At 12:38, Friday afternoon, a Wall Street Journal alert came across my phone as “Breaking News”.
I’m not sure this is breaking news. The number of troops amassing on the Ukraine border has increased, not diminished, in the last few days. Speculation has been that an attack will likely involve tanks, fighter jets, missiles, and a cyber attack. I suppose the “Breaking News” part of the bulletin could have been that the Russian attack is expected in the next few days. Though, again, we have been hearing for a few weeks that the attack is imminent and will happen any day now.
I am not trying to make light of the suffering and loss of life that will occur when/if Putin and the Russian government launch their attack, even as a minor skirmish or limited engagement, into Ukraine. However, in our alert-obsessed existence, every rehash of an idea is not breaking news.
A cyber attack on Ukraine would be designed to sow chaos and fear in the population and limit how effectively the Ukrainian government could mount a response to a physical military attack. With a few exceptions, targeted cyber attacks tend to find their way into the wild and grow past their intended objectives. Of course, this assumes that Russia will only be targeting Ukraine and not take the opportunity to sow chaos in NATO member countries or the United States specifically.
The consequences of a cyber attack that either accidentally or intentionally ends up impacting the United States will almost certainly go beyond hard military targets and soft government targets. Likely such an attack would spread from public systems to private systems.
A survey of Small Businesses from 2021 found that 60% of Small Businesses that are victims of a cyber attack end up closing their doors within 6 months of the attack.
Businesses need to be aware of the threat landscape they are operating in and create useable disaster recovery and business continuity plans. Insurance companies are beginning to require plans be in place, tested and reported on regularly to get new coverage or renew existing coverage.
An act of war may be excluded from a typical Cyber Insurance Policy, but that would vary based on the insurer and the coverage purchased. Companies that do not have Cyber Insurance policies may eventually be reimbursed by a government program to assist affected businesses. That type of assistance could take years and many businesses would be forced to close their doors before government assistance made it to affected companies.
Creating processes and procedures around data storage, data backup and steps to recover in the event of a catastrophic event should be part of a company’s yearly planning cycle. Putting a test process, review process and “lessons learned” process in place is another step in the road to resiliency. Including an education component for staff and vendors can limit the likelihood that an attack starts or would be furthered as a result of employee error.
There is not a great deal that the everyday Small Business owner can do to affect Russian policy in the Ukraine region. There are steps that we can take to limit the losses that our businesses suffer when a cyber attack ends up spilling over into our spheres of influence.
Stay safe out there.