Cyber resilience - a major threat to business sustainability
Cyber resilience requires not only preparedness, but the ability to respond to a successful cyber attack, says Braam Pretorius, GM: Sales at ContinuitySA.
Cyber resilience is high on the agenda for boards and executive committees, in line with growing reliance on digital platforms and a worsening threat landscape, yet many companies seem badly prepared for what has become a major threat to their sustainability.
Research by the New York Stock Exchange shows 66% of directors are less than confident that their companies are properly secured against cyber attacks. Recent events such as the WannaCry ransomware attack, and the hacking of the Democratic Party's systems by Russian agents, among others, suggest that boards are right to be worried.
"Governance codes like King and others now make ICT governance a board responsibility because of its importance to organisational sustainability, and yet most boards do not fully understand the issues," says Braam Pretorius, GM: Sales at ContinuitySA. "In fact, research by Dimension Data shows that 68% of companies have no plan to respond to a cyber security breach, and remain unprepared for an attack. Business resilience and cyber resilience are now just two sides of the same coin."
He argues that cyber resilience requires not only preparedness, but the ability to respond to a successful cyber attack. Response is critical because unless the organisation can recover rapidly from the attack and resume operations, it faces the real possibility of complete failure. Such cyber attacks are increasingly sophisticated, and can be very severe. He cites the recent example of a ContinuitySA client, 90% of whose production environment was encrypted by the Troldesh/Shade ransomware application. All data was lost and operating system files were damaged.
Luckily, the client subscribed to offsite server replication and work-area recovery services from ContinuitySA. It was thus able to have its systems completely restored over the weekend. A week later, the same malware struck again, so the entire process had to be repeated. Without this backup environment, it would have been out of business.
"In an age of cyber terrorism and rampant cyber crime, we recommend that organisations seriously consider subscribing to a fully managed, offsite disaster recovery and work-area recovery service, one that is regularly tested to ensure it operates," Pretorius concludes. "If one has no Plan B, one is not truly cyber resilient - and that means the business itself is not resilient, and the board and exco are not properly fulfilling their fiduciary duties."
 NYSE Governance Series, Cybersecurity in the boardroom (2015), available at https://www.nyse.com/publicdocs/VERACODE_Survey_Report.pdf.