Cyber Security Consultancy: Why Planning Prevents Costly Breaches


Introduction

The company website is attracting thousands of customers, and orders are flowing smoothly. Everything looks good. Then it happens… 

You find out that customer credit cards have been compromised. The website is suddenly a key point of focus – for the wrong reasons. A cyber-attack has led to the unauthorised collection of customer payment card details – harvested without the customers' knowledge. Many unauthorised payments have been made, with the website identified as the root cause. An investigation starts and takes months to complete. Teams of experts review systems, incurring huge costs. Media attention is high and the brand is damaged. The Information Commissioner’s Office (ICO) issues a penalty notice for thousands or millions of pounds…

This introduction is based on a real-life example. In this article, we focus on the theme of planning – we reference a specific case study, provide general guidance, and make recommendations.


What is Planning?

Cyber security planning is about forward thinking to avoid problems before they occur. It can relate to day-to-day activities, as well as big projects. It’s about having the right level of security and not just considering it as an afterthought – with effective cyber security being ‘built in’ rather than ‘bolted on’. Security measures can be introduced at the right time, and organisations can demonstrate increased cyber resilience, with greater efficiencies. Major incidents can also be avoided.


Relatable Case Study

Incident: In 2018, British Airways (BA) suffered a major data breach where attackers injected malicious code into its website and app, diverting customer payment details to a fake domain. Over 400,000 customers were affected, with the breach going unnoticed for around two months.

Planning lessons from this incident:

  1. Project and operations – the failure to secure third-party scripts on the website can indicate oversight in web development processes and operational security gaps
  2. Proactive planning – the absence of effective website checks and incident response can delay breach detection

Sources:

  1. https://www.edpb.europa.eu/news/national-news/2019/ico-statement-intention-fine-british-airways-ps18339m-under-gdpr-data_en – ICO statement of intention to fine British Airways £183.39m under GDPR
  2. https://www.bbc.co.uk/news/technology-54568784 – British Airways fined £20m over data breach

General Guidance – for Planning


Recommended Actions – for Planning

  1. Keep it simple and secure
  2. Use a risk assessment to determine appropriate action
  3. Develop business objectives that relate to information security and continuously improve 
  4. Demonstrate information security is in place – through policy, projects and operations
  5. Maintain a list of suppliers, third parties and partners, capturing their security posture – such as whether they’re Cyber Essentials or Cyber Essentials Plus certified 
  6. Seek guidance and support from a Certified Information System Security Professional (CISSP) – such as RB Consultancy Ltd


How We Help

At RB Consultancy Ltd, we support organisations by:


Conclusion – Why Planning Prevents Costly Cyber Security Breaches

Effective planning with cyber security in mind can help avoid major security incidents. A cyber security incident can severely damage an organisation’s reputation and finances, as shown by the British Airways 2018 incident, where over 400,000 customer payment details were compromised, resulting in a £20 million fine. 

This article highlights the importance of proactive security planning to support resilience and help avoid incidents. Planning means integrating security measures into daily operations and major projects from the beginning – not adding them on as an afterthought. A risk-based approach can help identify the specific security controls, measures, and steps to take for an organisation of any size.

RB Consultancy Ltd helps organisations understand the importance of planning. We support the implementation of appropriate measures to help build cyber resilience. We are an IASME Certification Body and NCSC Assured Service Provider, providing services to empower and protect organisations. We hold CISSP and ISO 27001 Lead Implementer certifications; Contact Us for assistance with cyber security resilience.


This blog is written by Remo Belisari, Managing Director of RB Consultancy Ltd. He is an experienced cyber security professional and cyber advisor. Remo holds certifications in CISSP, ISSAP, ISO 27001, Cyber Essentials, and IASME Cyber Assurance. He has many years of experience in IT and cyber security. He has supported organisations worldwide. His work includes helping a Fortune 500 company in the USA and over 100 organisations across the UK. The views in this blog are his own. They do not necessarily reflect the views of RB Consultancy Ltd, its clients, partners, or affiliates. The content is for general information only. 
