Malware attacks are wreaking havoc on the international economy and costing businesses billions of dollars in lost revenue, operational shutdowns, and reputational damage. You may well have experienced an episode like this at your own firm. The latest industry research indicates that 50% of surveyed executives experienced disruptions from malware 6-10 times over the past five years.
And while many executives are highly attuned to the customer expectation and compliance requirements of protecting personal data, focusing on data protection alone is not enough to contain the full extent of the damages.
The best way to deal with inevitable security incidents and breaches is to make your network and your business resilient. This means taking a company-wide, high-level approach when evaluating your network’s interdependencies and vulnerabilities. In many cases, it means changing your organization’s culture.
But taking a fresh approach to cybersecurity — and adopting a cyber resiliency mindset — is critical to mitigating the operational impact of network breaches.
Even organizations that have invested in cybersecurity and consider themselves ready to combat attacks often view security too narrowly. They focus exclusively on data protection and regulatory compliance at the expense of a truly holistic, evaluative approach to the interdependencies and vulnerabilities across their business operations.
Look closely at recent breaches and you’ll see that companies affected by the theft of customer data (with few other business disruption effects) ultimately recovered quickly and maintained customer trust. Those involving significant interruption of business operations resulted in consequential losses and serious reputational damage.
The common solutions most reach for — buying additional software or hiring more engineers — fall short of what’s needed to address the full scope of cybersecurity threats while also ensuring operational resiliency.
The solutions companies must look at are not necessarily “cyber,” as they don’t require additional software or engineers. To successfully build out a vision of cyber resiliency, the effort must include considerable time, thought, and investment in infrastructure, backup solutions, accurate mapping of the network and its dependencies, planning for the right redundancies, and continuous scenario planning with interdisciplinary teams of IT and business operators.
Instead of responding crisis by crisis, leadership teams must take a farsighted view and recognize the question of cybersecurity and resilience for what it is — a foremost priority for long-term investment. It’s as critical to a business’ long-term success as careful budget management.
Consider ways to improve communication to facilitate the right actions and investments. By nature, boards and executive teams are concerned by what they can’t see or don’t understand. Are they asking the right questions? How can your IT and operational teams do a better job of presenting information and risks in business terms? How will you secure the necessary funds for consistent, long-term investments for resiliency?
Finally, and perhaps most significantly, adopting a cyber-resiliency mindset will have you reconfiguring teams, creating new action plans, and implementing regular systems tests and drills. Resilience is about redundancy and protection, often at the cost of convenience. It is inconvenient for employees to log in with multi-factor authentication — but doing so reduces the company’s risk substantially.
Start addressing the gaps revealed during scenario planning, document priorities, and determine a course of action. For example, if you run a hospital you might print backup records of each admitted patient so that treatment can continue for active patients, even if your Electronic Health Record (EHR) system goes down.
More broadly, think through your backups — what data is critical, where is it stored, and how you can optimize for the availability of data. Attackers often prioritize finding and encrypting backups as their first tactic to make victims more likely to pay the ransom. Plan for and run a full-scale test to practice shutting down different data systems and getting backup plans in place.
Document the dependencies. Scenario planning should be done at least annually — perhaps every six to nine months. The table-top security team should plan to move from theoretical discussion to real drills and tests. Every time aspects of the business change (new manufacturing system, different logistics supplier, etc.), the table-top plan should also be adjusted.
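The backup and dependency review described above can be made repeatable rather than left to discussion. The following is an added example, not code from the white paper or its authors: it runs a small readiness check over a constructed inventory of critical datasets, flagging a dataset that has no offline or immutable copy (a copy an intruder on the network could encrypt alongside production does not count), one whose restore has never been tested or was tested too long ago, and a copy whose content no longer matches the hash recorded when it was written. The dataset names, locations, dates, and the 90-day restore-test window are all assumptions chosen for illustration.

```python
"""Backup-readiness review over a constructed inventory (added example)."""
import hashlib
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class BackupCopy:
    location: str          # hypothetical storage location
    isolated: bool         # True if offline, air-gapped or immutable
    content: bytes         # constructed stand-in for the backup payload
    recorded_sha256: str   # hash recorded when the copy was written


@dataclass
class CriticalDataset:
    name: str
    owner: str                                # business owner in the table-top drill
    last_verified_restore: Optional[date]     # None if never tested
    copies: List[BackupCopy] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def review_dataset(ds: CriticalDataset, today: date,
                   max_restore_age_days: int = 90) -> List[str]:
    """Return the resiliency gaps found for one dataset (empty list = no gaps)."""
    findings: List[str] = []
    # A backup that shares the production network's blast radius is not a fallback.
    if not any(c.isolated for c in ds.copies):
        findings.append("no offline or immutable copy")
    # A backup that has never been restored is an untested assumption.
    if ds.last_verified_restore is None:
        findings.append("restore never tested")
    else:
        age = (today - ds.last_verified_restore).days
        if age > max_restore_age_days:
            findings.append(
                f"last verified restore is {age} days old (limit {max_restore_age_days})")
    # Recompute each copy's hash; a mismatch means it was altered or corrupted.
    for c in ds.copies:
        if sha256_hex(c.content) != c.recorded_sha256:
            findings.append(f"copy at {c.location} fails integrity check")
    return findings


def review_inventory(datasets: List[CriticalDataset], today: date,
                     max_restore_age_days: int = 90) -> Dict[str, List[str]]:
    """Map dataset name -> findings, including only datasets with at least one gap."""
    report: Dict[str, List[str]] = {}
    for ds in datasets:
        findings = review_dataset(ds, today, max_restore_age_days)
        if findings:
            report[ds.name] = findings
    return report


# Constructed review date and inventory; none of these values are real.
REVIEW_DATE = date(2024, 3, 1)


def build_sample_inventory() -> List[CriticalDataset]:
    ehr_payload = b"constructed EHR dump v7"
    orders_payload = b"constructed orders export v3"
    payroll_payload = b"constructed payroll export v12"
    return [
        # Healthy: one online copy plus an intact tape copy, restore tested 46 days ago.
        CriticalDataset("ehr-database", "clinical-ops", date(2024, 1, 15), [
            BackupCopy("nas://backup01/ehr", False, ehr_payload, sha256_hex(ehr_payload)),
            BackupCopy("tape://vault/ehr-weekly", True, ehr_payload, sha256_hex(ehr_payload)),
        ]),
        # Worst case: only an online copy, never restored, and its content was altered.
        CriticalDataset("logistics-orders", "supply-chain", None, [
            BackupCopy("nas://backup01/orders", False,
                       orders_payload + b" (altered)", sha256_hex(orders_payload)),
        ]),
        # Isolated and intact, but the last restore drill was 152 days ago.
        CriticalDataset("payroll", "finance", date(2023, 10, 1), [
            BackupCopy("s3-objectlock://payroll", True,
                       payroll_payload, sha256_hex(payroll_payload)),
        ]),
    ]


def run_review() -> Dict[str, List[str]]:
    return review_inventory(build_sample_inventory(), REVIEW_DATE)


if __name__ == "__main__":
    for name, gaps in run_review().items():
        print(name)
        for gap in gaps:
            print("  -", gap)
```

In practice the inventory would be generated from the backup system and the dependency map rather than typed in, and each finding would be assigned to the named business owner so the gap is closed before the next drill rather than rediscovered during it.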
In the event of an attack, do you have a cyber-resiliency plan in place to recover, and to recover quickly? How do you maintain trust with your customers? How can you minimize exposure and operational downtime?
Learn more about how to take a fresh approach to cybersecurity and create change within your organization by downloading our latest white paper, “The Cyber Resiliency Mandate: Preventing Business Disruption in an Age of Cyberattacks”.