By Robert Rutherford, CEO of QuoStar
Two-thirds of businesses have no financial plan in place to deal with the aftermath of a cyber-attack, according to a recent survey by Lloyds bank. That can be understandable: financial planning for the consequences of a data breach can seem like an unnecessary extra step. However, it is vital to ensure the business can effectively respond to an external threat, especially with additional regulation on the horizon.
Seeing the benefits
All too often, firms only focus on what has been accessed or stolen in the wake of a cyber-attack, rather than the wider implications for the business. However, depending on the severity of the attack, certain operations may need to be put on hold while repairs are made, or entire segments of the company frozen to make security improvements. Either way, the impact of a cyber-attack is rarely felt in only one part of the business.
Most obviously, any delays in repairing the business following an attack can damage how the company operates. If funds are not readily available, the damage from a data breach may be long-lasting. Indeed, the research from Lloyds found that 65% believed that recovering from an attack could take as long as six months. This highlights a growing need to not only reserve a budget to deal with the consequences of a cyber-attack, but also to understand what response is needed for business continuity.
Putting the money in the right place
It is more than just having money available. The key element is a practical plan to support the business should a cyber-attack occur. Knowing which areas of the company will need financial support is just as important as having the funds available to provide it. An effective plan will review all areas of the business where investment may be needed after an attack, as well as help allocate the necessary funds.
Rebuilding is not the only area that needs investment. While it is important to recover lost data and re-establish operations, if the company is not able to improve its defences, it will remain vulnerable to attack. However, it is important that the company recognises which parts of its defences need to improve. If the business invests in improving firewalls, for example, but the cause of the cyber-attack was a member of staff replying to a phishing email, the investment will not necessarily help defend the business in future.
Making it an ongoing priority
Upcoming regulation is only going to add to the pressure companies face to prepare their finances for a cyber-attack. From 25th May, the General Data Protection Regulation (GDPR) introduces new requirements for data protection and security, and harsher punishments for any failures. In the event of non-compliance, businesses face fines of up to €20 million, or 4% of annual global turnover – whichever is higher.
Hefty penalties have the potential to overwhelm smaller businesses and could prove irreparable if a stringent plan is not in place. While businesses should not be anticipating paying for non-compliance, it is vital they factor in the financial and operational changes GDPR will bring. These can range from employing a Data Protection Officer (DPO) to investing in the digital applications that improve the transparency of the business.
As the saying goes, failure to prepare is preparing to fail. For the business to continue running an effective operation following a data breach or attack, there needs to be a stringent financial plan in place, not only to deal with the aftermath but also to make practical changes to prevent the same situation occurring in future.