Cyber Security
The non-IT expert’s guide to surviving a cyberattack
C By Lex Drennan
42 | Asia Pacific Security Magazine
yber-crime is one of the fastest growing industries in the world. In the last year, it is estimated that cybercrime costs business over $400 billion, including reputational damage, costs to remediate breaches and interruption to normal business operations . There is no doubt that the real figures are higher due to under reporting and it is projected to reach a staggering $2 trillion by 2019 . The risks arising from cyber-crime are clearly top-ofmind for the C-suite and those concerns are only likely to increase as the cyber-crime industry grows increasingly sophisticated. This rising level of concern reflects awareness that cyber-crime is no longer “just an IT issue”. The mode of business interruption may be through information technology, but the impacts are organisation-wide and have the potential to destroy businesses. The most common types of cyber-attacks fall into the categories of ransomware, data theft and malicious interruption. Whilst the technical details of these attack modes are relevant at the operational level, at the board-room it is necessary to understand the type of attack mode as it has significant bearing on your response options and the management strategy you implement. The following scenario will call on the skills of all the executive team to address it – whether you consider yourself an IT expert or not. This is the nightmare scenario – compromised systems, breach of privacy, harm to customers and significant reputational damage. Nonetheless, an executive team can take immediate and critical steps to minimise the extent of this breach.
1.) Establish Management Control With a sudden-onset critical incident, employees and customers will naturally look to the business’ leaders to see who is in charge. There is often a grace period where customers and the general public will sympathise with a business as the victim of an attack. However, this grace period does not last long. The absence of clear, strong leadership by the executive team can be taken as a sign of incompetence, rapidly turning a potentially sympathetic audience into a hostile one. For organisations that have pre-defined Crisis Management Plans, this is the time to implement them. Often businesses take a ‘wait and see’ approach to activating these plans, fearing that they may be crying wolf. However, any time lost at the commencement of managing a crisis cannot be regained, and will immediately place the business on the back foot. It is essential that the management team rapidly assemble to assess how serious the incident is, its potential for escalation and, most importantly, to communicate these actions to staff and customers. 2) Address the Technical Issues Whether or not you understand the technical aspects of a cyber attack, you cannot back away from building a strategy to address it. If your business is large enough to have inhouse IT staff, call on them. They may not be cyber-crime experts but asking questions is the best and only way to