4 ways to prepare against cyber attacks
1. Align your response team. Swift coordination in a high-pressure situation requires a defined decision maker. The CEO needs to know when that decision-making power should sit with her and how the critical details that inform those decisions will reach her. When a business unit incident affects a global customer base and requires regulatory notifications in several jurisdictions, that responsibility can easily get muddled.
The smoother the public response, the shorter the public follow-up cycle and scrutiny. That only comes with practice.
2. Consider the tough decisions. You want to be able to offer your customers something in response to a potentially protracted disruption. The first debate about exactly what that offer will be should not happen under the pressure of a tight deadline. As with any critical decision that could affect your long-term reputation with customers and employees, understand the likelihood of risks and weigh how you could respond.
When would you advise customers of a potential risk? When should you inform the market, given that it may be some time before you have a complete picture? How often should you communicate during the disruption? How will disclosure affect different parts of the business? You have to be prepared to communicate clearly but cautiously, and your first communication has to be accurate.
How would issues in different regions drive decisions? Global companies must reconcile the different cultural and geopolitical expectations about how much information each market expects to receive when a cyber incident hits. Which of your markets will guide your response strategy? How would you respond to extortion? Does your executive team agree on how you would respond to threats of extortion? Would you take a public stance of refusing to pay ransom, and is that stance more effective in your key markets?
3. Get to grips with the potential consequences. With the right questions, you can understand where you are most at risk of a cyber incident. That should inform both how much you invest in mitigating key risks and how you prepare to respond. If a phishing attack could grant access to sensitive IP critical to your business, extra defenses and training are required. Are those most sensitive systems the first ones your information security team would check on notice of potential unauthorized access? Do you appreciate the level of complexity involved in working out what could have been accessed? Where will you need to be prepared to offer compensation, and how much?
4. Increase your IT security literacy. There is a call to action for boards to increase their understanding of the cyber risks their companies face, and to do that they need to understand their current defenses. This extends to the preparedness of the members of your supply chain. In the case of a cyber incident, the brunt of the blame falls on the victim of the attack – not the perpetrator.