In the last few years, I have noticed a shift in client conversations regarding cybersecurity and what motivates them to review and assess their current security posture and practices.
Three or four years ago, if you asked clients what their biggest fear was if a cyber incident happened in their organization, their answer would have been simple: reputation. Organizations were worried about what it would do to the public perception of their company once they had to notify customers of their compromised information following a data breach. Their customers would naturally have been unhappy to learn about such an incident, and many organizations feared that they would lose business to a competitor that customers would assume to be more secure.
However, today, that may not be the case. The harsh reality is that far more companies have been targets of some sort of cyber incident than haven’t. As a result, some organizations will tell me (off the record of course) “So what? My cyber liability insurance will cover it” to any discussion around reputational impact of a breach – and they’re not wrong.
Many of us have become numb to news of cyber incidents because they are far too common, and most won’t take their business to a competitor on the basis of a data breach alone. Do you still buy your home improvement supplies from places like Home Depot and Lowe’s? Order pizza delivery from Domino’s? When you travel, do you fly American Airlines? What do all of these companies have in common, other than being some of the largest and most popular in their respective markets? They have all been victims of at least one cyber incident. And for each of these household names, there are many more organizations that have been impacted by a data breach and haven’t seen a corresponding drop in popularity.
So, if reputation is no longer the driving force in the cybersecurity conversation, what is?
In my experience, the most useful conversation I’ve had with tech leaders has been around organizational resiliency. “Resiliency” is a term that refers to organizations being able to withstand any “unforeseen occurrence” without destabilizing their operations – and ultimately their ability to serve their customers. The unforeseen can include natural disasters (fire, floods, weather phenomena, etc.) or they could be of a cyber- or IT-related nature like a crypto attack. Most cyber liability insurance doesn’t cover the cost of downtime, so no matter how undeterred customers may be by the idea of a breach, the cost of lost business while down can typically never be recouped.
Organizations are now looking for ways to create a resilient IT infrastructure that can withstand these events while keeping the lights on. When an organization is developing a resiliency plan, they should account for three basic components:
- Cybersecurity Best Practices
- Business Continuity
- Disaster Recovery
Cybersecurity Best Practices
While the overarching motivation may have changed, the definition of what constitutes a secure IT environment still applies. Leveraging strategies like “defense in depth” and regularly assessing your vulnerabilities are still the best ways to mitigate risk. And, as with any good cybersecurity plan, make sure you have a solid awareness program so that your employees become part of your defense rather than your biggest weakness. All of these tools remain critical for mitigating risk to your organization and limiting the chances of bad actors taking your business offline.
Business Continuity
Business continuity planning is a process that goes beyond the IT department. Instead, such a plan examines the other operational needs of your business during these “what if” scenarios and develops mitigation tactics that can help keep your business and employees safe. How would you handle a flood at your location? Where would your team members go? Would they have what they need to work from an alternate site? Do team members know how to get there? How would the news get communicated? The answers to all of these questions are designed to ensure that your organization has access to the resources it needs to continue operating, whether it’s related to IT or to ensuring that every employee has the space, seats, desks, and other resources they need to be effective. This kind of planning requires ongoing attention and updates, but it is critical to the resiliency model.
Disaster Recovery Plan
The disaster recovery plan takes us back into the IT department and looks at the applications and data that drive the business itself. What applications do you use the most? How critical are those applications? If you needed to restore applications and/or data, in what order should you do so? What’s the higher priority? Said another way, disaster recovery planning asks that you provide an answer to “How long could we survive without _______?” Once you have an answer, a protocol should be communicated to your IT department so that they know how to triage restoration of access to systems, applications, and data.
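The triage question above (“How long could we survive without _______?”) can be turned into a concrete restoration runbook. The following Python is an added example, not code from the original post or any product it mentions; the application inventory, the downtime figures, and the dependency links are all constructed for illustration. It goes one step beyond the text by also accounting for dependencies: a shared system such as a directory service may have a relaxed tolerance on its own, but it must be restored first if something urgent depends on it, so each system inherits the tightest deadline of anything built on top of it, and the runbook is ordered by those effective deadlines while never listing a system before the ones it needs.

```python
import heapq
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class App:
    """One line of the inventory: the answer to 'how long could we survive without it?'"""
    name: str
    max_downtime_hours: float          # tolerable outage for this system on its own
    depends_on: Tuple[str, ...] = ()   # systems that must be back before this one can work


# Constructed sample inventory (hypothetical systems and figures, not from the original post).
SAMPLE_INVENTORY: List[App] = [
    App("active-directory", 72, ()),
    App("erp-database", 48, ("active-directory",)),
    App("order-entry", 4, ("erp-database", "active-directory")),
    App("email", 24, ("active-directory",)),
    App("payroll", 120, ("erp-database",)),
    App("intranet-wiki", 168, ("active-directory",)),
]


def _dependents(apps: Dict[str, App]) -> Dict[str, List[str]]:
    """Reverse the dependency edges: for each system, who relies on it."""
    out: Dict[str, List[str]] = {name: [] for name in apps}
    for app in apps.values():
        for dep in app.depends_on:
            if dep not in apps:
                raise ValueError(f"{app.name} depends on unknown system {dep!r}")
            out[dep].append(app.name)
    return out


def effective_deadlines(apps: Dict[str, App]) -> Dict[str, float]:
    """A system must come back at least as soon as the most urgent thing that depends on it."""
    dependents = _dependents(apps)
    memo: Dict[str, float] = {}

    def eff(name: str, stack: set) -> float:
        if name in memo:
            return memo[name]
        if name in stack:
            raise ValueError(f"dependency cycle through {name!r}")
        stack.add(name)
        value = apps[name].max_downtime_hours
        for child in dependents[name]:
            value = min(value, eff(child, stack))
        stack.discard(name)
        memo[name] = value
        return value

    for name in apps:
        eff(name, set())
    return memo


def restoration_order(inventory: List[App]) -> List[Tuple[str, float]]:
    """Return (system, effective deadline in hours) in the order IT should restore them.

    Dependencies are respected (a system never precedes what it needs); among systems
    that are ready to restore, the one with the tightest effective deadline goes first.
    """
    apps = {a.name: a for a in inventory}
    deadline = effective_deadlines(apps)          # also rejects cycles
    dependents = _dependents(apps)
    remaining = {name: set(a.depends_on) for name, a in apps.items()}

    # Min-heap keyed on (deadline, name) so ties are broken deterministically.
    ready = [(deadline[n], n) for n, deps in remaining.items() if not deps]
    heapq.heapify(ready)
    order: List[Tuple[str, float]] = []
    while ready:
        dl, name = heapq.heappop(ready)
        order.append((name, dl))
        for child in dependents[name]:
            remaining[child].discard(name)
            if not remaining[child]:
                heapq.heappush(ready, (deadline[child], child))
    if len(order) != len(apps):
        raise ValueError("unrestorable systems remain (dependency cycle)")
    return order


if __name__ == "__main__":
    for step, (name, dl) in enumerate(restoration_order(SAMPLE_INVENTORY), start=1):
        print(f"{step}. {name:<18} restore within {dl:>5.0f} h")
```

Note how the directory service, with a 72-hour tolerance of its own, lands first in the runbook because the 4-hour order-entry system cannot function without it; ranking by the raw answers alone would have put it near the end. Re-run this whenever the inventory changes, and treat a cycle error as a sign that the inventory, not the script, needs fixing.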
Lastly, all of these items have to be rigorously tested. Pick a partner to scan your environment for vulnerabilities in your cybersecurity protocols. There will be some, but don’t panic; it’s better to know where the holes are before bad actors do. An effective partner can help you build a plan to remediate those vulnerabilities and schedule another assessment. For business continuity and disaster recovery planning, you should regularly schedule training exercises to ensure the plans remain effective. Set aside days for mock exercises that test your ability to execute those plans. Review the results and create a list of lessons learned.
Remember, this is not a set-it-and-forget-it process. True resiliency planning requires your investment in time and resources to keep it up to date. Your customers will thank you for it.