If there is a successful cyber-attack, company managers need to relinquish control in the interests of business continuity management. And in other ways, too, this situation calls for a radical rethink at management level, and acceptance of some uncomfortable truths is necessary. Otherwise, the attack will turn into a chronic infection of the company.
No cyber, no business: it might sound slightly contrived, but it’s true. Without working IT, no company is able to function. And without cybersecurity, the IT systems don’t work reliably for long—thus completing the circle.
For this reason, company managers and CEOs need to ensure that business continuity management (BCM) and cybersecurity work hand in hand. That’s because an attack using crypto-malware (ransomware) can be every bit as destructive as water damage or fire damage in a data centre. Fortunately, precisely the same precautionary measure serves to guard against such events: data backups in the Cloud, away from the site of your own data centre.
At least as important as the technical measures are the organisational preparations: a vital part of a BCM plan is identifying who is in charge in the event of an incident and who decides, for instance, whether and when an external service provider is brought in to help ward off the danger. Typically, the answer to that question would be—the MD. However, that brings the threat of a conflict of interests: due to personal liability and the duty to minimise the loss, an MD will generally decide to close down all network connections immediately, to shut out the data thieves.
But this reflex response has dire consequences. That’s because the experts need to be able to observe the criminals going about their work in order to find out where in the network the perpetrators have installed their back doors. If these doors remain open, then once the connection is reinstated the criminals simply walk straight back in again. So this is an instance where the aims of the company (i.e. operating a secure, stable IT environment over the long term) are not in harmony with the aims of the people running the company. Instead of making a member of the top company management the crisis manager, it is better for the CISO (Chief Information Security Officer) or CIO (Chief Information Officer) to take on this role.
It is not only when it comes to the chain of command that company managers may need to bite the bullet. The same goes for decisions on expenditure. It is self-evident that the external specialists referred to earlier—generally forensic IT specialists—cannot be brought on board in an emergency via an elaborate procurement process involving tenders. So the crisis manager needs to have the freedom to commit a previously specified budget as he sees fit. And there is a further preventive action that needs to be taken: it is highly likely that any forensic IT specialists engaged will want to install software on the network that records all data transfers and examines them for anomalies. If management only initiates the discussion with the Works Council as to whether using this software is acceptable once the crisis has struck, then it is losing valuable time and possibly jeopardising the success of this detective work.
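The two preceding paragraphs describe, in management terms, why responders want to keep watching network traffic rather than pull the plug: persistent back doors tend to reveal themselves as connections to destinations never seen before, as regular beaconing, or as abnormal outbound volumes. The following script is an added illustration of that kind of baseline-and-anomaly review, not code from the original article or from any particular forensic vendor. The log format, host names, IP addresses and thresholds are all constructed for the example.

```python
"""Added illustrative example: baseline-and-anomaly review of outbound
connection records, the kind of check that network recording software
performs so that an incident team can locate a persistent back door
before connections are severed. All log lines are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed record format: "<ISO timestamp> <host> <destination IP> <bytes out>"
# A window believed to be clean, used to learn what "normal" looks like.
BASELINE_LOG = [
    "2024-03-01T09:02:11 ws-17 203.0.113.10 4200",
    "2024-03-01T09:15:40 ws-17 203.0.113.10 3900",
    "2024-03-01T10:01:03 ws-17 198.51.100.7 12000",
    "2024-03-01T11:30:55 ws-17 203.0.113.10 4100",
    "2024-03-01T09:05:20 srv-db 198.51.100.7 250000",
    "2024-03-01T13:05:20 srv-db 198.51.100.7 260000",
]

# The window under investigation.
OBSERVED_LOG = [
    # normal-looking traffic to a known destination
    "2024-03-02T09:03:00 ws-17 203.0.113.10 4300",
    # small, regular connections at night to a never-seen address (beaconing)
    "2024-03-02T02:00:00 ws-17 192.0.2.44 512",
    "2024-03-02T02:01:00 ws-17 192.0.2.44 530",
    "2024-03-02T02:02:00 ws-17 192.0.2.44 520",
    "2024-03-02T02:03:00 ws-17 192.0.2.44 515",
    # database host pushing far more data than its baseline (possible exfiltration)
    "2024-03-02T03:10:00 srv-db 198.51.100.7 9000000",
]


def parse_line(line):
    """Split one constructed record into (timestamp, host, destination, bytes)."""
    ts, host, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), host, dst, int(nbytes)


def learn_baseline(lines):
    """Record the (host, destination) pairs seen in the clean window and the
    typical outbound volume per host."""
    pairs = set()
    volumes = defaultdict(list)
    for line in lines:
        _, host, dst, nbytes = parse_line(line)
        pairs.add((host, dst))
        volumes[host].append(nbytes)
    stats = {h: (mean(v), pstdev(v)) for h, v in volumes.items()}
    return {"pairs": pairs, "volume": stats}


def detect_anomalies(baseline, lines, volume_factor=5.0, beacon_min=4, jitter=0.1):
    """Return findings as dicts of three kinds: a destination absent from the
    baseline, an outbound volume spike, and fixed-interval beaconing."""
    findings = []
    flagged_new = set()
    by_pair = defaultdict(list)
    for line in lines:
        ts, host, dst, nbytes = parse_line(line)
        by_pair[(host, dst)].append(ts)
        if (host, dst) not in baseline["pairs"] and (host, dst) not in flagged_new:
            flagged_new.add((host, dst))
            findings.append({"type": "new_destination", "host": host, "dst": dst})
        avg, _ = baseline["volume"].get(host, (None, None))
        if avg is not None and nbytes > volume_factor * avg:
            findings.append({"type": "volume_spike", "host": host, "dst": dst, "bytes": nbytes})
    # Beaconing: enough connections to one destination with near-constant spacing.
    for (host, dst), times in by_pair.items():
        if len(times) < beacon_min:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg_gap = mean(gaps)
        if avg_gap > 0 and max(abs(g - avg_gap) for g in gaps) <= jitter * avg_gap:
            findings.append({"type": "beaconing", "host": host, "dst": dst, "interval_s": avg_gap})
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(learn_baseline(BASELINE_LOG), OBSERVED_LOG):
        print(finding)
```

Run against the constructed data, the script reports the never-seen destination, the 60-second beacon from `ws-17`, and the volume spike from `srv-db`; in a real engagement the recorder would feed it live records, which is exactly the visibility that is lost when connections are cut before such patterns have been observed.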
To be able to focus on the core activity, mastering the crisis, the crisis manager also needs to be released from his otherwise customary reporting arrangements: however understandable it is that the MD or the Board ideally wants to be updated every two hours—the crisis manager is bound not to have the time for that. It’s time that could be better spent on restoring the equation cyber = business. For effective Business Continuity Management, therefore, the management tier needs to surrender control, at least temporarily.