When to pull the plug on an ecommerce site

The Tesco website outage late last year reminded us of the fragility of enterprise cyber security. While organisations in every sector are at risk, cyber criminals often choose their targets based on the potential to cause disruption at scale and in the full glare of negative publicity.

Those reliant on ecommerce services are prime candidates for attack. Not only can a breach bring an immediate and major financial impact, but the disruption is often amplified by customers sharing justifiable concerns about whether their data is safe and when services will be restored.

Adversaries rely on the pressure this puts on organisational leadership – some of whom must determine when to pull the plug on their ecommerce sites. Doing so is, of course, not always at the behest of the CEO or chief information security officer (CISO) – the decision can be taken for them if an attack is particularly effective or poorly defended.

To explore these issues, I spoke to Dougie Grant, a cyber security veteran with 25 years’ experience, with the last five spent in the NCSC Incident Management Team before becoming a director at UK-based Nihon Cyber Defence.

To be better prepared, he believes leaders first need to engage with cyber security more effectively. “In the past, organisations have dealt with cyber attacks as a matter only for the CISO,” said Grant.

Instead, they should be treated as business-wide crisis management incidents and addressed with a holistic response led by the CEO. This should include finance, communications and legal teams, and, ideally, every internal stakeholder must be involved in the planning process and fully understand their role when a crisis hits.

That’s a key point. Yes, the CISO is critical in addressing the technology issue and driving the recovery process, and while, ultimately, it will be the CEO who gives the final order that shuts down a production line or ecommerce website, there’s more to it than that. A CEO who is already engaged with their organisation’s cyber security strategy and incident response planning – even at a high level – will be in a better position to lead their team through the crisis.

A cyber security crisis is not the moment to be defining or changing responsibilities – that’s a recipe for confusion that can impact response effectiveness. Instead, conversations between the CEO and CISO should be focused on what is required to ensure the quick and decisive implementation of response and recovery plans (if any exist).

As Grant further explained: “This will determine how well organisations will emerge from an attack. It isn’t just about having a playbook ready for when things go wrong, it requires a commitment to developing processes that are well-rehearsed and address fundamental, fast-moving challenges.”

From legal and reporting and legislative responsibilities to company operations, consumers, and just about every function where technology plays a part, the responsibility for dealing with and reducing the consequences of a severe breach falls on the whole management team.

Rather than considering the worst-case scenario, teams may fall victim to optimism bias. When in-house workers are quickly overwhelmed by the huge strain of dealing with the scope of an assault, the negative impact of this typically becomes obvious. While external, professional help and incident response are all crucial, it’s always best to consult specialists ahead of time rather than in an emergency.

In the teeth of a security crisis, organisations that haven’t prepared can be left with one unpleasant option: hope. When lost ecommerce revenue is climbing by the minute, hoping the crisis will be resolved quickly is a mistake most leaders will only make once.

Initiating and following a well-considered plan, however, can help keep decisions such as when to pull the plug on an ecommerce site in the organisation’s own hands.

Danny Lopez is CEO of Glasswall.