Companies today are racing the clock to anticipate and de-fang cybersecurity threats before they happen. Organizations are taking proactive steps, but too many public and private organizations still respond to a breach or hack in an unprepared and fragmented way once the crisis extends beyond its technical impact.
The reason? Inadequate organization-wide strategic preparation and response, and a failure to think through the business-wide implications. All too frequently, corporate leaders delegate crisis planning and response to IT employees because they mistakenly consider cybersecurity to be solely IT’s domain. IT teams will then, understandably, create deliverables and respond to a crisis in a highly technical way. Consequently, the investment in breach preparation, and in the infrastructure to prevent and address breaches, becomes siloed in these offices.
The fact is that a data incident could have a far-reaching, existential effect, but corporate and government leaders still aren’t making data breach response planning a priority for their entire organizations. For example, a recent survey of global executives found that only 37% of respondents said they have an incident-response plan in place. In reality, these are the executives who could be decision-makers during the crisis because the integrity of the business is at risk.
The widespread increase and impact of data security breaches in business and government over the last decade have spawned a renewed focus on crisis preparedness and response efforts to protect company data, intellectual property and other electronic assets. Common steps include making major organizational changes such as hiring a chief information security officer (CISO) and building staffing around this role, investing in and leveraging technology to secure and monitor systems and infrastructure, and preparing for worst-case scenario breaches. Yet these efforts still lag behind the planning for more traditional crises, such as natural disasters, supply chain interruption and workplace violence. This needs to change — and fast.
While the IT staff may perform these tasks at a stellar level, their good work will inevitably not account for the big-picture, organization-wide view that the C-suite should apply to a cyber incident that could pose the highest level of enterprise risk. Indeed, breaches can impact operations across the board to the point that they significantly impair a business or even force it to shut down.
Preparing only one area of an organization for cybersecurity creates the potential for a less coordinated, more confusing response where, quite literally, the left hand may not know what the right hand is doing. And, in the more severe data security breaches, the problem is not just a technical or access issue; the consequences reach every part of the business. According to a CSIS study, companies around the world lost $445 billion from cyber incidents.
Isolating cyber incident planning and potentially a resulting crisis response to IT stands in sharp contrast to the kind of crisis planning for which organizations usually train, such as employee strikes or factory malfunctions. For those types of incidents, strategic and operational planning is elevated to take a holistic approach, tightly coordinating all internal stakeholders. It’s time to follow the same approach for cyber crises.
Leaders of PwC’s Global Crisis Centre work directly with clients to focus on the business impacts of a crisis, whether it starts with a cyber incident or another trigger, as well as on the technical or tactical details that need resolution to get back to business as usual. Because a cyber incident can have a far-reaching impact on the whole organization, corporate leaders should consider taking the following steps toward more holistic and effective cyber incident preparation:
First, move cyber incident planning outside of the exclusive IT domain and treat it as a business-wide crisis-planning exercise. Management should identify the key internal stakeholders, ensure they know each other, and integrate them into organization-wide preparation and response efforts.
A cyber incident preparedness and response plan must be consistent with the organization’s other plans for dealing with threats to overall business operations. It could take the form of a separate plan or be a part of the company’s larger crisis planning playbook. Executive leadership should be predetermined – and a senior leader who’s appropriate for one type of crisis may not be best for a cyber incident. Decide this in advance.
Cyber incident preparation is every employee’s business. Not only should companies hold regular training about cyber threats, safeguards and appropriate steps for all employees (not just the data incident response team), but they should try to incorporate awareness into daily work life, including through creative apps or plug-ins.
Training exercises and simulations are great ways to get executives and staff familiar with the steps to take and the complex issues to address in a cyber incident that could create an organization-wide crisis. The exercises should focus on a cyber incident that may evolve into a broader crisis, so that participants practice both the technical response and the business-wide crisis response, and the interplay between the two.
Organizations that confine cyber incident planning to their technical employees are in danger of missing the big picture and risk greater damage to their reputation and business, along with higher recovery costs. Clearly, the IT team needs to drill down on the technical aspects of preparedness, and it is equally key that executive leadership connect the company’s legal, compliance and risk personnel so that everyone is engaged with each other in a time of calm.
Overall, the recommended approach is to elevate planning to an organization-wide priority, view cyber incidents as part of a greater landscape of crises for which to prepare, and see it for what it is – a potentially bet-the-company challenge.
Principal, Cybersecurity & Privacy, PwC US