The CRIF Framework - Respond & Recover Phases
Respond and Recover Phases
It is safe to say that without reviewing your cyber risks [via a formal risk assessment] and the appropriateness of your security controls, processes and procedures, your organisation will not be well placed to Respond to or Recover (R&R) from a cyber attack or data breach. Essentially, if you do not Protect and Detect effectively, i.e. with controls commensurate with the value of your business assets, there is limited opportunity for the organisation to respond to the cyber attack at all, because you will not know that it has happened or is still happening. Typical attributes of an adequate Respond strategy are formal relationships or in-house capability around forensics, crisis management, cyber incident response and first responder training.
Consequently, it is the R&R phases that cause UK businesses the most pain, as this is where specialist skills are required, along with business buy-in that a cyber problem actually exists and the removal of the ‘it won’t happen to me’ mentality. It is also where the largest proportion of hidden costs (£) sits for a business, e.g. lost website sales due to a DDoS attack, or changes in processes and education following a data breach. A business should not underestimate the total cost of managing a cyber incident, or the impact such an incident may have on its brand, its reputation in the market-place and its customer loyalty.
As with other, more traditional forms of risk, organisations need to quantify the impact on their business and their ability to continue normal operations when faced with a cyber-related incident. Part of that quantification process is to identify the likely costs to the organisation, be they legal expenses, potential liabilities, customer notification and public relations (PR) in the event of a hack of personal data, or loss of revenue, increased costs of working and reputational harm in the event of a critical network failure.
It is also important for organisations to understand the possible frequency of such incidents, as persistent problems can considerably increase costs and result in greater damage to reputation. Frequency of incidents is also a key concern for insurance underwriters, so it must form part of any risk assessment.
Only once this exercise is complete can an organisation truly examine its risk appetite in this area and discuss internally: how the risks can be mitigated through additional spend on IT services, infrastructure and network security; how much of the risk the business is willing to retain; and the possibility of risk transfer through insurance, including being able to determine adequate limits, risk retentions and, of course, the budget for the insurance premium.
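As an added illustration of the quantification step described above (this is example code written for this page, not part of the CRIF framework or the original article), the Python model below puts the pieces together: each incident type carries a per-incident cost breakdown (legal, notification, PR, lost revenue and so on) and an expected annual frequency; insurance is modelled with a premium, a per-incident retention and a per-incident limit; and the four treatments the passage lists (retain, mitigate through additional control spend, transfer through insurance, or both) are compared against an agreed risk appetite. All figures, scenario names and the assumption that control spend reduces frequency proportionally are constructed placeholders for the example, not values from the page.

```python
# Added example: a minimal cyber risk quantification model of the kind the
# passage describes. All figures below are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Scenario:
    """One incident type with its per-incident cost breakdown (GBP) and expected frequency."""
    name: str
    annual_frequency: float                    # expected incidents per year
    costs: dict = field(default_factory=dict)  # cost category -> GBP per incident

    def single_loss(self) -> float:
        """Total cost of one occurrence: legal, notification, PR, lost revenue, etc."""
        return sum(self.costs.values())

    def annual_expected_loss(self) -> float:
        """Frequency x single loss: the figure a risk register or underwriter asks for."""
        return self.annual_frequency * self.single_loss()


@dataclass
class Insurance:
    """Hypothetical policy terms: premium, per-incident retention and per-incident limit."""
    premium: float    # paid every year whether or not an incident occurs
    retention: float  # the business pays this much of each incident before cover starts
    limit: float      # maximum insurer payout per incident

    def insurer_pays(self, loss: float) -> float:
        """Recovery on one incident: the slice above the retention, capped at the limit."""
        return min(max(loss - self.retention, 0.0), self.limit)


def retained_annual_loss(scenarios, insurance=None) -> float:
    """Expected annual cost kept by the business after any insurance recovery, plus premium."""
    total = 0.0
    for s in scenarios:
        loss = s.single_loss()
        recovered = insurance.insurer_pays(loss) if insurance else 0.0
        total += s.annual_frequency * (loss - recovered)
    if insurance:
        total += insurance.premium
    return total


def with_controls(scenarios, frequency_factor: float):
    """Assumption for the example: additional security spend scales incident frequency by a factor."""
    return [Scenario(s.name, s.annual_frequency * frequency_factor, dict(s.costs))
            for s in scenarios]


def compare_treatments(scenarios, control_spend: float, frequency_factor: float,
                       insurance: Insurance) -> dict:
    """Expected annual cost under each risk treatment, to be set against risk appetite."""
    mitigated = with_controls(scenarios, frequency_factor)
    return {
        "retain": retained_annual_loss(scenarios),
        "mitigate": control_spend + retained_annual_loss(mitigated),
        "transfer": retained_annual_loss(scenarios, insurance),
        "mitigate_and_transfer": control_spend + retained_annual_loss(mitigated, insurance),
    }


def within_appetite(treatment_costs: dict, appetite: float) -> list:
    """Treatments whose expected annual cost fits the agreed risk appetite, cheapest first."""
    return sorted((n for n, c in treatment_costs.items() if c <= appetite),
                  key=treatment_costs.get)


# Constructed sample figures (hypothetical; not taken from the page)
SAMPLE_SCENARIOS = [
    Scenario("personal data breach", 0.2,
             {"legal": 50_000.0, "notification": 20_000.0, "pr": 30_000.0, "regulatory": 100_000.0}),
    Scenario("DDoS outage", 2.0,
             {"lost_sales": 15_000.0, "increased_working_costs": 5_000.0}),
]
SAMPLE_INSURANCE = Insurance(premium=25_000.0, retention=10_000.0, limit=150_000.0)

if __name__ == "__main__":
    costs = compare_treatments(SAMPLE_SCENARIOS, control_spend=30_000.0,
                               frequency_factor=0.5, insurance=SAMPLE_INSURANCE)
    for name, cost in costs.items():
        print(f"{name:>22}: £{cost:,.0f} expected per year")
    print("within a £60,000 appetite:", within_appetite(costs, 60_000.0))
```

The point of running the comparison rather than looking at annual expected loss alone is that the treatments interact: a high-frequency, low-cost scenario such as the DDoS example sits almost entirely below the retention, so insurance does little for it, whereas the rare, expensive data breach is where the limit and retention matter. That is why the passage ties limits, retentions and premium budget to the quantification exercise rather than treating them as separate decisions.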
A cyber risk assessment standard or framework would greatly assist organisations in the all-important quantification process, but any such standard or framework would do well to consider that organisations cannot easily be placed into “typical” brackets or categories by their size or industry. Such quantification analysis would, however, bring a deeper understanding of the often unique risks faced by different organisations and help highlight those risks in a much more coherent fashion to Senior Management, audit and compliance, and the insurance industry.