What can our reaction to the global pandemic teach us about risk?
No one could have predicted the COVID-19 pandemic. At least, that’s what I’m hearing. In reality, the ramifications and likelihood of a global pandemic have been predicted to a T as early as fifteen years ago. Despite this, none of us were adequately prepared for the impact on the economy, on social norms, or on our individual businesses.
Similarly, the ramifications and likelihood of a cyber-pandemic, particularly in the form of cyber warfare, are well and truly predicted. And, unfortunately, with the same lack of readiness.
The document, among other things, outlines critical vulnerabilities in several sectors of industry, including Fuel, Power, Transport, Electricity, Health & Water, and is an incredibly informative read that i recommend for any Australian citizen.
In a workshop conducted by the Australian National University, it was emulated that majority of attacks would be targetted against civilians, rather than military or government.
“Disruption of food and fuel supply chains was a common theme. Other scenarios targeted consumer banking, ticketing at major sports events, or “mum and dad” business networks, to increase public inconvenience and fears.”
Most notably, the document outlines that in a scenario of cyberwar, adversaries would not just exploit computer systems; they would exploit vulnerabilities in society.
Predicting the impact of macro-crisis, such as cyber-warfare or the current pandemic, can be difficult. No one could have predicted the impact on their business, because we’ve never needed to. The reason that so many businesses were completely taken by surprise, is because no one thought it would happen.
For those of us lucky enough to continue operations, and for those of us who have adapted our operations to fit these trying times; there is a lot that we can learn.
Firstly, in the same vein that you can’t stop a pandemic, you can’t stop cybercrime. But, what you can do is have a measured, established risk-based plan and response for your business.
We recommend putting time and effort into establishing incident response measures, as well as preparations for large-scale impacts on your business, both in cyber and key risk drivers.
While you can’t control the large-scale ramifications of a potential cyber-pandemic, such as the impact on supply lines, key infrastructure, and tech, you can prepare for and mitigate risk to your business.
Remember, even in the context of a general cyber-attack, there are huge large financial, operation and reputational repercussions to account for. In 60% of cases, one cyber-attack is enough to cause businesses to shut down within only 6 months.
Whether you already have an established risk-management plan or not, here are a few key cyber-points that all business should have covered:
- Identify your key assets. Every business has key data and critical systems that they could not continue to operate without. Common examples include confidential client & business records, network infrastructure or systems that are integral to your product/service.
In the same vein that many businesses in hospitality have suddenly lost their bread-and-butter services, and have been forced to adapt, cyber incidents have a similar, but much wider scope of impact to businesses.
Identify the crown jewels of your business, establish extra protective measures to ensure that they are safe (such as two-factor authentication and access control), and establish worst-case scenarios in which your business could temporarily operate in the case of a data breach.
- Back up your data. For certain types of cyber-crime, such as ransomware, the hardest part of recovering is getting the business back online. By regularly backing up your key data & systems, you can not only get back on your feet much faster, but you also remove some of the leverage that a hacker has over your business.
- Responding to the public and your client base. Regardless of whether a cyber-incident is targetted, or impacts you from a wider scale, your stakeholders will need answers. Establish a timeframe, template and plan-of-action that can be efficiently and promptly communicated to the public and your stakeholders. This not only ensures that you meet compliance, but it also saves you a lot of reputational harm.
For many of us, this pandemic is simply an affirmation of risk. Risk is real. While you can never remove 100% of the risk, you can understand it, identify what you are comfortable with, and prepare your business with a plan accordingly.
Having no risk assessment or plan in place is likely to leave you in a similar situation to many COVID-19 impacted businesses right now. For those in high-risk industries, such as airlines, accommodation and hospitality – did they have a plan outlining their key action steps in the scenario that their primary operations entirely stopped in 4 weeks?
No. And in hindsight, it’s become obvious to all of us that we should have been prepared.
While this sort of doomsday-level preparation would have seemed silly in January, it’s clear to all of us now that it’s entirely necessary and reasonable. COVID-19 should serve all of us as a wake-up call, and encourage us to be mindful and ready for sudden changes, and difficult scenarios.