As a small business owner, what happens if you have a bad day?
A bad day can look like accidentally getting locked inside your office (yes, this happened to me when the lockset broke). It can also look like your systems shutting down for over a week due to a cyber-attack. While we can’t help with your office door problems, we can help you survive a cyberattack.
On October 30th, the Eastern Health and Labrador-Grenfell Health regions of Newfoundland and Labrador’s healthcare system discovered that they had been hit with a cyberattack larger than any in Canadian history[i]. After shutting virtually everything down, they are still working on returning to operational status, only allowing certain patients to receive care. Admittedly, this is a very complex environment with thousands of medical devices, millions of patient records, and lives on the line. While you may not have an entire health system riding on your cybersecurity, you do have your livelihood and that of your employees.
That’s why cybersecurity isn’t just about defense—it’s about your resilience, how you pick yourself back up after the kind of bad day that shakes your business to its core. And to do that, you need a plan.
The first necessary step is an inventory of your assets. You must have an inventory of your assets (databases, computing devices, applications, etc.)—and an overview of how they communicate and drive the business (e.g., not all assets are created equal). But that’s not sufficient. You must also have a well-defined incident response (IR) plan. And, like a data backup plan or procedure, you must exercise that plan. Fortunately, there are many solid templates with which to accelerate the development of your IR plan, and well-defined and effective techniques to efficiently perform practice drills. These “tabletop exercises” are and low-cost, quick way to dramatically improve your resilience in the face of a cyber-attack. Remember, it’s not if, but when you will be attacked.
Three threats likely to disrupt your systems are power outages, internet outages, and ransomware (which encrypts and often simultaneously exfiltrates your data). As a company, develop methods to effectively address each threat. Also, note that this isn’t exhaustive; there are roughly five types of cyber-attacks a company should prepare for (a topic for another time). Think through the list: if there’s a power outage, what needs to happen first? One restaurant chain chose a simple principle: if the credit card machine goes down, don’t take orders. That was an agreed-upon and conscious decision by the executives. Why? Because it cut down on other material risks (e.g., employee and customer fraud) involved in manually taking credit card orders or accepting cash without proper controls.
In another scenario, we trained our database administrators to efficiently merge ongoing order/payment data sets (occurring after the outage) with the restored set if we incurred an interruption. We didn’t wait for the worst-case scenario to happen to have processes in place, and you don’t need to either. Have internal conversations and training with your company. Typically, a couple of hours-long exercises semi-annually and short reminders or discussions each month will go a long way to improve the decisions made in a crisis. Not only that, but it will help your business go from ‘crisis’ to ‘fully operational’ with more ease and speed.
However, there is a prevalent (up to over 60% in the past year) worst-case scenario that takes more than internal (including your IT services firm) hands-on training: a ransomware attack. Because these are so prevalent and nasty, you need to move beyond the physical actions for dealing with such a crisis and create an IR plan that involves your internal and external stakeholders. For example, how and what will you communicate to your stakeholders in the event of a ransomware attack? These communications are quite different if a data breach has occurred – a legal matter, a PR matter, and often a supply chain matter. We would argue that your communications be very carefully crafted and usually on a need-to-know basis unless there is evidence of a breach. Like the pilot of an aircraft, you don’t alert your passengers in every moment of concern. Instead, you use your communication meaningfully to propel them to action when it is needed.
There’s more to your cybersecurity than awareness training, password managers, and firewalls. While important, left on their own they cannot accomplish the heartbeat of cybersecurity—protecting your business for the long term. Instead, by implementing healthy habits and communication plans into your company, you can plan for the kind of bad day that Canada’s healthcare system has had.
Don’t know where to start? The Carolina Cyber Center can assist with the development, improvement, and testing of your company’s Incident Response and Disaster Recover planning. Contact us for more info!
