information for an extended period. Use a scenario of not having access to vital tools and information for up to a month. During large-scale cyber-attacks, your IT providers will be juggling competing demands to get multiple businesses operational again. Check your service level agreements and know the level of support you can expect.
Step Five: Incident response plan
An incident response plan lets you take a methodical approach to deal with a cyber-attack when it occurs. Many businesses think that calling their IT provider to fix the problem is all that is needed. Certainly, they can fix the technical problems, but you have obligations as well. For instance, you may need to notify the Privacy Commissioner if personal information has been stolen. Failing to report information breaches can result in a hefty fine. Informing customers that you’ve lost their information is another requirement. The way you manage a cyber-attack will determine the impact on your business’s reputation and your customers’ level of trust.
Essential to be cyber resilient
Cyber-attacks are on the rise. They increased 600% during the pandemic; security commentators predict that this year a business will suffer a ransomware attack every eleven seconds. More than 90% are caused by someone clicking on a phishing email. It’s not a case of ‘if’ you get attacked, rather ‘when’. Being cyber resilient puts your business in a much stronger position to weather the storm and recover quickly from a cyber-attack.
If you want your business to survive in today’s digital economy, develop your cyber resilience now.
Jan Thornborough established Intelligensia in 2021 after realising that although big organisations were dealing with cyber risks, small and medium-sized businesses and not-for-profits were being left behind. Intelligensia’s mission is to bring the same level of expertise enjoyed by large companies and government agencies to smaller organisations.
Previously, Jan was head of the cyber resilience unit at New Zealand’s National Cyber Security Centre that helps nationally significant organisations become more cyber resilient.
DISCLAIMER: All the information published in Fineprint is true and accurate to the best of the authors’ knowledge. It should not be a substitute for legal advice. No liability is assumed by the authors or publisher for losses suffered by any person or organisation relying directly or indirectly on this newsletter. Views expressed are those of individual authors, and do not necessarily reflect the view of Edmonds Judd. Articles appearing in Fineprint may be reproduced with prior approval from the editor and credit given to the source.
Copyright, NZ LAW Limited, 2022. Editor: Adrienne Olsen. Ph: 029 286 3650