Cyber attack contingency plans should be put on paper, firms told

According to the most recent information, people should brace for future cyberattacks by returning to pen and paper. The government has sent letters from chief executives around the country, all advising that they should have physical copies of their plans available as a precaution. A recent string of hacks has highlighted the chaos that could ensue if hackers take control of computer networks. The warning comes as the National Cyber-Security Centre (NCSC) announced an increase in nationally significant attacks this year.

Marks and Spencer, The Co-op and Jaguar Land Rover, have all been affected by criminal hacks, resulting in empty shelves and production lines being suspended this year as the companies continued without their computer systems. Organisations must

have a strategy for how they will continue to operate wIThout their IT (and re-inITing the infrastructure at speed), according to Richard Horne, chief executive of the NCSC. Firms are being encouraged to explore beyond cyber-security controls into something called

resilience engineering,

which focuses on the design of systems that can plan, absorb, recover, and adapt in the case of an attack. According to the department, plans should be saved in paper or offline, and they should include information about how teams can collaborate without email and other analogue workarounds. These types of cyber attack contingency plans are not new, but it's notable that the UK's cyber authority is putting the information into its annual report. Although the total number of hackers that the NCSC dealt with in the first nine months of this year was 429, roughly the same as for a similar period last year, there has been an increase in hacks with a greater effect. Nearly half, or 204, of all incidents, were associated with

nationally significant

incidents. Last year, only 89 people were in that category. In the three highest categories of the NCSC and UK law enforcement categorisation scheme, a nationally significant occurrence covers cyber-attacks in the three most prominent categories: 4% (18) were in the second highest category

highly significant" this year. This is an increase of 50% in such incidents, the third year in a row. The NCSC will not disclose whether or not attacks fall into which category, whether public or classified. However, it is also estimated that the series of attacks on UK retailers in the spring, which affected Marks and Spencer, The Co-op and Harrods, would be classified as a significant event as compared to a benchmark. Last year, one of the most deadly attacks on a blood testing company caused significant difficulties for London hospitals. It resulted in significant medical disruption and directly contributed to at least one patient's death. The NCSC will not specify which class this incident will fall into. The overwhelming majority of assaults are financially motivated by criminal organisations who use ransomware or data extortion to blackmail a perpetrator into forking Bitcoins in ransom. Although most cyber-crime groups are headquartered in Russian or former Soviet countries, a revival of teenage hacker clans based in English-speaking countries has arisen. So far this year, seven teenagers have been arrested in the United Kingdom as part of probes into major cyberattacks. The government is advising small businesses that have completed the widely distributed Cyber-Essentials program that, as well as the tips about increased readiness and collaboration, that the government is encouraging them to make the most of the free tools and services offered by the NCSC, such as free cyber-insurance for small businesses.

'Basic protection'

It's no longer a case of if such incidents will occur, but when.

We were throwing £120,000 a year at [cyber-security] with insurance and equipment, as well as third-party managed systems,

Mr Abbott told BBC Radio 5 Live on Tuesday. He said he now focuses on defense, education, and contingency, the latter of which involves planning what is needed to keep a company operating in the event of an attack or outage.

The call for pen and paper may sound old-fashioned,

Graeme Stewart, head of public sector at Check Point, said, noting that digital infrastructure can be rendered useless after hackers attacked.

You wouldn't walk into a building site without a helmet,

he said, though companies continue to go online without basic security. "Cybersecurity must be treated with the same skepticism as well as health and safety: not optional, not an afterthought, but a regular part of everyday working life.