Editor’s note: this article was written last year in conjunction with RiskLogic’s Cyber-Awareness campaign. We are re-publishing for 2017’s Cyber awareness month.
The Business Continuity Institute brings you another year of stats to help really put into perspective what the issues facing organisations are. Here is a break down of the 2016 Cyber Resilience Report. These numbers were researched and put together by Senior Communications Manager, Andrew Scott CBCI.
As I mentioned last week, BDO had stated in their cyber awareness workshop that one organisation would receive on average 17,000 attacks in 2016. By 2020, this is going to cost companies a staggering $3 trillion USD.
The frequency of these cyber incidents demonstrates why it is important for organizations to have plans in place to mitigate against these kind of threats, or to lessen their impact.
This has clear implications for the time taken to return to business as usual, and the ultimate cost of the incident to the organization.
Even if organizations wish to respond immediately to a cyber attack, the nature of the attack may render them unable to do so.
All these forms of attack will, in different ways, render an organization’s own network either contaminated or inoperable. An example of a company in New Zealand who a few years ago disappeared off the face of the earth reiterates this.
They had realised one afternoon someone was in their system, just sitting there waiting (which can be more worrying than if they’re actually attacking). The organisation took the first meaningful step and completely disconnected the whole business. 150,000 customers were contacted to change their passwords. Over two weeks the IT team rebuilt the company up from scratch. Confident that no hacker could get back into something completely rebuilt like this, they gained the stakeholders trust and invested millions into fixing this as soon as possible. On a Friday afternoon at 4:30pm, the business was ready to switch back on. Once they had, their CIO had been informed that the hacker was there again, waiting, back in the systems. His inevitable attack lead the company to loose a further couple of million dollars and send them to bankruptcy.
David James-Brown FBCI, Chairman of the BCI, commented: “This piece of research is one of the most timely, insightful and relevant the BCI has ever produced. Cyber attacks tend to target the weakest links of an organisation, and this calls for a greater awareness of ‘cyber crime’. As the cyber threat evolves, it is crucial to stay on top of it, building long-term initiatives and regularly updating recovery plans.”
Rickie Sehgal, Chairman of Crises Control, said: “Rapid communication with employees, customers and suppliers is vital for any company in terms of responding effectively to a major business disruption event such as a cyber attack. When your business is at risk, even a one hour delay in responding to an incident can be too long. Taking more than two hours to respond, as almost half of companies do, is just unacceptable.”
RiskLogic offers a comprehensive training course on cyber resilience and how your organisation can remain prepared and secured for when an attack occurs. Our experienced and credible consultants are well prepared and ready to assist you in your cyber journey. Contact us now to arrange your obligation free consultation.
Written by Brad Law -Senior Manager, Resilience Services & Country Manager NZ , edited by Ollie Law – Commercial Marketing Manager.
Over the past few years, RiskLogic has gained a reputation for providing truly unique and dynamic exercise simulations for organisations wishing to test their Business Continuity Program & resilience. Being able to understand how your team works when the pressure is on is vital, but being able to identify gaps and roadblocks that can occur during a crisis, probably more so.
Recently, RiskLogic sat down with Therese Chakour-West, the Information Technology Manager at STIHL Pty Ltd (STIHL) to revisit her experience in developing and validating a Business Continuity Plan (BCP) and attending an exercise.
STIHL established its name in the forestry and landscape world as far back as the mid 20’s. Today, they are now considered as the pioneers to petrol powered chainsaws and one of the most established brands in the market. Their chainsaws, handheld equipment, and tools are likely to be sitting in most handyman’s vans. When Mr. Andreas Stihl founded his company in 1926, it was unlikely he was considering the importance of a BC plan and running scenario exercises, however. So why is it today, in 2016, a large majority still haven’t acted on putting something in place?
Therese and her team are considered as early adopters in this case. They saw a need for a review and action before anything serious happened, and this was endorsed by the parent company’s auditors!
“We’ve not had a BCP at all before, so that was an obvious key driver. We identified a serious gap for the operation and we had to act on it. The auditors asked for things like the Disaster Recovery Plan (DRP) and we didn’t have any plan to show them! They really applied the pressure, so we had to get something done and it was our responsibility to do so for our own subsidiary.”
It’s no myth that directors, CEO’s and Senior execs are being spoken to all the time about BCP’s and risks that the organisation faces. A key challenge is convincing them of the importance but then getting it underway.
“I had been trying to get it off the ground for many years. The previous MD didn’t quite see the value but with the auditor’s support and the current Leadership team support, I knew I could finally get something done here. The interest was already there for the DRP, but it was also the BCP we had to align. You can’t have one without the other. So, I just took it upon myself to get it done. You know, it’s funny, when I met with the Chairman of the board in July, I told him what we had done with the exercises, the DRP & BCP and this convinced him enough to report the importance of them back to the parent company and other subsidiaries. He just got that we needed to do it.”
When you are part of a very large organisation, it is easy to forget that many areas of the business have different risks compared to that of head office. Therese understood quickly that their plan had to be different.
it was getting the guidance to put a plan that worked into action
“The parent company in Germany had their DR plan and it seemed obvious to use theirs. It didn’t take long to realise we had our own risks to focus on though. So, our procurement manager went to market and we found RiskLogic. That final BCP couldn’t have been handed down, it had to be unique for our three sites, it had to focus on our needs”.
“We’re a team of four full-timers here on the IT Crisis team (7 total members on the crisis team). It was a no-brainer to all of us we needed this in place, but it was getting the guidance to put a plan that worked into action”.
Those organisations that do not have a plan in place often ask themselves the same question, ‘what do we actually do if something happens?’ Most businesses will encounter at least 17,000 different versions and types of incident events each year (mostly small cyber attacks that fail); a vast majority of those will not have a BCP in place to deal with it.
“I asked myself that a few years back; if we have a crisis, what do we do? Who does what? Really, when you’re in that high-intensity situation – what are you going to do? We really were flying by the seat of our pants here”.
RiskLogic’s exercises focus on testing a business continuity program via realistic, hands-on scenario exercises. This is critical to:
1) Build familiarisation with staff roles, responsibilities, processes and available tools
2) Identify practical program improvements
3) Provide a high level of stakeholder assurance in an organisations recovery capability
At RiskLogic, we create event-driven, realistic scenario exercises, maximising participant engagement and providing a comprehensive, yet practical learning experience. We’ll even provide a Client with highly dynamic scenarios, utilising well-established exercise resources in a controlled exercise environment.
Over the last two years, we have run over 150 exercises and trained over 7,000 people on Business Continuity. A number of those organisations later went on to have a real life situation occur. They were able to successfully implement the plan they had originally rehearsed to deal with the situation.
Therese reiterated the importance of this, “You know, I’m keen to get these happening annually! Keeping the team refreshed because there is a lot of information, just keeping that awareness there”.
you get out and act and this simulation really showed the dynamics
“The scenario was a real eye opener for us; it was unanimous. You’re really put under the same pressure you would get in real life. We were getting emails, phone calls and you know you really are just winging it by that stage.”
“I actually got a phone call from ‘The Herald Sun’ and thought what am I supposed to say to them? I actually put my foot in it and it was a huge surprise there. You don’t think that an emergency you’re dealing with could be going viral on social media, and that can really hurt the brand.”
“I also noticed we needed a lot of focus on the ground level people. Who is going to check on our staff? Do we know who on the crisis team should focus on our people and where they should be based? Do you stay in the office while all this happens? No, you get out and act and this simulation really showed the dynamics we can provide as a small team, it was really great”.
Recently, a pastor who had eaten at an Applebee’s restaurant in the US crossed out the automatic ‘18% tip charged’ for parties of more than eight and wrote “I give God 10% why do you get 18” above her signature. A waitress at the restaurant took a photo of this and posted it online. She was subsequently fired for “violating customer privacy” which would have been understandable if Applebee’s had not posted a similar receipt that was complimenting them just 2 weeks prior.
As news of this incident spread like wildfire and infuriated people across all social media platforms, Applebee’s responded with a short post defending their actions on their Facebook page. This quickly drew over 10,000 mostly negative comments, to which Applebee’s started responding by posting the same comment over and over again. They were also accused of deleting negative comments and blocking users.
The downward spiral continued as Applebee’s persisted in defending their actions and argued with users that criticised them. By the following day, after the original post had generated over 19,000 comments, Applebee’s decided to hide the post which only created more anger.
“Gosh, you just shouldn’t underestimate the importance of this. People, customers talking about your brand without you being aware could be so damaging. There is so much at stake” Therese acknowledged when we mentioned a similar example.
Since their scenario exercise with RiskLogic in June 2016, Therese is initiating an awareness session with the wider team. Her three other locations throughout Australia will adopt the same processes to ensure everyone, everywhere, is prepared – especially their Primary Crisis Team working out of the command centre in Melbourne. This is a fantastic step for STIHL to promote their resilience and innovative nature in the market, but maybe more so having the ability to show their staff and clients they care about this subject!
“I have so much more to learn, I’m no Crisis Management expert but I definitely feel more confident in my team and our readiness when the pressure is on”.
To learn more about STIHL and their work, visit http://www.stihl.com.au/about-us.aspx
Until then, plan, do, check & act…