Business disruption cyber attacks set to spur defence plans, says Gartner

By 2018, 40% of organisations will have plans to address cyber-security business disruption attacks, up from 0% in 2015, says Gartner

By 2018, 40% of large organisations will have formal plans to address aggressive cyber-security business disruption attacks, up from 0% in 2015, according to research firm Gartner.

Business disruption attacks require a higher priority from chief information security officers (CISOs) and business continuity management (BCM) leaders, the Gartner said.

"Gartner defines aggressive business disruption attacks as targeted attacks that reach deeply into internal digital business operations, with the express purpose of widespread business damage," said Paul Proctor, vice-president and distinguished analyst at Gartner.

"Servers may be taken down completely, data wiped and digital intellectual property released on the internet by attackers. Victim organisations could be hounded by media inquiries for response and status, and government reaction and statements may increase the visibility and chaos of the attack.”

Employees may not be able to fully function normally in the workplace for months, and attacks may expose embarrassing internal data via social media channels – which Proctor said could have a longer media cycle than a breach of credit card or personal data.

Read more about the cyber attack on Sony Pictures Entertainment

Sony attack highlights problem of complexity

To combat these types of attacks, Gartner recommends CISOs switch focus from blocking and detecting attacks, to detecting and responding to attacks.

The warning comes just three months after a devastating cyber attack hit Sony Pictures Entertainment, causing severe disruption to its business.

The attack disabled computers, and employees found they had lost all past email, contacts, distribution lists, budgets and anything else stored on the network.

"Entirely avoiding a compromise in a large complex organisation is just not possible, so an emphasis on detect-and-respond approaches has been building for several years, as attack patterns and overwhelming evidence support that a compromise will occur," said Proctor.

"Preventive controls, such as firewalls, antivirus and vulnerability management, should not be the only focus of a mature security programme. Balancing investment in detection and response capabilities acknowledges this new reality.”

Internet of things susceptible to disruption

Gartner said that the rise of ubiquitously connected devices and the internet of things (IoT) has expanded the attack surface, and commands increased attention, larger budgets and deeper scrutiny by management.

These revelations should not restrict digital businesses, said Gartner, but emphasis must be placed on addressing technology dependencies and the impact of technology failure on business process and outcomes.

Gartner recommends information owners should be made explicitly accountable for protecting their information resources, ensuring they give due consideration to risks when they commission or develop digital business systems.

The expectation that digital business will be a successful consumer business model relies on IoT devices being "always available". Gartner warns that any interruption at any point during the end-to-end transaction process means that business transactions may not be completed, negatively affecting customer allegiance and the revenue stream expected from the digital business offering.

As a result, Gartner expects the standard of due care for security programme maturity will increase, with risk, security and BCM leaders getting more pressure and more support from executive boards than ever before.

Fresh incentive for security investment

Executive boards have increased their attention on cyber security since 2012, but Gartner believes recent revelations of business disruption attacks provide a fresh opportunity to build the new business case for cyber-security investment and institutionalise more proactive thinking about cyber-security risks.

"CISOs and chief risk officers (CROs) can and should persuade executives to shift their thinking from traditional approaches toward risk, security and business continuity management,” said Proctor.

“Security is not a technical problem, handled by technical people, buried somewhere in the IT department, and organisations need to start solving tomorrow's problems now.”

Read more on Business continuity planning