Key takeaways
- It’s a matter of when, not if, you’ll suffer a cyber attack.
- Plan ahead so you know what you’ll do in the crucial first 24 hours.
- Don’t try to go it alone — assemble your team of trusted advisors before you need them.
On 24 April 2024, we partnered with world-leading cyber security experts S-RM to discuss the critical touchpoints of a cyber crisis and how to respond in the early hours of an attack. We’d like to thank our panellists, Yasmin Mangalji (General Counsel, Advanced) and Daniel Caplin (Head of UK Cyber Incident Response, S-RM), and the board directors and governance professionals who attended.
When, not if
Cyber attacks are becoming more prevalent and increasingly sophisticated, with corporates vulnerable to a wide range of attacks — from ransomware to business email compromises and, in some cases, nation-state espionage.
The pre-eminent threat lies in ransomware attacks, which are often carried out by organised criminal groups. They gain access to your networks before stealing data and destroying any backups they can find. They then ransom the stolen data, making threats to release it or sell it on unless their financial demands are met.
Although the percentage of ransomware victims who pay is falling (down from nearly 80% in 2019 to around 30% today), the number of attacks has almost doubled to over 5,000 known victims. Ransomware groups took over £2 billion in 2023, doubling their 2022 takings.
With this trend showing no sign of slowing, boards must come to terms with this risk. Cyber attacks take a prominent position on the risk register and, even if you take every step that you can think of or are advised to take, the best you can expect is reduce the risk of an attack happening and lessen its impact when it does.
“The thing about cyber risk is that it’s always red. We’re getting to the point where it’s ‘death, taxes and cyber attacks’. It’s inevitable.”
~ Yasmin Mangalji, General Counsel, Advanced
It’s not a case of wondering what you would do if you’re the victim of a cyber attack, but rather what you will do when it happens.
Who you gonna call?
Preparation is unlikely to prevent an attack, but it will help when crisis strikes.
Cyber incident response plans — which you can put to the test in simulation exercises — will ensure that senior leaders know their own responsibilities, as well as those of others, when the time comes. Knowing who to inform, who to consult, and who can make certain decisions will improve both the speed and quality of your response.
Crucially, however, you need to understand these incident plans — especially if you’re not from a technical background. So, ask the right questions before the crisis and probe, test, and challenge the team until you get answers you understand. What are our key assets? Are we protecting our data, IP, and systems? What are the layers of protection that we have in place? Who gets alerted when there’s an attack, and in what order — and how can we contact them if our usual systems are down?
“If they can’t explain it to you, they probably don’t understand it themselves. And if it doesn’t make sense to you, it probably doesn’t make sense to anyone.”
~ Yasmin Mangalji, General Counsel, Advanced
This matters because your decisions in the early hours of an attack will determine the overall success of your response. The first 72 hours will be intense; it will be difficult to determine the extent of the attack and to form a holistic picture of how your systems have been affected. Your first move should therefore be to muster your team (internal and external) so you can understand exactly what’s happening and work out how best to stem the bleeding.
There are some practical steps you can take, too. Making sure everyone is using clean devices is a priority early on — often, senior leaders are targeted with malware that allows the attacker to covertly keep an eye on the organisation’s response or sabotage the recovery. You should also disable as many systems as necessary to prevent the attack spreading to unaffected areas of the business or third parties. And leaders should keep their cyber response plan somewhere safe, so they can access it even if (or when) your organisation’s communications are taken down.
Don’t bottle it up
Don’t fall into the trap of thinking that you can handle the incident on your own, however sophisticated your systems or experienced your team. Opt instead for expert independent advice that you can call on at short notice and trust.
During a cyber attack, tensions often run high — people can be quick to blame and internal teams can (understandably) take a defensive stance. Bringing in an impartial third party without emotional attachment to the situation can help to diffuse these tensions and plot a route through the chaos.
“For the victims of a cyber attack, it’ll be the worst day of their professional lives. But for independent experts, managing crises is what we do week in, week out.”
~ Daniel Caplin, Head of UK Cyber Incident Response, S-RM
But don’t leave it until you’re under attack to mobilise your advisors — because by then it’s already too late. Research your options and build relationships in advance. And if you have cyber insurance, it’s worth finding out ahead of time what is (and isn’t) covered by your policy and which advisors they recommend or will allow you to work with. When it comes to cyber, specialisation and speed of response count.
Be proactive
It’s impossible to discount the risk of cyber attack, so it’s incumbent on every board to ensure that their organisation is as prepared as possible. And with the average cyber-attack costing businesses $1.7 million, to say nothing of the reputational damage and the 12-24 month distraction, boards can’t afford not to pay close attention to their cyber preparedness.
But with half of directors thinking that at least one fellow board member should be replaced by someone more tech-savvy, it’s more important than ever that boards get their cybersecurity ducks in a row. By using a board portal, boards can arm themselves with the tools they need to keep their board materials secure — and remove unnecessary security risk by safeguarding the confidential information they rely on.
