A cyber crisis is a business crisis, not an “IT issue”.
If you are a CEO or a C-level leader of a maritime and logistics business, stop scrolling your phone for a minute and read this blog. Speaking from the experience of helping many companies survive cyber attacks: it might save your business too one day.
The difference between companies that believe they can defend vs. those that accept that they will be breached and prepare for it by building resiliency is crucial. And it all starts at the top.
Management teams, from C-levels to the senior managers who report to them, are almost never personally responsible for cyber attacks. And yet, they are almost always on the hook and need to take action when cyber attacks occur.
After all, your company stakeholders aren’t going to be pointing fingers at the anonymous engineer whose oversight enabled an attack against your IT or OT infrastructure. They’re going to come after the management team, asking why they left their companies vulnerable to attack.
Likewise, your company’s employees, who are siloed into different departments and business units, aren’t likely to be able to manage a response to maritime cyber security incidents entirely on their own. They need a guiding force in the form of senior leadership, who can view incidents from the perspective of the business as a whole and organize response activities accordingly.
Lastly, when a cyber crisis occurs, it is far more than an “IT issue”. It is first and foremost a business crisis. The IT and cyber leaders are tech oriented and will focus on the technical aspects of the crisis. They cannot be expected to manage the business aspects of the crisis, nor to be responsible for maneuvering the company to operational continuity. This is the CEO’s and the C-level’s task.
This understanding is exactly what separates companies that still rely on protection and on the IT team’s ability to fend off attacks from companies that accept, or even embrace, the new reality: that a major cyber incident is a matter of time. A when, not an if. It’s the shift from a protection mindset to a resilience mindset.
That’s why management teams need to take a “shared accountability” approach on cyber readiness and be prepared to play key roles in responding to cyber incidents. And we’re not talking just about CIOs or CISOs here. All executives or high-level managers – including those in non-technical roles – need to be ready to act when cyber attacks happen.
Another common misconception of C-level teams relates to the magnitude and complexity of a cyber crisis. They are mostly experienced managers who have dealt with various types of crisis situations throughout their career, but dealing with a cyber crisis is something completely different.
A cyber crisis tends to happen fast, escalates quickly, involves high levels of uncertainty, pits the company against a sophisticated adversary and has far-reaching implications for all aspects of the company. It is likely to be lethal in the short term, or at best to leave the company beaten in the long term. A definite line is drawn in business conduct before and after a cyber crisis. Management’s level of preparedness will determine the scale of the damage.
So what should senior managers be ready and prepared to do following a cyber attack? And how can they prepare to do it?
The role of senior managers in maritime cyber security
Senior managers rarely play a technical role in security incidents. Indeed, most don’t have the technical background or skills necessary to understand exactly why an attack happened, or which systems it affected.
Nonetheless, they are accountable when a cyber incident occurs. They’re in the spotlight, and they play a key role in managing the crisis. They’re required to help make difficult decisions about which systems to restore first, how to prioritize resources, how to communicate with stakeholders about the crisis and so on. And above all, they must work to ensure that the business can continue operating to the fullest extent possible until the incident is definitively resolved.
To accomplish these goals, everyone on the management team needs an understanding of:
- The nature of the threats and cyber risks that the company is facing.
- The specific roles that they themselves will play in cyber response and business crisis management.
- Which crisis management and business continuity measures are in place and what needs to be done in order to adapt them to the risks and threats.
- Which third parties are required to support the company when it is attacked, and securing on-call agreements with them (on top of, or as an alternative to, cyber insurance coverage).
- Making sure that the plans are regularly rehearsed and tested.
Without this knowledge, senior leaders are left flying blind when a cyber attack occurs.
Be part of the solution, not the problem
Despite the critical role that senior leaders should play in cyber incident response, not all managers are prepared. For example, surveys show that nearly 90 percent of senior managers place sensitive work files at risk by uploading them to storage managed by third parties. In addition, about half of senior managers have sent sensitive information to the wrong people or removed work-related data from job sites.
It’s easy enough to understand why managers do these things. They’re under pressure, they have busy schedules and they don’t always have time to learn or adopt cyber security best practices. The fact that senior leaders are often targeted by spear phishing or other types of focused attacks only exacerbates the challenges they face.
Still, the fact that company leaders have such poor track records of adhering to good security practices suggests that they’re more likely to contribute to security problems than to help solve them. And that’s a major liability for businesses, given how important senior leaders are to effective cyber response.
So, be the change you want to see in your company. Be a role model when it comes to cyber security standards, demonstrate a zero-tolerance approach to cyber violations, prioritize the subject in your management meetings and watch the change happen.
“If you build it, they will come”.
Your CIO won’t save you (and s/he should not be expected to)
If you’re thinking that your company’s CIO, CISO or the IT team as a whole will simply pick up the slack and direct an effective cyber response, you’re mistaken. Although these stakeholders specialize in IT management and (in many cases) cyber security, they alone cannot be held accountable for crisis management or business continuity. Their role is to manage the technical aspects of cyber incident response and maritime cyber security. They’re not managing the standing of the business as a whole.
Thus, if the other executives’ cyber response plan is to assume the CIO will tell everyone what to do when a crisis strikes, your business is not prepared. That’s not the CIO’s job.
Incident response is instead the job of the entire senior leadership team. They must manage and allocate the business’s resources to guide both the technical and the business facets of crisis management.
Crisis management planning
So, instead of assuming that your business will figure out how to manage a crisis on its own, or that IT experts will handle the challenge, you should invest in measures that prepare all senior leaders for this important work.
Training programs are a start. They show management how to handle cyber incidents, while also raising their general awareness.
But training alone only goes so far. And since every business is unique, crisis management preparedness programs need to be tailored to each business’s priorities.
That’s why investing in crisis management planning that is tailored for your company and leadership team is another crucial step toward getting ready for cyber challenges. Talk to us to learn about how we prepare organizations to respond effectively to cyber incidents, and how our cyber simulations help to raise awareness of the importance of business crisis management among senior leadership teams.