How does business recover from a large-scale cyber security disaster?

Corporations need to get three things right in cyberspace: protect their valuable information, ensure that business operations continue during disturbances, and maintain their reputation as trustworthy. These goals support one another and enable successful utilization of the digital world. Yet, due to its dynamic nature, there is no absolute security in cyberspace. What to do when something goes wrong? The best way to survive a blast is to prepare for it in advance.

Cyber security requires transformed security thinking. Security should not be seen as an end-state, achieved once through tailored investment in technology, but as an on-going process that needs to adapt to changes in the environment. Effective security production is agile and innovative. It aligns cyber security with the overall business process so that the former supports the latter. When maintaining cyber security is seen as one of the corporation’s core managerial functions, its importance is raised to the correct level. It is not only IT managers and officers who need to understand cyberspace and realize how it relates to their areas of responsibility.

The cyber security point of view can be integrated into the business process, for example, by constructing and executing a specific cyber strategy for the corporation. This should start with enablement and consider the opportunities that the corporation wishes to take advantage of in the digital world. It should also recognize threats in cyberspace and designate how these are counteracted. The strategy process should be led by the highest managerial level, yet be responsive to ideas and feedback from both the operational and technical levels of execution. Thus the entire organization will be committed to the strategy and feel it has ownership of it. Moreover, the strategy will be realistic, neither attempting to reach unachievable goals nor relying on processes whose construction is technically impossible.

It is a common practice for corporations to do business continuity planning. However, operations in the digital world are not always included in this, regardless of the acknowledged dependency on cyberspace that characterizes modern business. There seems to be a strong belief in bits: that they won’t let us down. The importance of a plan B is often neglected, and the ability to operate without a functioning cyberspace is lost. What plan B, an essential building block of the cyber strategy, should contain are the guidelines for partners, managers and employees in case of a security breach or a large cyber security incident. What to do; whom to inform; how to address the issue in public?

Plan B should include enhanced intrusion detection, adequate responses to security incidents and a communication strategy. Whom to inform, at what level of detail, and at which stage of the recovery process? Too little communication may give the impression that the corporation is trying to hide something or isn’t up to date with its responsibilities. Too much communication at too early a stage of the mitigation and restoration process may lead to panic or exaggerated loss estimates. In both cases the reputation of the corporation suffers. Openness and correct timing are the key words here.

A resilient corporation is able to continue its business operations even when the digital world does not function the way it is supposed to. Digital services may be scaled down without the customer experience suffering too much. Effective detection of both breaches and the associated losses, together with fast restoration of services, not only serves the corporation’s immediate business goals but also projects good cyber security. Admitting that there are problems while simultaneously demonstrating that the necessary security measures are being taken is essential throughout the recovery period. So is honest communication to stakeholders at the right level of detail.

Without adequate strategy work and its execution, the trust felt towards the corporation and its digital operations is easily lost. Without trust it is difficult to find partners for cyber-dependent business operations, and customers turn away from the corporation’s digital offerings. Trust is the most valuable asset in cyberspace.

Planning in advance and building a resilient business entity safeguard corporations from digital disasters. If such a thing has already happened, it is important to speak up, demonstrate that lessons have been learned, and show what is being done differently from now on. The corporation must listen to those who have suffered and carry out its responsibilities. Only this way can market trust be restored.

- Jarno