It takes some abstract thinking but let’s give it a shot.
I want you to think of your business as a complex string of interconnected components in a highly complex value chain.
Then, I want you to think about all these pieces and processes – management, finance, communications, marketing, logistics, HR, IT, business partners, customers – and how people and systems constantly interact. Making and moving products; selling and buying goods; coordinating and clearing decisions and so on in an endless flow.
And… now! Pull the big plug. No more sound, no more light, no more business buzz. Just silence and pitch black.
Of course, this harmless little experiment in front of your screen doesn’t come even remotely close to the feeling of being completely shut out of business in the aftermath of a severe cyberattack. But in reality, that is what happens. Companies that have experienced such attacks report a disturbing sense of nothingness in the hours and first days after a devastating cyberattack.
Recent developments in the world have shown an uptick in cyberattacks. What’s even more alarming is that some of these attacks have not been economically motivated, which is usually the case. Their aim has been pure destruction.
This development in threat assessments and risk assessments calls for another approach to digital resilience.
Practice for hurricanes, not light breezes
Today, a lot of companies still invest a lot of money and time in security measures designed to keep cyber attackers out. They are right to do so. It’s also wise to make contingency plans and practice who does what, if/when a cyberattack hits their company. But what many companies fail to do is plan for a true worst-case scenario.
“Often, they practice what it’s like to have single systems and applications individually unavailable, and that’s it. But that’s like preparing for a summer breeze when in fact a hurricane is coming your way,” says my colleague and partner in Deloitte, Anders Morand.
“When a company is put out of business, it’s not only a number of systems and applications or even a datacenter that suddenly plunges into darkness, but all components in the operating model. Phones can be dead, so people can’t communicate. Customers can’t buy products, so from one day to another there is no revenue. Computers are down. Your backup can be compromised. It’s a total lack of control.”
Aim for digital resilience
Digital resilience is a term that describes how to build, prepare, and train for a robust business operation that is designed to ensure that the company can manage and recover from a cyberattack in the best possible way: there is a controlled and agreed way back, first to a minimum viable company and then gradually to business as usual.
The minimum viable company can be seen as the “ugly version” of the company, where only the absolutely necessary processes of the company can run. The fewer and leaner the processes, the better, since the company will be able to reach this state quicker. The purpose of the minimum viable company can, for example, be to provide a service, to generate cash, or to fulfill external requirements.
The blueprint for a digital resilience strategy differs from company to company. It’s something that must be discussed and agreed upon at the absolute top level in each company. That’s also why digital resilience strategies are not something that can be handed over to the IT department to make it their responsibility. It is about the core business and about still running in devastating times.
Keep the business afloat
Top management must address which processes are vital for keeping the business afloat. Salaries? No, that can be arranged. Payment of suppliers? No, that can also be addressed later. Selling and distributing your products or services? Yes. That’s how you are going to stay in business if the attack drags on for many weeks and even months.
Anders Morand again:
“When companies reach out to us after a colossal cyberattack, we can in many cases see that the scenario they prepared for, and the scenario they experienced, were not the same. Their expectations weren’t scary enough. I don’t say this to cry wolf. I say it because we want to give companies advice on what they can expect if they are hit by a severe cyberattack. There is sometimes a fear of looking too hard at how bad a catastrophic attack could be.”
Make investments today
So. What can you do to prepare for an absolute worst-case scenario? What kind of digital resilience is required to run a business in a highly volatile and complex market?
Think of an alternative and minimum viable way to run your business. Usually that will require some level of IT and a communications system. Do you have that in place? I don’t mean as a plan, because plans can take weeks to put into action. You need to make investments today in measures that will allow you to reach the minimum viable company quickly and then go from there, in a structured way, back to business as usual.
Key questions to answer are: Do your top executives know how to get in contact with each other? Can you communicate with your organization if the phones are dead, and the e-mail system is down? Do you know how to set up a primitive sales channel? How can you ship products? Does everyone in the chain know their role in a digital crisis, have they practiced it, and is everyone confident that they can operate despite a significant cyberattack?
And remember: You need solutions in place, not just plans.
Mette heads Deloitte’s Danish Risk Advisory department. Mette has long experience with IT, the public sector, media, and the digitalisation of business strategies. Over the years, Mette has carried out large transformations and infrastructure projects, particularly in the digital area.