Talking about crises might seem appropriate for 2020 so far, but people have been navigating crisis impacts on their businesses for many years. If there’s one person who can claim that they own the word ‘crisis’, it’s Grant Chisnall. He’s the host of the Crisis Talks podcast and founder of Left of Boom, a company that helps you proactively manage business risks. Grant believes that with the right preparation and mindset, you can see your business thriving instead of just surviving, particularly through a cyber crisis. His combined approach to business continuity and crisis management consists of: stakeholder engagement from the corporate affairs side, planning and training leadership, and decision-making under pressure throughout crises, the last of which was born out of his twelve-year military career. Below are some primary takeaways from this interview with Grant and Cyber in Business.
1. Cyber Risk is Fundamentally a Business Risk
The risk on the corporate side is significant because of the disruption it causes; we know it has a major impact on operations, data, and the reputation of the business. Australia has had a year of major cyber attacks on large businesses such as Toll Group, Lion, and Bluescope. Back-to-back attacks on top of the pandemic is a scenario that few in the business world would have believed, and in a way it’s a perfect storm for nefarious activity. “What we’re seeing is ransomware as a service globally is being delivered at scale and at industrial scale like we’ve never seen before,” Grant explains. Even if the nature of the attack varies, it’s about the most efficient way to achieve a criminal intent. If it means that criminals can stay at home and achieve the same goal by targeting a cyber vulnerability, then significant time and effort is saved on their part and they can achieve it at scale. All of this raises the question of what assurance you’re able to provide to a client about the protection of their data and the delivery of their services on time.
2. Understand the Risk Environment Before Creating a Plan
“Crisis in general really comes down to understanding what the risk environment is to start with, and then having the right measures in place to deal with it.” This starts with defining what is important to your business and where you derive the most value. When it comes to creating a plan, people sit on either end of the spectrum. A really detailed plan is difficult to develop because no two situations are going to be the same. “My advice is somewhere generally in the middle. You need to have a really strong framework, a really strong structure, and you need to have the right connections with people to activate the whole thing very early.” If you invest in the leadership capability at the start, then generally people will be able to put their heads together to solve the problem at hand. A bit of process really helps to tie all of this together. Real-time planning for uncertainty is a real challenge, which is why it’s crucial to have planning cycles to address these things.
3. Respond Versus React
The only thing you can control is how you’re going to prepare your response to a cyber crisis. “More often than not businesses start to react, and while you’re reacting you get caught in a cycle of reaction, and when you’re in that reactive cycle you’re never actually getting ahead of what the situation is.” It’s important to react but even more important to respond, and to do so proactively. Start with getting the right activation, then get the right assessment about the situation (this is where it’s important to call on external support), get the right team together, and then start responding. What makes a big difference in your response is how you communicate with your clients and when. This relies on strong technical expertise in supporting your response, so bring in those experts early, such as CTRL Group, who can effectively conduct cyber restoration, cyber root cause analysis, and forensics. Ultimately you want to understand what’s going on, what the impact is going to be, and how that translates into action. Getting across the situation quickly will allow you to plan the next steps by putting a team together that’s going to start working through that problem.
“So that investment in your people, investment in your teams, and investment in preparation really comes to the fore when you’re dealing with this real uncertainty. The leadership then really starts to shine through – if you’ve got the right capability, the right team, the right preparation, then you have the opportunity to really demonstrate strong leadership in these events, which is one of the positive outcomes we find.”
4. Maintain an Integrated Approach
In order to manage risks and prevent them from occurring, a business needs to take an integrated approach to response. Disaster recovery and business continuity will need input from all of the various parts of the business in order to manage various impacts from the crisis. The last thing you want is a siloed response that leaves people wasting precious time and energy rather than working effectively. Insurance plays a big role in this, as it helps to check that you have everything tied together. Integration is also a key aspect of the business impact assessment. This is where disaster recovery and restoration schedules naturally come out, and that should give you a strong priority of effort, particularly in a cyber attack. “If you lose access to your servers or have to restore certain components you could lose a lot of time trying to work out what that priority of effort is.” The impact on the operations becomes very critical, so having very strong communications protocols through your normal lines of management as well as other means of communication becomes critical too. This includes customer and consumer engagement, corporate affairs teams, and legal becoming really critical in the response.
It’s common for most people to think “this won’t happen to me,” but if there’s anything that recent events can tell you, it’s that it happens to anyone. The businesses that are well prepared are the ones who have moved from that survival mode into thriving. The silver lining out of any of these incidents is that you become more attuned to these situations and you can apply those learnings in different environments.