As businesses around the world continue to reel from the onslaught of the WannaCry ransomware attack, many are asking “how could this have been prevented or at least more quickly contained?”
While few of the global stock exchanges and other financial systems were affected, the long-term ramifications are yet to be understood. Experts say that despite the attacks slowing over the weekend, this respite will likely only be brief, and Microsoft itself has warned that governments around the world should treat it as a “wake-up call.”
Henry Peens, Associate Director: Risk Advisory, and Deloitte South Africa’s Cyber Leader, warned that fighting cybercrime is not just about having the right preventative software in place; it is about having the right cyber-risk management team and relevant, proactive plans and processes in place.
“It is not just a matter of technology controls, and it’s not just the CIO’s responsibility,” said Peens. “It requires business transformation that broadens the scope of involvement at the top levels of the company, with a focus on overall business risk.”
By gaining a broad understanding of attackers’ motives and planning proactively by anticipating potential high-impact scenarios, organisations will be able to reprioritise and refocus their investments with the aim of mitigating likely outcomes.
Cathy Gibson, Director: Cyber Risk Services, agreed, saying that it was critical to bring the right business and technical leaders together to evaluate organisational readiness: “The team must be able to develop a list of high-risk cyberattack scenarios that is relevant to their specific business.”
“It is imperative that the members of the team collectively understand the business’s strategy, products, revenue streams, operations, technology, regulation, and the company’s cyber risk program, to identify both their crown jewels and the greatest risks.”
Once you have identified what is truly most important to the organisation, you are able to create a readiness plan that includes all the people needed to protect, defend, and recover those things should they be compromised.
Peens said that by establishing broad-based cyber-awareness and engagement across your organisation, you will improve your team’s ability to collaborate and react when the cyber incident alarm goes off.
Cyber readiness is not a reactive process; it is a proactive plan of defence. Whether they originate from within or outside of your business, and whether they are aimed at IP, trade secrets, operational disruption, fraud or data theft, cyberattacks typically extend well beyond the technology domain and can have deep and long-lasting effects on an organisation.
“It is critical for every organisation to change the kinds of conversations they are having about cyber risk, and to institute some variation of a secure, vigilant and resilient approach that can ultimately improve their ability to survive and thrive in the face of increasingly likely cyberattacks,” Peens said.