Do you have the right strategies in place for a cyber-attack?

December 1st, 2021
x
Bookmark

By Anthony Pillay

Cyber theft, especially ransomware, has hit businesses and the legal profession has become a key target for cyber-criminals. Critical services to the public, such as healthcare and social services have been targeted, and recently the Department of Justice has seen the adage ‘not if but when’.

Large corporations who have invested millions in cybersecurity have all fallen victim to this scourge.

Business executives have learned that cybersecurity should be treated as a risk and evaluated by cost and benefit analysis.

Dependent on your business and the potential impact and the cost of recovery, this risk may be classified as a strategic risk.

Discussions on cyber risks are not confined to information and communications technology. They must include risk management discussions at the executive level, namely –

  • understanding the nature of the risk;
  • the potential scale of the risk on the practice;
  • vulnerable systems;
  • digital infrastructure; and
  • business processes etcetera and develop a plan to mitigate the impact of cyber breaches.

Unlike other risks, there must be an audit of the users, devices, critical systems, business recovery plans on post-breach communication strategy.

This information must be used to build resilience in the systems and educate users continuously. Thus, it requires a directed and focused approach.

Based on the National Association of Corporate Directors and the Internet Security Alliance guidelines on ‘Cyber-risk Oversight 2020: Key Principles and Practical Guidance for Corporate Boards’, risk oversight must include the following:

  • ‘Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances’.
  • ‘Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas’ for risk management, including cyber risks.
  • Directors should set the parameters on the level of acceptable risks (appetite) for strategic risks.
  • Directors should ensure that management establishes an enterprise-wide risk framework, including cyber risk with skilled risk staff and an adequate budget.
  • The Board in discussions with management ‘should include identification and quantification of financial exposure to [strategic] risks and which risks to accept, mitigate, or transfer, such as through insurance, as well as specific plans associated with each’ tactic chosen.

The Board must keep a balance between protecting the organisation’s security and mitigating losses, while ensuring profitability and growth in a competitive environment.

The Law Society of South Africa previously published the following key strategies for cyber risks:

  • Reasonable assurance is not sufficient, dynamic methods of managing risk are needed to survive in the fierce world of cyber-attacks, including automated controls.
  • Zero trust – staff, should only have access to systems/processes that are essential for their functions.
  • Apply design thinking (the vanguard of cybersecurity) –

–        ‘first, fully understand the problem;
–        second, explore a wide range of possible solutions;
–        third, iterate extensively through prototyping and testing; and
–        finally, implement through customary deployment mechanisms’ (Rebecca Linke ‘Design thinking, explained’ (https://mitsloan.mit.edu, accessed 23-11-2021)). 

  • Organisational mass and inertia resist change – management must be the catalyst.
  • Cyber risks should be addressed in an integrated approach across all risks to achieving business objectives.
  • Strategic decisions regarding technology should be integrated with broader business strategy and methods of managing risk in the strategy development process.
  • Staff awareness and training should be continuous as the greatest threat is individuals’ attitudes and behaviours strongly influence intrusions into IT systems.
  • Enforce mandatory regular password changing (at the very least every two weeks), multiple character strings with minimum safety at least 12 characters strong (insurers insist on 14).
  • Ensure all software updates are regularly installed, have regular backups with offline storage, run malware software before reinstating back-ups.
  • Specific guidelines for ransomware published previously:
  • Recognise the high likelihood that not only will firms be attacked but their defences will be breached.
  • Complete (and maintain over time) a business impact analysis to understand how a breach might affect firms. This is an exercise that must have the active and committed participation of both the technical and practice managers and staff experts.
  • Assess how significant a breach could be (there is a range of possible magnitudes, each with its own likelihood) in their specific circumstances.
  • Prepare for the event.
  • Harden both defences and response – within reason – and test them regularly. The articles have some great recommendations.
  • Invest according to the risk to the firm, based on the business impact analysis, rather on another’s survey, the news headlines, or on a consultant’s advice.
  • Review and audit (using the firm’s own staff and management) periodically with the frequency based on the level of risk, continuously updated.

The Law Society of South Africa’s Cybersecurity Helpdesk is headed by Anthony Pillay. Mr Pillay is currently the Acting Executive Director of the Law Society of South Africa.

This article was first published in De Rebus in 2021 (Dec) DR 41.

X
De Rebus