The head of the National Cyber Security Centre (NCSC), Ciaran Martin, has said that it is a matter of “when, not if” the UK suffers a category one cyber attack.
Martin told the Guardian that he expects such an attack to take place in the next two years, and that the UK would be “fortunate” if it survived that long.
The NCSC defines a category one cyber attack as an incident that disrupts critical infrastructure, the financial sector or an election.
This prediction isn’t too bold, considering that the US and France have already been hit by category one attacks and the UK is a similarly big target. However, Martin’s statement brings into question whether organisations are prepared for this eventuality. Last year’s WannaCry pandemic wreaked havoc, but a category one attack would have much wider consequences.
Do you have a plan?
There might be no way to prevent a massive cyber attack, but Martin stressed the need for organisations to “cauterise the damage”. He’s referring to a business continuity management system (BCMS), which organisations should implement to mitigate the damage of a cyber attack or other disaster and speed up the recovery process.
Much of the damage caused by cyber attacks is a result of extensive delays as the affected organisation attempts to rectify the situation. The longer it takes to respond to an attack, the harder it is to get back to normal. Problems mount and the backlog of work grows steadily. Take WannaCry, for example: hospitals were still recovering from the delays weeks after the malware was contained.
This wouldn’t have happened had they had a BCMS in place. Instead, they would have been able to quickly transition to a backup plan that would have allowed mission-critical systems to provide an adequate level of service.
A BCMS should work alongside an organisation’s defence measures to form a two-pronged approach known as cyber resilience. This framework is essential to handling cyber threats effectively and realistically; you can’t expect to prevent all cyber attacks, but that doesn’t mean you should bear the full brunt of one.
Organisations that implement a cyber resilience approach:
- Reduce financial losses;
- Improve company culture;
- Protect their brand and reputation; and
- Meet legal and regulatory requirements.
This last point is particularly pressing for organisations in critical sectors of the economy such as health, energy, banking and transportation, as they are subject to the Directive on security of network and information systems (NIS Directive).
The NIS Directive
The NIS Directive, which must be transposed into EU member states’ national laws by 9 May 2018, mandates that organisations under its scope achieve a robust level of cyber resilience.
You can find out what that entails by reading our free NIS Directive compliance guide, which covers:
- The Directive’s requirements and the UK government’s implementation approach;
- The proposed assurance regime;
- Which organisations are in scope of the NIS Directive;
- The proposed security requirements for compliance; and
- How you can implement a compliance programme to meet the NIS Directive’s requirements.