Preparation is Key

31.08.22

Blog, Cyber

This article was written and provided to the Scottish Business Resilience Centre by Catriona Garcia-Alis, Senior Associate, Dispute Resolution Team, CMS.

I don’t remember the first time I was introduced to the quote commonly attributed to Benjamin Franklin “by failing to prepare, you are preparing to fail”, but it was very early on in my legal career and I diligently added it to my mental list of quotes to live and work by. Since then, it’s cropped up in so many of the professional development training sessions I’ve attended (20-plus years of them) that I confess the quote has lost a bit of its initial sparkle for me, dulled from over-use. But despite that, there can be no doubting the wisdom of Mr Franklin’s words. No-one likes to fail, and I’m sure we can all think of numerous examples from both our personal and our professional lives where we have put those words into practice without thinking about it, in order to avoid failure and the repercussions that failure can bring: whether it was putting in the necessary study to ensure you got good marks in school or university exams, or making sure you had done the necessary research and preparation to be ready for a job interview or client pitch. Or preparing a cyber incident response plan for your business to manage and mitigate the risks of a cyber attack, right?

Given that the cyber threat landscape has for many years been widely acknowledged in media headlines as well as in annual cyber risk reports to be increasing year on year, it puzzles me why preparing for a cyber attack is something many businesses across the country seem hesitant to do. The pandemic has exacerbated these trends. The Marsh Cyber Risk Trends Report 2021 stated that the pandemic had expanded the cyberthreat landscape and accelerated the pace of cybercriminals – “[a]lthough organisations and governments around the world have been expecting rapid evolution of the cyber risk landscape for some years, never has the threat been more confronting and pace more rapid as it is today.”

In case it needed saying, the UK Government’s Cyber Security Breaches Survey 2022 points out that “the ability to detect and quickly respond to cyber breaches will help reduce the operational, financial and reputational damage” that such attacks can inflict on a business. Interestingly, however, UK businesses were found to be more likely to take a reactive than a proactive approach to responding to cyber incidents: 84% of businesses said they would inform the board, and 73% said they would make an assessment of the attack, in response to a breach occurring; in comparison, only 19% of UK businesses, and 22% of charities, had a formal incident response plan in place. Even fewer businesses had plans which covered communications and public engagement (14% and 15% respectively) – a significant aspect of any comprehensive incident response plan given the impact a cyber attack (and the perception of lax cyber security) can have on a business’s reputation.

In addition, the survey found that the percentages of businesses with a formal incident response plan were much higher amongst large businesses and very high-income charities (70% and 72% respectively), which means it is the micro-businesses and SMEs that are most likely to find themselves navigating the choppy waters of a cyber attack without a route map to guide them.

The survey also contained interesting data in relation to the types, frequency and impact of cyber attacks and breaches. Phishing remains the most common type of breach or attack faced by UK businesses (83% of reported attacks experienced by businesses were phishing attacks). Although phishing attacks did not necessarily result in significant negative consequences in terms of money or data loss, they were nonetheless considered by businesses to be the most disruptive form of attack. Ransomware attacks, on the other hand, were much less prevalent (accounting for just 4% of reported cyber attacks), but they were still considered a major threat to businesses owing to the more substantial damage they tended to inflict. The survey warned that cyber security is not a one-dimensional issue for organisations, and businesses need to be prepared to respond to all manner of cyber threat.

When providing breach response services, time is of the essence. An initial response team call with the key individuals is vital to understanding the situation, and ultimately to containing it, and working with the organisation to understand its business priorities, third party contracts and regulatory/legal obligations etc is essential to responding appropriately to an incident in a timely and measured manner. Time is key, and being able to quickly access the necessary information (and information-holders) required to work through the breach response steps, and the decision-makers to authorise them, is so important to the overall success of the response. The easiest way to achieve those efficiencies is by preparing a cyber incident response plan, and by reviewing it and testing it regularly.

I believe that the main reason many businesses are choosing to be reactive rather than proactive in managing cyber attacks is not because they want to fail at the first cyber breach hurdle, but simply due to a lack of resource. Preparing a cyber incident response plan does, after all, sound like a fairly technical and time-intensive task. The good news is that it may actually be easier than you think thanks to CyberScotland’s Incident Response Pack. Prepared by the Scottish Business Resilience Centre, and some of its members, and drawing on their experience, the pack contains documents to help support businesses plan their response to a cyber incident. The documents can help create an Incident Response Plan from scratch or can be used to compliment an existing Incident Response Plan. Having a response plan ensures your business has the tools it will need to help good decision-making in a time of significant stress and pressure. In addition, the act of preparing your plan – and reviewing it and testing it on a regular basis – provides you with an opportunity to identify and address any gaps you might discover in it, so that it may be as comprehensive as possible when you actually need it.

No-one wants to see businesses suffer at the hands of cyber criminals. The means to prepare your organisation for a cyber attack or data breach is out there for you, so don’t fail to prepare.

About Catriona

Catriona is a Senior Associate in CMS’ Dispute Resolution team in Edinburgh. She has extensive experience of advising clients in relation to cyber breaches. In particular, in her role within the CMS Cyber Breach Response Team she has assisted numerous businesses across all sectors in the immediate aftermath of a cyber/data breach incident, including co-ordinating first response teams, supporting clients in relation to regulatory and other notification obligations, and advising them in relation to consequent data breach litigation.

Catriona has worked with SBRC on a number of projects and presentations, including having contributed to the Incident Response Pack prepared for CyberScotland.