Boards: Don’t mistake business continuity plans for an effective resilience strategy in the face of growing cyber threats

The Covid-19 pandemic taught us all that life can change in the blink of an eye. 

Experts may, after outbreaks of avian flu or Ebola, have warned of the future prospect of a global pandemic, but few predicted the severity of Coronavirus. Even fewer prepared for it. We were left wondering why we hadn’t been better prepared to deal with the challenges of the last two years. Life is full of such events. The details may be unforeseeable, but pandemics, financial volatility and extreme weather are, in outline, predictable bumps in the road, and we should be able to respond to them as such. Put simply, board members need to be thinking about long-term resilience strategies.


Agility is no substitute for preparedness. Critical events can have devastating consequences for global organizations (or indeed entire nations) when they’re caught unprepared. The speed with which the unsung heroes of IT departments across the world were able to pivot to working from home at scale should not disguise the fact that few, if any, had planned for the scenario.   


After the 2007/2008 financial crisis, in which governments were forced to bail out under-capitalized banks, global regulators forced institutions to build financial resilience. They tried, not wholly without success, to incentivize banks to prioritize long term stability and growth over short term gain. More recently, regulatory focus has shifted to operational resilience, forcing banks and financial institutions to factor in the severe scenarios that they might otherwise discount as unlikely.  


As banks have become increasingly digital, closing smaller branches in the name of efficiency, their preparedness to meet cyber threats and IT issues has become of particular concern. No one wants a repeat of the April 2018 IT meltdown at TSB bank in the UK, the result of a badly executed IT upgrade, which left almost three million customers locked out of their accounts for days.    


We are at the stage now where boards need a well-considered resilience strategy. They need to assume the worst and commit sufficient resource, energy and strategic know-how to protect their long-term interests. They need to be able to prepare for, respond to and recover from all threats, including the most severe, by investing time and resource not just in preventing bad things from happening, but in planning for the case where those efforts fail. This is no time for complacency.


Cyber threats merit a special mention. With the rise in working from home over the last two years, reliance on functioning and secure IT systems has never been greater. The pandemic has accelerated the trend towards digitalization, just at a time when organized criminal enterprises, operating from out-of-reach jurisdictions, have recognized the lucrative proposition represented by ransomware attacks. It has never been more important to have a cyber resilience strategy in place. 


What is resilience? 

The intelligence community in the United States has been talking about the idea of IT resilience since the 1960s. I know the theme of cyber resilience is a prominent one, but I believe people lose sight of the fact that if you don’t have IT, you don’t need cyber. Cyber is all about those things that can be done to protect anything that resides on the network itself. That could be the network, the connected endpoints, the data, etc. All those things come under the banner of ‘cyber security’. In the old days we called it information security. It wasn’t really until the age of the internet that we started talking about cyber, which has become something of a buzzword now. 


So, IT resilience is obviously crucial to organizations. Simply put, IT must continue to work when things fail, and the cause of the failure might be a cyber attack, a hardware fault or a software defect. Cyber is arguably the most important sub-sector of operational resilience for businesses. Traditional cybersecurity measures have proven themselves insufficient to protect organizations from smarter, more aggressive, and more agile adversaries.  


But we are in a place now where cyber is a regular agenda item in the boardrooms of major corporations. Board members understand the severity of the threat and the reputational and regulatory consequences of becoming the victim of such an attack. Cybersecurity is a world in which ‘blaming the victim’ is quite acceptable. But boards are now moving beyond a conversation about preventive and detective measures and are beginning to ask their CISOs and CIOs: What if those things don’t work? If your controls fail, what’s your response? How do you recover? It’s a new mindset in which we assume that a major event, a near disaster, is going to happen and want to understand how we would deal with it. This discussion goes beyond an organization’s business-as-usual business continuity planning.  


The right board-level discussion does not center on the technical measures in place to restore business service, although that is clearly an important dimension. The discussion needs to focus equally on communications, both internal and external. How much to say, and to whom? Insurance cover, legal liabilities, and decisions around, for example, paying a ransomware demand should all have been rehearsed and thoroughly discussed in advance of a real crisis, when the red mist of war will likely cloud the best collective judgment.    


Whose responsibility is resilience? 

The idea of cyber resilience is still in its infancy, even though broader IT resilience is something that has been discussed for 50 years or more. Regulators in the UK and the US are certainly leading the way, but there remains much work still to do. Other jurisdictions are beginning to turn their attention to the same challenges, at both a national and an enterprise level. The threats span government and enterprises. We need a concerted response from both if critical national infrastructures are to be properly protected and to build the resilience to bounce back from major events. As the supply chain issues of recent months have demonstrated, the economic ecosystem can no longer be dealt with ad hoc and piecemeal. The weakest link really will cause unforeseen damage.   


There is a temptation for boards to think that because they survived Covid-19 and pivoted to new ways of working with surprising ease, they’ll be set up to manage through other major disruptions. But while the pandemic has been a test case for operational and cyber resilience, we should recall that in early 2020, Covid-19 was actually a fairly slow-moving crisis with lessons being learned from one territory to the next. Global institutions were able to essentially switch working practices at a relatively comfortable pace – days and weeks rather than minutes and hours. A cyber virus would certainly not move at such a leisurely pace. 


The cost of data breaches 

With the average cost of a data breach standing at $4.24m according to IBM’s Cost of a Data Breach Report 2021, the really big challenge businesses are facing is data recovery. Some institutions are spending upwards of $100m fixing the damage of an attack. For businesses that take cybersecurity seriously, cyber resilience is an important step, and there is no doubt that a resilience strategy helps your business to reduce the risks, financial impact and long-term reputational damage of an attack. Resilience has many strands for a modern business, and cyber resilience is just one piece of that puzzle.  


As the threat landscape expands, those that are able to plan ahead and commit to long-term resilience will likely be the winners in this game of cat and mouse.  


About the Author

Bob Flores is at Applicology, OODA LLC, and 2020Partners. Prior to working at 2020 Partners, Bob spent 31 years at the Central Intelligence Agency. While at CIA, Bob held various positions in the Directorate of Intelligence, Directorate of Support, and the National Clandestine Service.  Toward the end of his career, Bob spent three years as the CIA’s Chief Technology Officer where he was responsible for ensuring that the Agency’s technology investments matched the needs of its mission. In addition to his senior level leadership and management positions, Bob’s career included assignments in applications programming, training and education, contract and project management, and both line and staff management roles at various levels of the Agency.