Information Security Forum talks up 'cyber resilience'

Security organisation advises firms on a strategy to deal with unpredictable cyber attacks

Organisations need to prepare to handle cyber security incidents that are difficult, if not impossible, to predict.

This message comes from membership group the Information Security Forum (ISF), which has made a report available to its members detailing the strategy it recommends to cope with unforeseen cyber events.

Michael de Crespigny, chief executive of the ISF, explained that businesses cannot afford to overly restrict their exposure to cyber risk, due to the importance of the internet to most firms.

"In the business to consumer market, 80 per cent of business growth comes from online channels, so you risk your success if you're not actively involved," he said.

He added that there is often pressure internally in businesses to adopt the latest internet trends and services, such as using Twitter for marketing communications.

However, de Crespigny said that using new technologies always comes with risks.

"Technologies are used against organisations in ways that are difficult to predict," he explained.

He cited the example of Qantas, which last year set up a Twitter hashtag, entreating customers to tweet positive feedback about their experiences.

However, when the airline was forced to suddenly ground many of its aircraft, due to a suspected technical problem, the firm's stranded customers used the tag to vent their frustrations.

Sony and secure token specialist RSA also ran into problems last year, as both companies suffered embarrassing hacks and lost sensitive data.

De Crespigny said that, while the attacks themselves may have been hard to predict or prevent, the way in which the firms responded to the attacks could have been handled better.

Both RSA and Sony were criticised at the time for taking several weeks to fully inform customers that their data had been stolen.

He explained that what is needed is an ability to respond not just technically, but in a co-ordinated and collaborative way. He termed the strategy cyber resilience.

"Organisations need to co-ordinate their response with their customers, suppliers and other stakeholders, so you know in advance how to react to the threats you're unable to predict," he said.

Functions like PR and IT must communicate internally, but suppliers, customers and shareholders also need to be involved.

"Many organisations may be affected - not because they have been targeted themselves, but because a supplier has been attacked. The approach must be collaborative," concluded de Crespigny.

The report will be made available to non-members next week from the ISF's website.