Business foundations for data protection: Where are the Life-RAFTs?

The importance of building Risk Awareness, Flexibility and Trust long before you hit the rocks

By Bill Mew

Customers in all sectors, not just tech, are becoming increasingly discerning and demanding. Research into what they expect of companies, rather than governments, has found that data security and privacy have surpassed even diversity and sustainability. Indeed, security and privacy are now the main things that consumers expect firms to take a stand on and they will be unforgiving if you get it wrong.

An effective data protection strategy must be built on solid business foundations. Risk Awareness, Flexibility and Trust (RAFT) are the key attributes you’ll need to counter cyber threats. Here’s what to know to build a cyber defence Life-RAFT:

1. Risk awareness

Most individuals, departments and organisations are managed and incentivised based on revenue and profit-centric ROI (return on investment) metrics. The thing is, ROI frameworks leave little or no room for effective risk appreciation.

In fact, there’s really only one senior manager focused on return on risk (ROR) instead of return on investment (ROI): the CISO (Chief Information Security Officer).

That difference in priority may put the CISO at odds with the rest of the management team. He or she may not only become isolated (what I term CISOlation) but may also even be scapegoated when things go wrong – even if their warnings were ignored.

It’s as if the senior management team is watching a TV where only two of the three colour feeds are working (revenue and profit). They can see what’s happening across the business, but they don’t get the full picture. When major risks do appear, out of the blue, they can be visible to the CISO but not to the others.

Reforming company culture to incorporate ROR at the management level can be a challenge. However, two recent major disruption events – the 2008 global financial crisis and the recent pandemic – coupled with headlines about fines from the General Data Protection Regulation (GDPR) regulators in Europe and the Federal Trade Commission (FTC) in the U.S., as well as litigation in all regions, are making executives take cyber risk more seriously.

Organisations without a “risk aware” culture often take risks by accident that compromise data security and privacy. For example, many teams delegate the purchase of IoT devices (from security cameras to thermostats) and simple items like USB memory keys to their procurement department without specifying security requirements such as encryption. In a risk aware culture, security requirements are written into processes across departments, and the small premium that secure devices usually command is accepted as the cost of doing the job properly.

The same thinking applies to more significant procurement decisions, from cloud data management to ransomware detection. Risk-aware companies are willing to pay a risk premium and select on whether a solution actually does the job securely, rather than on whether it ticks the box.

Risk aware organisations select solutions that are able to do the job properly and securely rather than those that just tick the box

Along with risk awareness comes digital ethics. Companies that embrace both treat data with care and respect. They are less likely to experience a data breach and better able to respond in the event of one. Accurate identification of personal data, and an appreciation of the risks attached to it, also aids regulatory compliance.

Ask yourself, how is your team’s performance measured? What prevents them from taking unnecessary risks?

Key takeaways

1. Shift from an all-ROI focus to an ROI/ROR balance

2. Avoid CISOlation: Be risk aware and listen to warnings from the CISO

2. Flexibility

Together with risk awareness, flexibility is a powerful source of competitive advantage, especially during a crisis (as we explained in the last blog). Dominant players may use their scale to sustain market leadership, but if they lack the flexibility to respond effectively during major disruptions, they can fall rapidly from grace. Such events are in turn a real opportunity for flexible, risk aware organisations to capture market share and even entire markets.

How cyber-ready and crisis-prepared is your organisation? Having a cyber incident response plan is essential. Article 32 of GDPR states that technical and organisational measures need to provide:

“(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data on time in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

Effective backups designed to recover systems and maintain business continuity aren’t just “nice to have”; for any organisation processing the personal data of people in the EU, the ability to restore that data is a legal obligation. In truth, having effective backups and “regularly testing, assessing and evaluating” cyber security processes makes sense for just about everyone.
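Article 32(1)(c) asks for the ability to restore, and (d) for a process that regularly tests it; a backup that has never been restored is an untested assumption. The Python below is an added illustration, not code from the original post: it backs up a constructed sample tree, restores the archive into scratch space and compares every restored file against a SHA-256 manifest taken at backup time. It then shows two failures that a “backup succeeded” log line hides: a job that silently skipped a file, and an archive damaged after it was written. File names, paths and sample data are constructed for the demo.

```python
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path

# Added example, not code from the original post. Paths, file names and the
# sample data below are constructed for the demo.


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src_dir: Path) -> dict:
    """SHA-256 of every file under src_dir, keyed by relative POSIX path."""
    return {
        p.relative_to(src_dir).as_posix(): sha256_file(p)
        for p in sorted(src_dir.rglob("*"))
        if p.is_file()
    }


def create_backup(src_dir: Path, archive: Path, exclude=frozenset()) -> dict:
    """Write a gzip tarball of src_dir and return the manifest taken at backup
    time. `exclude` exists only so the demo can reproduce a mis-configured job
    that skips files yet still finishes without an error."""
    manifest = build_manifest(src_dir)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            if rel not in exclude:
                tar.add(src_dir / rel, arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict) -> dict:
    """Restore the archive into scratch space and compare every file with the
    manifest. A backup that cannot be restored, or restores something other
    than what was backed up, fails the test."""
    report = {"ok": False, "missing": [], "mismatched": [], "error": None}
    with tempfile.TemporaryDirectory() as scratch:
        scratch = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # The 'data' extraction filter (Python 3.12+, backported to
                # 3.8.17+) also refuses path traversal from a tampered archive.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kwargs)
        except Exception as exc:  # any failure to restore is a failed test
            report["error"] = f"{type(exc).__name__}: {exc}"
            return report
        for rel, expected in manifest.items():
            restored = scratch / rel
            if not restored.is_file():
                report["missing"].append(rel)
            elif sha256_file(restored) != expected:
                report["mismatched"].append(rel)
    report["ok"] = not report["missing"] and not report["mismatched"]
    return report


def demo() -> tuple:
    """Three runs over a constructed sample tree: a sound backup, a backup that
    silently skipped a file, and an archive damaged after it was written."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "customers").mkdir(parents=True)
        (src / "config.yml").write_text("retention_days: 30\n")
        (src / "customers" / "records.csv").write_text("id,email\n1,a@example.com\n")
        (src / "customers" / "keys.db").write_bytes(os.urandom(256))

        good_manifest = create_backup(src, work / "good.tgz")
        good = verify_restore(work / "good.tgz", good_manifest)

        skipped_manifest = create_backup(src, work / "bad.tgz", exclude={"customers/keys.db"})
        skipped = verify_restore(work / "bad.tgz", skipped_manifest)

        rot_manifest = create_backup(src, work / "rot.tgz")
        blob = bytearray((work / "rot.tgz").read_bytes())
        blob[len(blob) // 2] ^= 0xFF  # one flipped byte inside the compressed stream
        (work / "rot.tgz").write_bytes(blob)
        rotten = verify_restore(work / "rot.tgz", rot_manifest)
    return good, skipped, rotten


if __name__ == "__main__":
    for label, result in zip(("sound", "skipped file", "bit rot"), demo()):
        print(f"{label:>13}: {result}")
```

The point of the restore test is that success is defined by what comes back, not by whether the backup job exited cleanly: the manifest is taken from the live data at backup time, so a file that was excluded by a bad pattern, or content that was altered between backup and restore, surfaces as “missing” or “mismatched” rather than as a surprise on the day you actually need the data.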

Regularly testing, assessing and evaluating your cyber security processes isn’t just mandatory, it’s plain common sense

In addition to scenario planning and backup and recovery drills, use fully immersive simulation exercises to test if your crisis response team (people with technical, legal, reputational and social media responsibilities) can communicate and collaborate well under pressure. Realistic rehearsals are needed, rather than lecture-based training, as stress significantly impacts your situational awareness. Such simulation experience may also help senior management appreciate cyber risk and better understand the need for crisis preparedness. 

How often do you test your teams and systems?

Key takeaways

3. Regularly test, assess and evaluate your cyber security processes, including your backups

4. Have a cyber incident response plan and use realistic simulation exercises to test it

3. Trust

Ransomware is a particularly pernicious threat – prevent it at all costs. The prospect of having your data encrypted and held for ransom is bad enough, but even if you choose to pay, there is no guarantee that your data will be decrypted, or that the attackers have not left backdoors that let them return and extort you all over again. Worse yet, cybercriminals have recently moved from simply denying access to data to blackmailing firms with the threat of publicly releasing particularly sensitive data.

  • Instances of ransomware are on the increase: ransomware identification service ID Ransomware [1] recorded 452,151 confirmed incidents during 2019, but with only a quarter of organisations submitting reports to it, the real figure could be four times as large.
  • Ransomware demands doubled in the final quarter of 2019: the average demand rose to $84,000 [2], and in 2020 demands have escalated further, with $42 million demanded in the REvil (Sodinokibi) ransomware attack on a New York-based law firm. A third [2] of companies are reported to have agreed to pay such demands.
  • The cost of the ransom itself is dwarfed by other costs: incidents result in an average of 16 days of downtime [2] at a cost of $5,600 a minute [2], equating to a global total for ransom demands and downtime of between $42 billion and $169 billion [3].
  • Reputational damage, cost of recovery, regulatory fines and litigation add even more to the overall cost: Norsk Hydro suffered a ransomware incident that cost it more than €70 million, but its cyber insurer paid out only €3.6 million – only about 6% of the total. And EasyJet has been setting records in the UK with a data breach impacting nine million victims, resulting in a potential claim of £18 billion, with 10,000 claimants signing up in the first three weeks – the largest and also the fastest growing privacy claim in UK legal history.

Crisis management textbooks suggest there’s a “golden hour” after an incident goes public in which you have a chance to save the brand. With most incidents, as the victim of crime, if you act quickly and show empathy for your customers then the press and public should have sympathy for you. Unfortunately, this doesn’t work for cyber incidents as the press and public will blame the company – rather than the hackers – for any loss of personal data.

As soon as a breach is detected, rapidly conduct expert forensics to ascertain the nature and scope of the incident. Then use these findings not only to fix the breach but also to build a legally defensible narrative and a brand defence plan. At this point, brand trust is everything. It may take a while to shake public belief in a trusted brand, but reputational damage will take its toll, and you may need to recruit trusted voices (including topical opinion leaders) to help counter misinformation and social hysteria.

Trust … is everything. It may take a while to shake people’s belief in trusted brands, but reputational damage will take its toll.

Ask yourself, how much do people trust your brand? Will they continue to trust you through a crisis?

Key takeaways

5. Establish trust in your brand and respond quickly in a crisis if you want to keep it

6. Don’t treat a cyber incident like any other crisis; be prepared to implement a forensically-based legal and reputational response

Risk Awareness, Flexibility and Trust – your Life-RAFT

The thing about Life-RAFTs is that you need to fit them in advance or they won’t be there when you need them. As an officer of the ship, make RAFTs required procedure. Then, when the ship’s captain announces it’s time to man the Life-RAFTs, you can point the way. If the CISO wasn’t listened to, and there are no rafts, finger-pointing will be small comfort.

In reality though, you would already be out of business, since discerning passengers would all have sailed with your rivals, unwilling to even board your ship if it lacked Life-RAFTs.

Save yourself and your passengers when you hit the rocks and avoid losing customers to your rivals: invest in Risk Awareness, Flexibility and Trust – your Life-RAFT.

References

[1] https://id-ransomware.malwarehunterteam.com/
[2] https://www.coveware.com/blog/2020/1/22/ransomware-costs-double-in-q4-as-ryuk-sodinokibi-proliferate
[3] https://blog.emsisoft.com/en/35583/report-the-cost-of-ransomware-in-2020-a-country-by-country-analysis/

Bill Mew is the founder and CEO of cyber crisis incident response firm The Crisis Team. He is also a high profile digital ethics campaigner, who focuses on striking the right balance between “meaningful protection” (privacy, security, etc.) and “the maximization of economic and social value” (innovation, digital transformation, cloud, smarter cities, govtech, etc.). As well as being one of the top global influencers on all these topics, he appears regularly on international broadcast TV and radio, having more broadcast airtime than any other technologist in the UK.