In our latest Outsmarting Uncertainty webinar series, we delved into what makes a smarter strategic approach to decision making in the face of three geopolitical risk scenarios, examining the dilemmas facing business leaders in moments of global crises. In this insight, we’ll look at the third scenario, one involving a cyberattack, having considering two scenario in a previous insight.
In the live webinar we used ancient Greece to establish the backdrop and escalation of events and the decisions facing an imagined business in that era. For the purposes of this insight, we’re simplifying the stories, treat these territories and business as hypothetical countries not based on any specific locations, but with features recognisable to global organizations today, putting you in the shoes of senior decision-makers. Our aim throughout is to reveal some best practice approaches and practical frameworks to help your business remain resilient in the face of disruptive global events.
Let’s imagine you run a port and there’s a sophisticated cyberattack targeting ships’ on-board navigation systems as well as your own. Many vessels have to drop anchor at sea for days and await technical support. Port staff get messages saying their IT systems are locked, and error messages suggest your data is now encrypted. Nobody can get into any of the IT systems they need to do their jobs. The port is effectively closed.
The cyberattack is showing a high degree of planning and technical ability. It’s too early to be certain who is responsible, but you suspect these attacks are geopolitically motivated. Leaders will be under pressure to demonstrate their strength and sure-footedness in light of the attack, without aggravating the situation.
A cyberattack can quickly cost, both financially and reputationally. In the face of cyberattack, you need to make some critical decisions on your next steps, and you need to make them quickly, no matter what the geopolitical sensitivities.
It’s essential ahead of any cyber crisis, your organization establishes and maintains a thorough crisis management plan in the face of evolving cyberattacks. This plan should ensure you bring the right leaders together with a clear purpose and a range of pre-prepared trigger points, actions and resources to call upon. It should also specify what services you need to prioritize in your response and recovery effort.
In the absence of a comprehensive and well-tested crisis management plan, the other paths your senior leadership could take might include doing nothing or opting to voluntary shutting down your entire corporate network. Doing nothing is not an option. This would only make matters worse. And while a voluntary shutdown of your entire corporate network may make sense in a security context, it could prove a step too far, likely leading to further outages and downtime.
Given cyber incidents happen quickly and can escalate rapidly, first and foremost, senior leaders need to be ready for an immediate response. In the often stressful and frenetic atmosphere of being under cyberattack particularly when nation states are implicated, your board needs to have comfort in the readiness of both their crisis management plans and their overall response and recovery approach.
Testing your plans is also critical, allowing you, and the business, to interrogate the its efficacy in a controlled environment and can provide assurances to senior leader the business can be sufficiently responsive to a range of cyber incident and threat types.
Where you identify gaps in your response efforts, update your plan, and then conduct a further test. Also, consider what external, specialist support you might require for your cyber incident response, ensuring you’re aware of every third party – such as forensics, ransomware negotiation and payment professionals, communications and PR specialists, legal advice, government agencies – and what they do and, critically, what they don’t do.
In alignment to that plan, you can also look to develop a cyber crisis management playbook for your senior leadership team. This tailored guide should avoid technical jargon and the complexities of a typical cyber incident response plan and instead provide clear guidance for how they can achieve their objectives.
To demonstrate strong leadership and control of cyberattack situations, you should also develop a series of pre-agreed holding statements for a range of scenarios. You can use these at short notice for both internal and external audiences, allowing the board to focus their time and energy on the real issues at hand – keeping the business afloat.
While cyber insurance is not a substitute for day-to-day cyber security and risk management, it is there to support exactly these types of scenarios, covering losses and providing technical expertise to support you and ensure your response effort is immediate and effective.
Read the first insight in our Outsmarting Geopolitical Uncertainty mini-series.
Listen to our experts discuss board-level responses to geopolitical risk in our recent podcast. And to speak to our political risk specialist, get in touch.