Effective cyber resilience means thinking beyond the IT department

20 Nov 2019

Article by CQR Consulting chief technology officer and co-founder Phil Kernick

Ask a group of Australian business executives who should be in charge of their organisation’s cyber resilience plan and the majority are likely to point to their IT department.

They think resilience is all about keeping the servers humming and data flowing through networks.

Yet, while the IT infrastructure is certainly a critical component of any business, a cyber resilience plan needs to extend much further.

To be effective, it needs to cover all parts of an organisation and involve everyone from the CEO to the reception desk.

This is because potential disruptions are not limited to IT-related incidents.

They could arrive in the form of extreme weather, a supply chain failure or electricity outages.

You only have to look at events such as storms in South Australia or cyclones and floods in Queensland to see the potential for business disruption and loss.

For this reason, it’s worth investing time and resources now to put in place a comprehensive and effective business resilience plan that will ensure operations can continue should an incident of any type occur.

The key steps involved in developing such a plan include:

  • Involve more than the IT department
    A first step is to set up an incident management team that includes representatives from across the organisation. Areas to consider include IT, finance, facilities management, security, HR and public relations. This team should meet regularly and be prepared to swing into action when and if required.
      
  • Develop an incident response plan
    With the team in place, the first task is to develop a comprehensive response plan. This will become the template that maps out the specific steps to be followed and should go well beyond a traditional disaster recovery plan used by the IT department. Other areas that need to be covered include keeping offices functioning, vehicle fleets on the road, and customer requirements met.
     
  • Ensure your plan covers the entire supply chain
    As the plan is being developed, ensure it goes beyond the organisation itself and also contains action items covering critical supply chain partners. It’s all very well being internally prepared, but what would be the impact if suppliers or partners struck problems?
    It’s also important to evaluate the steps suppliers and partners are taking to ensure their IT systems are secure. This is particularly significant if they are making use of customer data, as any breaches that occur could have penalty and brand risk implications for your organisation.
     
  • Make use of third-party resources
    Developing a resilience plan that is comprehensive and effective is not easy, and many organisations may not have the resources required internally to complete the task. Consider making use of an experienced external expert who can guide you through the process and ensure all elements have been covered.
     
  • Undertake staff education sessions
    Once the plan has been completed, arrange sessions where it can be explained to all staff members. Outline their roles during incident response and what changes might be required compared to regular operations.
     
  • Have a Plan B
    Even the best planning cannot be effective 100 per cent of the time. Ensure your resilience plan contains further steps to take in the event that the initial response is not effective. This could occur if the threat suddenly changes or other factors come into play.
     
  • Ongoing maintenance and training
    Remember that achieving effective business resilience is not a one-time activity. Plans should be regularly reviewed and staff training needs to be undertaken on a regular basis. Steps may need to be altered to take into account new areas of activity, supply chain partners and customer service channels.

By following these steps, Australian organisations can ensure they are as resilient as possible and best placed to withstand incidents that may occur.

Investing the time and resources to complete the job now will result in far less disruption and loss in the future.