Monthly Archives: February 2017

Cyber Attack – How much does it cost to fix?

Category : Preparedness

How much does it cost to fix a cyber attack?

Estimated reading time 4 minutes.

Wynn kindly wrote the following blog for me and goes beyond the original question, explaining the new laws coming into effect next year. You need to know this! He also gives useful advice on how to protect yourself from the attack in the first place.


The question: what is the average cost to fix a cyber-attack? A good question, but difficult to answer. It depends on the business and also on the type of attack used by the very organised cyber criminals of today. On average, UK SMBs suffer a cyber-attack seven million times a year, with the average hack costing them £3,000, new research has shown (this is based on a study from mid 2016). The Federation of Small Businesses (FSB) found that SMBs are the victim of an average of four cyber-attacks every 24 months, with 66 per cent of the 1,006 organisations surveyed having been a victim of cybercrime at some point.

Taking into account the increased complexity of attack vectors being used by cybercriminals and the fact that the vast majority of cyber-attacks go unreported to the authorities, the real number is much higher and will only continue to grow. This matters all the more because the new General Data Protection Regulation (GDPR) becomes compulsory as of 25th May 2018. From that point, all businesses that store any personal data of any citizen of the EU will be held responsible for the protection of that data. This doesn’t mean just the processing of card payments, as most people mistakenly believe now, but plain old names, addresses, email addresses, telephone numbers etc…

Common cyber attacks

As of May 2018, you will be held responsible for any breach of any personal data you hold. Not only that: if you do not report a hack, you will be in even further trouble. Breaches have to be reported to the data protection authority (DPA) within 72 hours. You will also have to prove that you have taken all reasonable precautions to prevent such attacks.

You will no longer have the excuse of “I didn’t know about the new regulations!” The new regulations state very clearly that it is the business owner’s responsibility to know the law and to have made every effort to secure the data they are responsible for, whether it is in their own possession or held by a third-party supplier. If you attempt to feign ignorance, you will receive extra penalties.

There is currently far too much complacency around data security and cybercrime, from business owners, individuals and IT service providers alike. Many IT suppliers claim to have their clients’ data security needs at the forefront of their agenda, when in reality they do not understand the current attack vectors used by cybercriminals, and have no training or experience in how to prevent such attacks. They avoid implementing even the most basic IT security best practices, and think that installing antivirus software or a bigger firewall is doing the right thing. IT service providers are reluctant to change default configurations and installations, or to restrict both their own and their clients’ access. They reuse passwords across multiple clients, and those passwords are all too guessable to a trained hacker.

In reality, even a cheap firewall, properly configured, will prevent direct access. Good antivirus is essential, as is security patching of operating systems and applications. More importantly, the biggest advance in protecting a website, network or computer from attack is training of the end user and good practice. As with anything in life, there is no silver bullet for this problem; we all have to take ownership, accountability and responsibility for our actions and the data that we store.

As such, the average cost of a cyber breach will rise in the years to come. Not only will business owners be accountable for the data they store, but they will be fined by the authorities for not making the best effort to protect that data. Then there will be the litigation suits, or as the Americans call them, class action suits, fired up by the long line of compensation chasers who are currently looking for another avenue to pursue once the PPI funds run out.


Business Resilience – Why?

Category : Preparedness

My mission is to scare business owners by telling them about all the things that they should be lying awake at night worrying about. Things like, what if the power is cut off? What if the staff are off sick? What if my suppliers let me down? What if someone digs up the telephone cable?

Estimated reading time 4 minutes.

Luckily, because I have been in this line of work for a few decades now, I know how to help those people sleep soundly, without resorting to drugs and alcohol, unless they want to of course.

I spent the past 27 years as a Coastguard Officer dealing with emergencies at sea and on the coast of the UK. My last 15 years were spent in a variety of roles, dealing with planning and responding to emergencies. The last 5 years were as a senior officer responsible for resilience, working primarily with government, devolved administrations and the other emergency services to improve the resilience of the UK to disruptive events. As part of a reorganisation I found my role as Head of Resilience being relocated to Southampton. I didn’t want to go, so I took the package. I tried retiring but it didn’t suit me.

My ‘why’ is that having spent so many years trying to make the country safer and to improve society’s response to emergencies I felt I wanted to continue. I have often seen small and medium sized businesses struggle and even fail because they didn’t have access to advice on how to make their business more resilient. Most businesses don’t need full blown business continuity plans but they would all benefit from advice and that is what I set my company up to offer. Good, pragmatic, inexpensive advice.

One story I often tell that illustrates how my ‘why’ came about revolves around an event many people will be familiar with.

On 1 November 2006 Alexander Valterovich Litvinenko, a former Russian spy who was living in London, became ill and died 23 days later from polonium-210-induced acute radiation syndrome. Remember that?

Now the bit you won’t be familiar with (unless I have told you it already) is that one of the outcomes of this incident was that the authorities set about tracing where the polonium-210 had been. They wanted to isolate any traces of it because it’s obviously dangerous! They traced its path around London and wherever they found a trace they shut the building down.

John Smith (I’ve forgotten his real name) had his office supplies business in one of those buildings. He had spent 15 years building his business but now he was denied access to the building. By the time he was allowed back in, his business was in ruins.

As you know, the office supplies business is a very efficient supply chain, but that efficiency makes it vulnerable to disruption. As a good business owner, you order your printer juice or paper today and you want and expect it to be delivered tomorrow, just in time. The problem for Smith was that he hadn’t anticipated being denied access to his building and had no way of accessing his computer or his phone. He hadn’t backed up any data and everything was held in his office, so he had no way of letting his customers know of his problems and his customers had no way of placing their orders. The customers wanted their order delivered tomorrow or their business was in trouble. So, they phoned one of Smith’s competitors. They got their office supplies, were satisfied with the service they got and stayed with their new supplier. John Smith’s business was destroyed in a week.

So, what could Smith have done to avoid his enforced early retirement? He could have called me when he started out in business and I would have advised him to back up everything to the cloud so he could access his customer records and still operate. I would have advised him to invest in a VOIP phone so that he could easily divert his calls to any phone or computer he wanted in minutes. There is a load of other things as well, but they could all have been put together and detailed in the plan called ‘Polonium Incidents’, ready for just such an event (I assume you all have one?). His business would have carried on without his customers realising there was a problem and without losing a single sale.

I know it’s simple, though it gets more complex the larger the company, but bad things happen to good people if they never think ‘what if’. My ‘why’ is that I want to help good people avoid the avoidable through planning and preparation. They might also manage to sleep better.