The Business Continuity Institute conducted research into the causes of, and responses to, the growing threat of cyber attack. This research is based on a survey of 369 business continuity professionals from right across the globe and it confirms some worrying trends in how companies respond to such incidents.
66% of respondents to the survey reported that their companies had been affected by at least one cyber security incident over the last 12 months. The costs of these incidents varied greatly, with 73% reporting total costs over the year of less than €50,000, but 6% reporting annual costs of more than €500,000.
The BCI research found that there was a wide range of response times for cyber incidents. Almost a third of companies (31%) responded promptly, within one hour. However, one fifth (19%) take a worrying four hours or more in responding to a cyber event and almost half (45%) take more than two hours to respond. This has clear implications for cost , the amount of damage done and the risk to the company’s reputation. You only have to think about the speed of TalkTalk’s response to their cyber attack and the long-term impact on the company to recognise this.
Even if companies wish to respond immediately to a cyber attack, the nature of the attack may render them unable to do so. The research found that phishing and social engineering was the top cause of cyber disruption, with over 60% of companies reporting being hit by such an incident over the past 12 months and 37% hit by spear phishing.
It also found that 45% of companies were hit by a malware attack and 24% by a denial of service. All of these forms of attack will, in different ways, render a company’s own network either contaminated or inoperable. Their website may have been taken down and they may well have to switch off their internet connection until they can secure themselves from further attack.
Rapid communication with employees, customer and suppliers is vital for any company in terms of responding effectively to a major business disruption event such as a cyber attack. Companies are only now realising a resilient response plan must include a cloud-based communications solution that does not touch the company network. It is vital that such a solution stands completely separate from your network if it is to be of use to you when your own system has been contaminated or compromised and needs to be isolated.
When your business is at risk, even a one hour delay in establishing contact with your response teams to an incident can be too long and very expensive. Taking more than two hours to respond is just unacceptable. There are new apps out there that can significantly improve response times. Crises Control is one such mobile app that can help you reduce that response time to under two minutes, saving you both money and possibly even your business reputation.
In the wake of the TalkTalk attack and others, legislators are getting involved. The Culture Media and Sport Committee has just published a report suggesting a regime of corporate fines where companies fail to take reasonable action to prevent cyber attacks or fail to inform stakeholders that they have been attacked. Take action now, before this happens to you.
Chairman – Crises Control