Despite the escalated rate and severity of cyberattacks, leaders at most companies have not changed their approach to cybersecurity in the past few years to adapt to the increasingly challenging environment.
The goalposts have changed. And the question leaders should ask themselves is not, “is my data secure?” but “how prepared are we to minimize operational downtime in the likely event of a cyber breach?”
This requires a whole new way of thinking. And a whole new culture change.
Successfully building out a vision of cyber resiliency requires considerable time, thought, and investment into infrastructure, backup solutions, accurate mapping of network and dependencies, planning for the right redundancies, and continuous scenario planning with interdisciplinary teams of IT and business operators.
In other words, leaders need to create a culture of cyber resiliency. Here’s how:
Review your business continuity and/or disaster recovery plans.
Use them (if they exist) to take stock of what’s important. If they don’t exist, now is the time to establish holistic business continuity plans that include cybersecurity. These plans will help set the stage to determine which critical operations require the most investment and attention for cyber protection.
Next, focus on building your all-star cyber resiliency team.
Pull key personnel from IT, operations, sales, executive committees, and external consultants together for working sessions to consider what happens when critical systems are unavailable. Run through scenario planning and table-top exercises. Make sure to document possible impacts across all sectors of the business.
Plan for what recovery would look like in different breach scenarios.
Include specific details on who does what and how in order to get operations back on track after a disruption. Think through all the dependencies that exist for systems, personnel, real estate, and other assets. Estimate how long the recovery process will take and arm yourself with specific information on which services and products will be impacted. The more information you can be prepared with in advance, the swifter and smoother the recovery will be.
Document a detailed communication plan.
This plan should include assumptions like not having access to email, or not being able to look up contacts digitally. Prepare paper copies of critical records and ensure the right backups and redundancies revealed during table-top planning scenarios are in place. You’ll also need a plan to communicate internally and externally.
Address employee training and culture.
There may be a tradeoff between convenience and protection: How will you communicate the value of your efforts, make sure the message is heard, and bring all employees on the resiliency journey with you? For example, it is inconvenient for employees to log in with multi-factor authentication but doing so reduces the company’s risk substantially.
Think specifically about the impact to customers in both a total shutdown and slower recovery scenario.
First and foremost, your customers rely on your company to deliver the services and products they need. Is there a way you can continue to provide services to customers? How can you minimize trust loss? What will you tell them, when, and how will you do it?
Identify the necessary external partners who will need to help you address the breach and expedite recovery.
Most likely that will include outside counsel, a public relations or crisis management team, preferred external technical vendors, and consultants.
In many ways cyber resiliency calls for complete culture change. And that is intimidating.
But now is the time to start making the moves that will fully protect your business from network breaches that could lead to prolonged periods of operational shutdown, lost revenue, unforeseen legal and technical costs, communication chaos, and most crucially, canceled services and missed expectations for customers.
Learn more about how to adopt a cyber resiliency mindset and lead the culture change within your organization by downloading our latest white paper, “The Cyber Resiliency Mandate: Preventing Business Disruption in an Age of Cyberattacks”.