What would a cyber attack look like in the real world?
Could you visualise the impact of a cyber attack on your business? What would it look like if it happened in the physical world rather than in cyberspace?
In this article, I break down the barriers between ‘real’ and ‘virtual’ when it comes to addressing cyber security in your business, dispelling common myths and unlocking the secret to integrating cyber security into Business As Usual (or BAU).
One of the main stumbling blocks to successfully implementing cyber security is being able to visualise the impact a cyber attack would have on the everyday running of a business.
Cyber crime is often thought of as an ‘unseen threat’, something elusive or intangible, and the language around it can be intimidating. The fact that it all seems to exist ‘in the ether’ makes it difficult to picture the threat landscape and translate it into meaningful, productive discussions between key decision makers and technical experts.
This is not surprising considering most businesses aren’t started with cyber crime or cyber security as a focal point – in fact the internet wasn’t even around when many of them first came into existence!
So, it has been a steep learning curve for many, but as technology continues to advance and develop at an exponential rate, it’s vital that we take cyber security seriously and integrate it into our BAU activity at the top level.
Visualising a cyber attack
So, I’d like to guide you on a short visualisation exercise – don’t worry, I’m not going to ask you to close your eyes or try to hypnotise you!
All I’d like you to do is to try to imagine what a cyber attack on your business might look like.
What comes to mind?
Some of you may not know where to start and draw a blank…
Others might see a ransomware message on a computer screen…
Some might think of a complete meltdown!
Regardless of what your imagination came up with, this video by Hiscox does a fantastic job of putting a cyber attack into a real world context.
This does come with a disclaimer; there are other equally reputable business insurance companies out there but, as far as I am aware, none of them have made a video like this!
This video has also prompted many people to get in touch with me to share their thoughts on it. If you’d like to let me know what you think, you can share your feedback with me on LinkedIn; judging by the feedback I’ve had so far, it seems to be quite an eye opener!
There are plenty of myths and misconceptions around cyber security which only serve to muddy already cloudy waters. Here are a few of the most common ones I’ve heard during my time working in cyber security.
Myth #1 “Cyber security is complex; I won’t understand it”
Technically speaking, yes, cyber security is complex, but it’s all about ‘need to know’.
One way to look at it is this: every business is required by law to have a Health and Safety Policy in place (in the UK, any employer with five or more employees must have it in writing), with a nominated employee (often a facilities or office manager) responsible for maintaining the policy and overseeing any day-to-day issues that arise in relation to it. As a ‘top level’ decision maker, you don’t need to know the finer details, such as which hinges are needed for fire doors or how the fire alarms and smoke detectors are powered, but you do need to approve the budget used to maintain, repair or replace these items, and you’ll most likely take part in a fire drill to test the emergency evacuation plan.
The approach to cyber security is exactly the same: you don’t need to be able to speak in ‘ones and zeros’ or write code, but you do need to know which of your assets are most valuable and most exposed, which threats are out there, how you defend against them and how you would recover if one got through.
Let’s do a little experiment, I’d like you to take away the word ‘cyber’ from the phrase ‘Cyber Security’ and replace it with the word ‘data’, ‘information’ or even ‘business’.
Not so alien now, is it?
Essentially, that’s all it is. Every business has valuable assets which need to be protected from damage or theft. Whether those assets sit in the physical world or the virtual world, the threat and the risk are the same, so they deserve the same consideration when it comes to protection and prevention.
Myth #2 “Attacks are targeted; the criminals aren’t interested in us”
According to the Government’s Cyber Security Breaches Survey 2022 (a random probability telephone survey of 1,243 UK businesses, 424 UK registered charities and 420 education institutions, carried out from 16 October 2021 to 21 January 2022), 39% of UK businesses identified a cyber attack in the previous 12 months. Of those, 83% reported phishing attempts and 26% identified a more sophisticated attack type such as a denial of service, malware or ransomware attack. The phishing figure is the important one here: most phishing is sent in bulk to every address the attacker can find, so a business is hit not because it was chosen but simply because it was reachable.
Consider your supply chain too. Do you hold government contracts? Do you work with any Operators of Essential Services (OES), whose disruption could affect national infrastructure? Are you partnered with organisations which might attract unwanted attention? Cyber criminals could use you to infiltrate the networks of more lucrative targets; you might be their back door, their way in.
It also works the other way; is there a potential weak link which could lead threat actors to your front door?
Myth #3 “Our cyber insurance has got it covered”
The National Cyber Security Centre (NCSC) published an article on their website about Cyber Insurance and in it they stress to businesses that “cyber insurance will not instantly solve all of your cyber security issues, and it will not prevent a cyber breach/attack. Just as homeowners with household insurance are expected to have adequate security measures in place, organisations must continue to put measures in place to protect what they care about.”
Make sure you understand in detail what the policy covers and, equally important, what it excludes. For example, some policies will not cover money lost through business email compromise fraud: the attack may start with a phishing email, but the loss is a payment your own staff were tricked into making, and insurers commonly treat that as social engineering or funds transfer fraud, which is excluded or capped at a low sub-limit unless bought as a separate extension. Considering phishing has been identified as the most prolific attack vector, it’s vital you know whether your policy will pay out in the event of a phishing attack.
As with other insurance policies, you should also let your insurers know when your circumstances change so that you’re still covered. If you’re claiming that security measures are in place when they’re not, the insurer may not be obliged to pay any claims. It’s also worth checking if the insurer requires certain conditions to be met for the policy to remain valid throughout its term. For example, some insurers now require Cyber Essentials certification as standard or may give a discount to those who have already been CE certified.
Integrating cyber security into BAU
The NCSC Board Toolkit advises businesses to “embed cyber security into your structure and objectives” and if we go back to my earlier advice about replacing the word ‘cyber’ in the phrase ‘cyber security’ with ‘data’, ‘information’ or ‘business’; you can see how it all starts to knit together, like a beautiful scarf bejewelled in best practice, up to date policy documents and comprehensive procedures.
It goes on to say “cyber security should be seen as an enabler: something that supports an organisation’s overall objectives rather than a standalone issue. It isn’t just about having good technology: it’s also about people having a good relationship with security and having the right processes in place across the organisation to manage it.”
It’s important to remember that cyber crime is a real threat; it’s not a case of ‘if’ but ‘when’. Simply put, cyber security protects your business, its assets and, in many cases, your customers. Don’t assume your cyber insurance is a ‘catch all’ solution; it’s one part of a multi-layered approach which sits within risk management and business continuity.
Start the conversation…
It’s up to you to get the ball rolling, so here are three key questions to ask yourself and your IT support team.
- Who is responsible for cyber security in my company?
- Do we have a process that ensures cyber risk is integrated with business risk?
- How would we know when an incident occurs?
A free cyber security consultation with TSG
If you’re struggling to find the answers or need help deciding your next steps, why not book a FREE 30 minute consultation with our dedicated cyber security team?
During the consultation, we will explore your organisation’s current security landscape, uncovering threats and weak spots in order to understand your security posture and maturity level.