Hacked companies had backup plans. But they didn't print them out before the attack.
Boardrooms still aren't taking cybersecurity seriously, leaving organisations vulnerable to cyberattacks – with executives only paying attention after things have gone bad, according to the new National Cyber Security Centre (NCSC) boss Lindy Cameron.
"I think in terms of what we want organisations to learn, it is that this is the kind of threat they need to think about. This is the kind of thing that should be as much a regular feature in risk conversations in board rooms as legal risk or financial risk – the CEO see the CISO as often as they see the financial director," Cameron said. She said it should not be a simply a technical conversation with the IT department, but the kind of conversation that's held in the boardroom itself.
"I want organisations to learn how serious the impact can be when this goes wrong," Cameron said. And even if an organisation thinks it has a plan in place, things can still go wrong if some basic elements aren't taken care of.
"I've talked to organisations which have walked in on Monday mornings to find they can't turn on their computers or phones, the backup plan was not printed out so they couldn't find a phone number," Cameron said.
SEE: Security Awareness and Training policy (TechRepublic Premium)
Organisations that fall victim to a cyberattack will often use it to re-prioritise their security strategy.
"There's no doubt that organisations that have experienced that have a much more visceral sense of what it feels like to experience a ransomware attack or cyberattack, and therefore they're prepared better for that," Cameron added.
The NCSC offers tools like Exercise-in-a-Box and cybersecurity guidance for boardrooms to help organisations think about cyberattacks. Exercise-in-a-Box, for example, allows organisations to test their network defences against real cyberattack scenarios and take lessons on how to improve their security from that.
Meanwhile, boardrooms should be involved when it comes to contingency planning against cyberattacks – they're more likely to understand the potential threats if they're discussed not as a technical problem, but a problem with risk, in a similar way to how they'd consider financial risk or legal risk.
"It's the same as any sensible contingency planning. It's worth thinking through what's the worst possible scenario, what's the thing that could go wrong that you need to manage," she added.
SEE: Ransomware: Why we're now facing a perfect storm
That worst possible scenario depends on the organisation; it could be a data breach, it could be an interruption of services, or it could be disruption to cyber-physical systems. But the important thing is for organisations to think about the cyber risks out there and to have a plan to defend and mitigate against them – and if that happens, hands-on aid from the likes of NCSC won't be necessary, because solid cybersecurity strategies are in place.
"Ideally, more and more instances are handled well and handled without additional help," said Cameron.