Apparently, there is no substantive evidence that the quote widely attributed to Benjamin Franklin “Failing to plan is planning to fail” was ever said by him! Nonetheless, it is a wise adage and still as relevant today as it was in 1790 when Mr Franklin wasn’t saying it.
Advance planning is valuable in many aspects of life – this is especially true within the realms of business continuity and cyber resilience. One of the first steps in any risk-management-based programme is the identification of risks particular to your organisation. In business continuity circles, the exercise of exploring these risks with stakeholders is known as a Business Impact Assessment/Analysis. In cyber circles, it could be the process of comparing the status of your organisation against some of the recognised frameworks, such as Cyber Essentials or ISO27001. If your organisation, like many charities and voluntary sector organisations, is not terribly mature in the cyber-stakes, the brilliant Cyber Health Check from SCVO is a great place to start. All of these processes will identify gaps, and decisions can then be made around the risks highlighted – do you accept, mitigate, transfer or avoid these risks? It’s a complex business!
Undertaking such an analysis is a great way to work out what remedial action your organisation may need to get into good shape, cyber-wise. Assuming that you have ticked all the tech boxes and trained your people, where do you need to go next?
When we cyber-folk talk to people, we state that every organisation should take a “When Not If” attitude towards being the victim of a cyber-attack. (Again, no citation, but I would guess that the boffins at the National Cyber Security Centre (NCSC) say that all the time.) Having a proactive attitude to incident response planning may be the difference between recovery and failure of your business, so where do you begin?
Fortunately, help is at hand. Colleagues at the CyberScotland Partnership have just collated the MOST EXCELLENT Incident Response planning pack, which covers the main steps towards cyber resilience and helps you prepare your response in a structured and managed way. This pack includes an introduction to IR planning, a prepare your business checklist and an emergency contact list template, as well as really helpful advice on reputation management and legal responsibilities during an incident. I can’t think of a better place to start than with this resource – it is more straightforward and logical than people think.
After you have compiled your IR plan and shared it within your charity, a fantastic idea is to test the plan you have drawn up. Again, help is at hand from the Scottish Business Resilience Centre (SBRC), which provides facilitated sessions of the NCSC’s Exercise in a Box toolkit. Exercise in a Box is an online tool that helps organisations test and practise their response to a cyber-attack. There are a number of different scenarios, including home working and digital supply chain, and each scenario features a set of probing questions to help you understand whether what you have in place is enough, and what else you could be thinking of implementing to strengthen your defences.
The best way to get value out of these sessions is to book on with your Incident Management Team and work through the facilitated process together with the SBRC Ethical Hackers. You leave the session with an action list for improvements and the opportunity to have a further one to one telephone call with one of the ethical hackers to explore next steps.
That does all seem like a lot to take in… risk analysis, incident response plans, exercising… all fairly heavy-duty stuff, but help is readily available. Do contact me directly to discuss how your charity can get help to work your way through this process. Let’s start planning to not fail by planning!