Cyber-attacks have been on the rise in the past 12 months, and business organisations in Malta have not been spared from this global digital reality. Local organisations large and small have seen an increase in sophisticated and targeted security attacks, ranging from phishing email campaigns to malware attacks in the form of ransomware. Cyber-attacks are an evolution of traditional security attacks: they are no longer carried out by individual hackers but by organised and well-equipped criminals operating on a global scale.

Cyber security breaches still come down to the same fundamental consequences: loss of data, monetary loss, and reputational damage, together with the effort required to regain trust in the systems and, more importantly, in the business organisation itself.

As for the notion of being spared because of the size of the organisation, a recent UK survey conducted by the Federation of Small Businesses found that the costs associated with cyber-attacks for small businesses are disproportionately greater than those for larger businesses when adjusted for organisation size.

A risk-based defence approach

Cyber-attacks are typically more successful against organisations that have a fragmented approach to their information security risk framework. Any organisation that seriously believes it has the necessary measures in place to mitigate cyber risk must ensure that it has implemented and enforced a system of governance, management and assurance practices.

What this means is that organisations need to get smarter about employee policies: achieving key security goals not only through the implementation of supporting technologies but also through effective awareness and education of employees, together with a response plan for an all-but-inevitable attack. Keeping up to date is a real challenge, and organisations that have been impacted by a cyber incident have understood the reality of an active adversary, meaning that their defences had to be continuously monitored and evolved to keep pace with the attacks perpetrated against them. There is also an opportunity, albeit mainly for larger organisations, to apply effective analytics to the intelligence collected from isolated incidents in order to identify and potentially prevent attacks in an agile fashion.

Equally important is the fact that cyber security should never be an issue discussed solely by the IT department. Cyber security is increasingly a topical agenda item for directors. However, treating it as a purely IT matter remains a prevailing governance issue that hinders an effective risk-based approach to managing cyber risk: IT executives often do not like sharing bad news with executive management and boards, who in turn think that cyber is too technical a topic to discuss, or to measure in the first place.

Managing the inevitable cyber incidents

It is inevitable that at some point an attack will hit your organisation and that the controls you expected to eliminate the risk will fail, often through human error. This means that an organisation needs to be prepared to react to a breach, and the first 24 to 48 hours are critical in minimising the impact and managing a swift recovery. However, many organisations have reportedly been very slow in taking serious action against a breach because the discovery itself came late. Cyber-attacks also tend to come in waves, so breaches typically manifest themselves as a series rather than a single event.

As a result, in order to address a breach effectively, it is fundamentally important for an organisation to have a cyber security incident response plan in place that has been tried and tested. The plan will vary from industry to industry; however, the key principles of knowing what needs to be protected, assigning responsibilities across a multidisciplinary team (beyond the IT team), and having a communication plan (including disclosure obligations) are fundamental to any successful plan.

Unfortunately, many organisations, even if they do not admit to the approach taken, only evolve their information security risk management capabilities after they experience a serious breach. Organisations need to stop focusing on ‘if’ they are going to be breached and should instead focus on ‘when’, and on what happens next.