Could your clients respond to a cyberattack?

Even the best defenses can still be overcome

By Nicola Middlemiss

Most companies have response plans in place for severe weather events or natural catastrophes. However, it seems the same preparation is lacking around cyberattacks, and one industry expert says he’d like to see the two areas afforded the same careful preparation moving forward.

Leon Fouche is Australia’s national cyber security leader for BDO – he says that while organisations have become much better at putting preventative measures in place to stave off a cyberattack, relatively few have strong response plans in place.

“Although there have been a lot of improvements around cyber resilience, much of the focus has been on trying to reduce the likelihood of a risk happening and, to me, I think there hasn’t been sufficient focus on the impact once a cyberattack actually occurs,” says Fouche.

“I think we need to be more focussed on reducing the impact of an incident rather than simply trying to reduce the likelihood of it happening altogether.”

Fouche’s comments come after BDO published the results of its most recent cyber security survey, which found that 66% of organisations don’t have an incident response plan.

“If you’ve got a response plan which is regularly tested, you tend to respond a lot quicker and a lot more effectively because you’ve rehearsed it and everyone knows what needs to be done – whereas if you don’t have that, it tends to be a chaotic response where everyone’s just running in different directions,” says Fouche.

“By having a plan, it allows you to focus and you can actually follow that approach because when something like that happens, a crisis, if there’s not a structured plan, people do get distracted.”

When asked why organisations haven’t typically invested the same care and consideration into response plans, Fouche says it can be traced back to how insurers previously approached cyber.

“Looking back five years or so, insurance companies wanted to get a good understanding of the risk they were taking on so a lot of focus was around risk assessments and understanding where the concentration of risk was – but there was no guarantee the organisation was actually going to take up that insurance,” says Fouche.

“What’s happened in the last 12 months is, we’ve actually started to see insurers providing discounts to clients who have incident response plans in place – so they’re definitely starting to value that more than what we were seeing in the past.”

However, while this signalling may encourage the uptake of incident response plans, Fouche believes it is essential that organisations test them regularly – something which isn’t currently commonplace.

In fact, the recent survey released by BDO found that, of the companies with incident response plans, less than half had ever tested them.

“By having a plan but not exercising it, you run the risk of nobody knowing what to do when an incident does occur,” says Fouche. “There’s also a risk the plan will be outdated when you come to use it because you’ve introduced new systems and contact details haven’t been updated.”
