Stress-testing a business’ preparedness for cyber attack is a crucial part of any risk or resilience function. Cyber incidents are especially tricky to handle, for a number of reasons:
It can take a while – days, potentially – for the facts of the incident to be established, but the shock and concern amongst those potentially affected ramps up as quickly as any other incident-driven crisis.
Depending on the nature of the incident, there can be an especially wide range of internal colleagues to involve, from technical staff to HR, legal to regulator, investor relations to media relations.
Explaining the nature of the vulnerability that has been exploited is a challenge, compounded by hypotheticals and best/worst case assumptions with few known facts.
These are the real-world drivers that clients use in their exercise planning:
The Digital Operational Resilience Act (DORA) is a regulatory framework introduced by the European Union (EU) to help financial institutions tackle cyber attacks and ICT disruptions.
DORA and other frameworks demand:
Cyber exercises are the single best method to test knowledge and coordination of all six of these requirements within large financial institutions.
Groups such as Hunters International, believed to be aligned to Russia, have gone after cash targets such as payment systems and bank networks, whereas other state-sponsored attacks are focused on espionage, as US defense contractors have experienced. The threats emerging from undisclosed vulnerabilities (‘zero days’) are some of the most difficult to guard against, and the geopolitical scale of these attacks obviously dwarfs the resources of all but the largest corporations.
As IT becomes the business, rather than merely enabling it, cyber due diligence becomes ever more important. Systems integration naturally introduces the complexity of more servers in more datacenters, with more suppliers and more users involved. While the task of auditing and securing those digital empires is one for IT, there’s a resilience task to make sure the teams managing them have oversight of what exists and who is supporting and maintaining it, so that vulnerabilities don’t simply emerge from oversights. In a nutshell: it might be a server you inherited, but when it’s breached for want of a software patch, customers will blame the brand they recognise.
The CrowdStrike incident wasn’t the result of a cyber attack, but it highlighted the challenge of integrated digital platforms, customers’ dependence on those platforms, and how one break in the chain can have catastrophic results.
In the rush to adopt AI, businesses are suffering when they are perceived to be making money from other people’s work, or when they are found to be sharing sensitive information online in order to train AI models.
Communication has an important role to play here in being clear and frank with people about the basis on which a digital service is being offered, and how their data is used. Transparency builds trust, while the drip-drip of revelations about a business model can destroy it.
A cyber incident can be managed and trust restored, but lose trust with customers about your fundamental way of operating, and the damage runs much deeper – into your very licence to operate.
Preparation is key.
Scenario-based testing and simulations are a requirement of regulations such as DORA. Stakeholder management is a crucial aspect, whether in an exercise or in the real world.
Take a look at our stakeholder mapping graphic, and let us know what you think.
Find out how we can help your organization be prepared for a cyberattack