The news over the last few years has been full of stories relating to such disasters and the horizon scanning conducted to identify top business threats consistently ranks these issues at the top of concerns. So when, in the wake of the global WannaCry cyber attack that impacted health services in the UK, the UK Home Secretary said “Lessons must be learned” it begs the question why have they not already been learned and what are they?

The more positive news is that like all threats, hazards or vulnerabilities, cyber risk can be managed. In this digital age, cyber resilient organisations balance and manage their cyber risk, whilst maximising the opportunities presented by data processing, storage and transmission. But, just as Darwin saw that survival was based on the response to change, so must we evolve our approach to  the cyber challenge.

Addressing Cyber Basics

Many organisations imagine they have addressed the fundamentals of cyber security. This has nearly exclusively remained in the world of IT and concentrated on attempting to prevent attacks being successful. It has, as a result, tended to focus on technical solutions such as firewalls, patching, back ups and technical incident response procedures. In the minds, therefore, of many senior managers Cyber Security is something they don’t need to know much about, don’t really understand and believe is owned by casually dressed and baseball cap wearing people operating in dark rooms in the basement. As technically challenging as cyber security is it is not the sole domain of the IT department. The very fact that cyber attacks and data losses continue to occur points to the need for enhanced levels of senior management (C Suit) proactive engagement. There is a responsibility on senior managers to be able to appropriately assess the risks and interrogate the protective solutions developed by IT and others. That means senior managers need to know the difference between malware, ransomware and botnets and what the protection put in places offers and does not offer. Not all cyber risks, however, emanate from the world controlled by your IT department. The risks, as points of entry for a cyber attack, posed by the internal threat, social engineering of staff and supplier breaches highlight the softer areas that need to be addressed through training, awareness and good old fashioned security.     

Senior managers therefore need to be able to take informed risk based decisions to address any cyber threat gaps. They also need to be able to take timely strategic decisions during a crisis. For example provisions, such as implementation of the IT Disaster Recovery arrangements, often come with costs (money, limited capacity and perception/reputation impacts) and bring associated time penalties when eventually returning to normality. That makes them senior level decisions and so the C Suit needs to understand these provisions and their limitations so they can take those decisions.

The True Cyber Challenge

If you’re serious about your business and dealing with cyber threats and data loss risks, you’ll have response plans in place. These plans will consider how the technical response to a cyber attack or data loss will unfold, including how detection and escalation will occur. They will go further than this however by setting out how the response across the organisation will be coordinated to ensure continuity of critical services and products. Lastly, they will establish the processes by which the externally facing issues, including communications and reputation, will be coherently addressed. Do you have this level of planning and team capability? Is it integrated? Have you rehearsed the teams and plans – together – not in isolation? Are your staff skilled in detecting when your cyber defences may be breached?  Do you know how and when to escalate and invoke other response plans?  How will a cyber-disruption impact on your business continuity?  How will you make decisions and communicate? What about protecting your reputation (and your share price)?

The Solution

The integration of cyber-risk, cyber-security, incident management, crisis management, business continuity and recovery planning (to name just a few) is the best way to better (cyber) resilience. Seasoned people, plans and processes are fundamental to building this capability; and this seasoning is developed through training, exercises and a relentless attention to ongoing improvement and integration.

So will lessons really be learned, or will it be more of the same?