IT Continuity Management
What’s your cyber attack game plan? By Scott Nursten, CEO, ITHQ
Drill your teams to fight more than fire
When a well-known UK business was hacked with ransomware, it took them 17 days to issue a press release. How can they have been so unprepared for this increasingly common scenario? The answer lies in a flawed view of how IT continuity should be managed and tested.
Models for business continuity and disaster recovery follow the good old-fashioned fire drill. An alarm is triggered, a building is evacuated, critical systems are isolated and everyone participates. The standard protocol remains the same, regardless of how the fire started. Overcoming potential damage is not even considered as part of the drill.
IT continuity management requires a different drill because, unlike natural disasters such as fire and flood, the nature of the threats to IT networks and data assets keeps changing. This unpredictability requires a different approach to disaster preparation, one that builds a library of responses rather than a single protocol.
WHY YOUR BCP AND DR MODEL DOES NOT WORK FOR IT CONTINUITY
BCP and DR were the stuff of thought leadership articles in the ‘90s. It has taken over 20 years for best practice to become commonplace, but threats have moved on. These models prepare you for a disruption to IT function caused by natural disaster but were never designed to help you prepare for a cyber attack.
IT continuity testing is part of your cyber resilience strategy, which aims to ensure your business can anticipate, withstand, recover from and evolve in the face of an advanced, sustained attack. Testing your resilience to advanced threats means thinking up worst-case real-world scenarios and playing them out.
ARE YOU PREPARED TO TACKLE 1,500 SIMULTANEOUS FIRES?
Ransomware is a classic example of how ill-prepared most businesses are for shifting modern threats. Ransomware was relatively rare until 2011, when it really took off. Then, according to a McAfee Labs Threats Report, cases leapt from 100,000 in 2014 to 720,000 in 2015.
Since then, both frequency and cost of attacks have increased. When Kaseya was hit by a supply chain ransomware attack, it impacted 1,500 businesses at once – and IBM puts the average cost of a corporate breach today at $3.86 million.
In terms of recovery, paying the ransom is only the start. There is no guarantee that your data will be released, or that it has not already been sold on the dark web. Backups help a lot, provided they are immutable: at least then you can recover your data yourself. If whoever holds your backup credentials can overwrite or delete backup data, the backups are part of the attack surface and must be tested for that threat as well, by actually attempting a restore rather than assuming one will work. But what about recovering from the aftermath of far-reaching reputational damage and ongoing costs? Do you have a pre-prepared press statement, for example? Or a plan for managing the situation with your customers? Your staff?
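The backup point above is one that can be drilled rather than taken on trust. The following is an added illustration, my own example code and not part of the original article or of ITHQ's material: it runs a restore drill against two constructed in-memory backup targets, a plain writable store and a write-once (WORM) store standing in for an object-locked bucket or offline vault. The file set, the attacker step and the store classes are all constructed for the demonstration; a real drill would point the same two steps (back up, then restore and verify against an out-of-band manifest) at the real backup system.

```python
"""Restore drill for backup immutability.

Added illustration, not code from the article: two constructed in-memory
backup targets stand in for a real backup system, one writable, one
write-once (what S3 Object Lock in compliance mode or an offline vault
gives you). The drill backs up a constructed file set, lets a simulated
attacker holding the backup-service credentials try to encrypt and delete
the copies, then restores every object and checks it against a manifest
kept out of band.
"""
import hashlib


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class MutableStore:
    """Ordinary backup target: whoever holds write access can overwrite or delete."""

    def __init__(self) -> None:
        self.objects: dict[str, bytes] = {}

    def put(self, name: str, data: bytes) -> None:
        self.objects[name] = data

    def get(self, name: str) -> bytes:
        return self.objects[name]  # KeyError if the object is gone

    def delete(self, name: str) -> None:
        del self.objects[name]


class WormStore(MutableStore):
    """Write-once-read-many target: an object, once written, can be neither
    overwritten nor deleted, even by the account that wrote it."""

    def put(self, name: str, data: bytes) -> None:
        if name in self.objects:
            raise PermissionError(f"{name}: object is locked")
        super().put(name, data)

    def delete(self, name: str) -> None:
        raise PermissionError(f"{name}: object is locked")


def take_backup(store: MutableStore, files: dict[str, bytes]) -> dict[str, str]:
    """Copy files into the store and return the manifest {name: sha256}.
    The manifest is the drill's source of truth, so keep it somewhere the
    backup credentials cannot reach (here it simply stays with the caller)."""
    manifest: dict[str, str] = {}
    for name, data in files.items():
        store.put(name, data)
        manifest[name] = digest(data)
    return manifest


def simulate_ransomware(store: MutableStore, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Constructed attacker holding the backup-service credentials: encrypt
    every copy in place, then delete the most recent one (a stand-in for the
    backup-killing stage of real ransomware)."""
    outcome: dict[str, list[str]] = {"overwritten": [], "deleted": []}
    names = list(manifest)
    for name in names:
        try:
            store.put(name, b"ENCRYPTED:" + store.get(name))
            outcome["overwritten"].append(name)
        except PermissionError:
            pass
    try:
        store.delete(names[-1])
        outcome["deleted"].append(names[-1])
    except PermissionError:
        pass
    return outcome


def restore_drill(store: MutableStore, manifest: dict[str, str]) -> dict:
    """Restore every object and verify it against the manifest. A copy that
    restores but does not match is worse than a missing one, because you
    only find out when you try to use it."""
    report: dict = {"ok": [], "corrupt": [], "missing": []}
    for name, expected in manifest.items():
        try:
            data = store.get(name)
        except KeyError:
            report["missing"].append(name)
            continue
        (report["ok"] if digest(data) == expected else report["corrupt"]).append(name)
    return report


def run_drill(store_cls: type) -> dict:
    """Full drill against one kind of target: returns the restore report plus
    whether the target held up against the attacker."""
    files = {  # constructed sample backup set
        "db.sql": b"CREATE TABLE customers (id INT, name TEXT);",
        "ledger.csv": b"date,amount\n2021-02-01,1000\n",
        "ad-backup.bak": b"\x00\x01\x02 domain controller system state",
    }
    store = store_cls()
    manifest = take_backup(store, files)
    attack = simulate_ransomware(store, manifest)
    report = restore_drill(store, manifest)
    report["immutable"] = not attack["overwritten"] and not attack["deleted"]
    return report


if __name__ == "__main__":
    for cls in (MutableStore, WormStore):
        print(cls.__name__, run_drill(cls))
```

Run as-is, the writable target reports every copy corrupt or missing and `immutable: False`, while the WORM target restores all three objects clean. The two things the drill makes visible are exactly the ones teams tend to assume rather than check: that the backup account cannot destroy what it wrote, and that a restored copy matches what was backed up.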
One year after getting hit by the NotPetya cyberattack in 2017, FedEx Corp. and Merck & Co. were left dealing with millions of dollars’ worth of technology clean-up, disrupted business and lost sales. For FedEx, the bill stretched to $400 million in remediation and related expenses. At Merck, manufacturing, research, and sales operations were disrupted. Orders went unfulfilled, such as many relating to the Gardasil 9 HPV vaccine, and costs of $670 million were reported.
PREPARE FOR WORST CASE SCENARIOS, NOT GENERIC DISASTERS
Businesses almost invariably believe they are better prepared for a cyberattack than they are, yet they are reluctant to test the resilience of their IT continuity plans. I always ask clients, “Would you install the latest variant of a piece of ransomware on five critical machines?” The answer is usually, “Are you mad? Why would we do that?” Yet this is exactly what we need to be doing, under controlled conditions: creating scenarios that test the systems in place to protect us, before a proper, advanced attack shows us our weaknesses in the most damaging way. I believe people should write down, on pieces of paper, the worst things that could happen to their network and drop them in a bag. Once a month, someone should randomly select one of those pieces of paper and whatever is written on it gets tested. It could be “we’ve just had a massive ransomware attack” or “we’ve just had a data centre fail”, for example.
REHEARSE YOUR IT CONTINUITY MANAGEMENT LIKE A SPORTS TEAM DOING DRILLS
Businesses should be running drills as routinely as they test the fire alarm. IT continuity management is all about being prepared to recover as quickly as possible. It is not only about having systems in place to alert you when an attack inevitably happens, but also about testing your response.
Technology is too often seen as a pre-emptive panacea that can prevent a cyber disaster. This is a mistake for two reasons: it creates a false sense of security and takes focus away from how the business should respond to a crisis.
Even the best cyber security systems can fail. What happens then? Crisis response should be so well rehearsed that it becomes like corporate muscle memory. Everyone needs to know their position and actions for scenario A, scenario B etc. Think of set pieces in sports. Testing your IT continuity should be treated the same.
NEXT MONTH’S TOPIC
THE IMPORTANCE OF ZERO TRUST
For more information, feel free to get in touch with me at transform@ithq.pro www.ithq.pro
Celebrating our clients for 200 years
Priory Direct – Planet Friendly Packaging – is the UK’s largest sustainable packaging provider. It also offers a bespoke packaging design service that aims to minimise packaging and the large voids that all add to transportation costs and environmental damage.
Josh Pitman, Managing Director at Priory Direct, tells Kreston Reeves of the steps it is taking to change online retailing, the community and the planet, one parcel at a time.

Josh started working for the family business when he was 15, working occasional shifts in its 15,000 sq ft warehouse in Paddock Wood, Kent. On leaving university, he worked across the entire business before becoming its Marketing Manager in 2011 and its Managing Director in 2018.

“At around the same time I became Marketing Manager we developed a new type of integrated label for an emerging e-commerce business, Photobox,” explains Josh. “It contained all the information a retailer needed to ship products efficiently. We caught the start of the e-commerce wave and very quickly the business grew to over 3,000 customers.”

It was at this point that Priory Direct took a major change of direction that built the foundations for the business that exists today.

“We asked our 3,000 customers what they stick the labels on, with a view of improving the adhesive,” says Josh. “80% said padded envelopes, so we thought we ought to stock those. My dad asked me to present a business plan to the board, which included a change of name, and Priory Direct emerged.”

Today, Priory Direct has more than 28,000 customers worldwide, an extensive range of over 2,500 products, a new 60,000 sq ft purpose-built A+ rated warehouse in Aylesford, Kent, with 45 people, a turnover of £10.25m and growth in February 2021 of 94%. But what stands Priory Direct apart from its competitors is its commitment to planet-friendly packaging.

“Six years ago I wanted to inject purpose into the business and to differentiate ourselves from our competitors, some of which are much bigger than us,” explains Josh.
Josh Pitman, Managing Director at Priory Direct
“I wanted to make the rapidly expanding e-commerce market truly sustainable, and that meant looking at our supply chain, materials, waste, transportation and manufacturing. I wanted to make a difference to our community and the planet.”

Priory Direct is now the UK’s largest provider of planet-friendly packaging and on a mission to go further and help businesses of all sizes on their own sustainability journey.

Accountants, business and financial advisers have been a key partner in Priory Direct’s transformative journey, as Josh explains.

“Our business is an unlisted PLC, meaning that we must have an audit every year. But that audit is more than just a statutory requirement. Kreston Reeves’ work on the audit has instilled good financial discipline that has helped support double-digit growth over the past decade. The need for strong financial and management information is critical.

“Businesses all too often overlook R&D tax credits, and again Kreston Reeves has been brilliant in guiding us and helping us understand what can be claimed. This has been particularly valuable when developing our packaging range and our e-commerce platform.

“Most importantly, Kreston Reeves shares the same values as we do, making them a valued part of the team.”

This year Kreston Reeves is celebrating 200 years of history. We are using the significant milestone as an opportunity to celebrate our clients, our colleagues, and our communities!