After the current Petya destructive wiper malware and recent WannaCry ransomware attacks that affected large numbers of companies, it's a timely reminder for boards to ask their CEO about their company's cyber security preparedness.
Here are 5 key questions to begin with:
1. What would it cost our business to lose our IT systems for a week?
Think about Maersk, which has shut down its whole global system to prevent further exposure to the ransomware. Staff can't access the information required to load and unload ships.
What would be the impact on your company of a total loss of IT systems?
For a rough guide, if sales and turnover are dependent on your IT systems being available, divide your monthly turnover by 20 for the potential daily business impact from loss of trading, excluding the cost to get systems back on-line and damage to your business in the market.
IT systems are exposed to a wide range of risks; over the years I've seen suppliers and clients suffer from each of the following:
- Flooding from an air-conditioning fault soaking servers and ruining them. Ensure valuable computer equipment is raised off the floor.
- Fire on a neighbouring floor closing the office, cutting off all access to IT systems. The same thing happened with the Christchurch earthquake.
- Catastrophic hardware fault.
- Theft of servers and the backups.
- Virus attack preventing normal function of IT systems.
- Ransomware encrypting business critical data such that it is unusable.
2. How valuable is our data?
One way to get a feel for this is to ask two questions.
What would happen to our business if we lost our data?
What would be the impact on our business and our customers if a copy of our data ended up in a cyber criminal or a competitor's hands?
3. How securely do we backup our IT systems?
- Are they running reliably? How do we know this? Do we do a periodic test restore, e.g. quarterly?
- Where are the backups kept? They should be somewhere safe off-site.
- How many days, weeks and months of backup copies do we retain? The very minimum should be 30 days of daily backups.
- Do we back up everything, i.e. operating systems, software and data?
- How long would it take to restore a complete system from backup and who would do it?
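The backup questions above can be turned into a routine check rather than a one-off answer. The following script is an added illustration, not part of the original post: it audits a constructed list of backup records for gaps in the last 30 days of daily copies, counts off-site copies, and verifies a test restore by comparing SHA-256 digests of the original and restored data. The record layout, the sample dates and the sample data are all hypothetical.

```python
"""Backup audit: retention coverage, off-site copies and a verified test restore.

Added example for the board checklist above; the record format, dates and
file contents below are constructed for illustration, not real backups.
"""
from datetime import date, timedelta
import hashlib

MIN_DAILY_COPIES = 30  # the post's stated minimum: 30 days of daily backups


def retention_gaps(backup_dates, today, min_daily=MIN_DAILY_COPIES):
    """Return the days within the last `min_daily` days that have no backup copy.

    An empty list means the retention minimum is fully covered.
    """
    have = set(backup_dates)
    gaps = []
    for offset in range(min_daily):
        day = today - timedelta(days=offset)
        if day not in have:
            gaps.append(day)
    return gaps


def verify_restore(original, restored):
    """A test restore passes only if the restored bytes hash identically to the original."""
    return hashlib.sha256(original).hexdigest() == hashlib.sha256(restored).hexdigest()


def audit_backups(records, today, original, restored):
    """Answer the three backup questions for a list of {"date", "location"} records."""
    gaps = retention_gaps([r["date"] for r in records], today)
    offsite = sum(1 for r in records if r["location"] == "offsite")
    return {
        "retention_ok": not gaps,
        "missing_days": gaps,
        "offsite_copies": offsite,
        "restore_ok": verify_restore(original, restored),
    }


# Constructed sample: nightly backups over 35 days, one weekly copy sent off-site,
# with day 12 missing to simulate a failed backup job nobody noticed.
TODAY = date(2017, 6, 28)
SAMPLE_BACKUPS = [
    {"date": TODAY - timedelta(days=i), "location": "offsite" if i % 7 == 0 else "onsite"}
    for i in range(35)
    if i != 12
]
ORIGINAL_DATA = b"ledger,2017-06-28,invoice-1001,paid\n"   # constructed file content
RESTORED_DATA = b"ledger,2017-06-28,invoice-1001,paid\n"   # what the test restore produced
CORRUPT_RESTORE = b"ledger,2017-06-28,invoice-1001,pa\n"   # a truncated restore

if __name__ == "__main__":
    report = audit_backups(SAMPLE_BACKUPS, TODAY, ORIGINAL_DATA, RESTORED_DATA)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run quarterly against the real backup catalogue, a report like this gives a board a factual answer to "how do we know the backups work?" instead of an assurance; the missing day in the sample is exactly the kind of silent failure a periodic check is meant to surface.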
4. How secure are our IT systems?
- When was our network security last reviewed and by whom?
- How often do we update Windows patches on our computers?
- Do we have any computers running non-current Windows operating systems?
- What are our weakest points?
- What are our password security rules and how often are passwords required to be changed?
- Do our computers automatically log out after a period of inactivity?
- Who has access to our most critical passwords and how are they stored? E.g. are they stored in a secure password management system (recommended), or insecurely written down or stored in documents on the system?
- Is our physical security sufficient to protect against unauthorised access?
5. What staff training and awareness do we conduct?
- Many cyber attacks are delivered via malicious emails, and they are getting quite sophisticated.
- Regular cyber awareness discussions help staff remain up-to-date, more aware, and vigilant.
This certainly isn't an exhaustive list, but it is a good start for understanding the risk to the business and the potential cost, and for prompting an action plan should it appear that the business is not well prepared.