How to stress test your business for cyber resiliency

Cyber attacks are a growing concern for organizations across all sectors—and with good reason. Globally, the average number of security breaches experienced by a company in the last year grew by 11% from 130 to 145, according to 2019 “Cost of Cybercrime” study by Accenture and the Ponemon Institute.¹ As the number of attacks increases, so too does the cost: CyberSecurity Ventures predicts that global losses related to cyber attacks will reach US$6 trillion by 2021, up from US$3 trillion in 2015. ²

A new report from Aon, “Prepare for the expected: Safeguarding value in the era of cyber risk,”³ notes that business face financial loss in the form of immediate crisis expenses, regulatory fines and lost revenue from disruption to the business. There’s also reputational risk, as an attack can erode a company’s market value, destroy brand loyalty and limit a company’s digital transformation, notes Aon.

Businesses are wisely investing in cyber security—CyberSecurity Ventures predicts more than US$1 trillion will be spent from 2017 to 2021—but no measures are 100% effective. That’s why it’s also critical to have a cyber resilience plan in place, which covers how your organization withstands, responds to, and recovers from a cyber attack or data breach.

While cyber resilience plans will look different at every organization, one commonality is the importance of testing those plans. A stress test allows organizations to see how quickly and effectively they react and respond to any given cyber risk. As Deloitte notes in the report, “Five essential steps to improve cyber security,”⁴ most organizations have a security management process in place, but few have tested it.

The report outlines key questions organizations should ask, such as “Who should be contacted during and after an incident?” and how quickly can you contain a security breach and restore your organization to normal operation?” “But answering the questions is just part of the equation,” Deloitte states. “Testing your answers is critical.”

Here are four best practices for testing your cyber resilience plan:

• Get everyone on the same page: As with any large undertaking, C-suite support is the first—and most essential—step in creating and testing a cyber resilience plan. As one cyber-security expert notes, without C-suite support, it’s impossible for cyber-security leaders to effectively plan for and defend against threats.⁵ And since cyber security affects every employee, everyone in the organization needs to be aware of the plan and understand their roles and responsibilities.
• Conduct a vulnerability scan: In the computing world, a vulnerability is a weakness in a device or system that can be exploited by cyber attackers. A vulnerability scan (or assessment) allows businesses to identify which parts of their system are the weakest and most likely to be targeted, and therefore the most relevant to the cyber resilience plan.⁶
• Carry out cyber simulations: As Deloitte notes, cyber simulations are interactive techniques that immerse participants in a simulated attack scenario to help organizations evaluate their response and preparedness. Some specific attacks organizations may want to test for are phishing emails—fraudulent emails designed to get people to unwittingly share passwords or financial information, or malicious attachments—documents that appear to be legitimate, but are actually a virus or malware.
• Review and make improvements to your plan: “There’s absolutely no point running simulated attacks if they’ll play no role in optimizing the incident response processes,” says another cyber-security expert.⁷ Determine what worked well and what didn’t in your response plan. Identify areas for improvement and adjust the necessary processes.

If you’ve followed these steps but feel like you still need some support or guidance, your insurer may be able to help. The possibility of a cyber attack doesn’t have to be overwhelming when you’ve stress tested your plan and know it stands up.

Sources

¹ Research Report: “Ninth annual cost of cybercrime study.” Accenture, March 6, 2019
² “Global Cybercrime Damages Predicted to Reach $6 Trillion Annually By 2021”. Cybercrime Magazine, December 7, 2018
³ Media Release “Aon report shares C-suite insights as losses from cyber attacks set to reach all-time highs”, accessed December 4th, 2019
⁴ “Five essential steps to improve cybersecurity”, Deloitte, accessed December 4th, 2019
⁵ Burley, Ron “How Cybersecurity Leaders Can Best Navigate the C-Suite” CPO Magazine, September 13, 2019
⁶ “Best Practices for testing you Cyber Incident Response Plan” RSI Security, February 8, 2019
⁷ Reichenberg, Nimmy “Putting Your Incident Response Processes to the Test” Siemplify, July 8, 2018