It might be time to drop the word “cyber” when talking about cyber security because managing cyber risk is really about managing business risk. IT certainly plays an important role in how information technology systems and stored data are protected, but executives need to understand that there is more at risk than they realize.
For example, executives sometimes make decisions in the name of productivity or cost savings that compromise security. Perhaps these decisions would be made differently if the executives realized how risky a situation their actions created and asked themselves these five questions.
1. How will you operate your business without access to your computer systems and data?
If you have a cyber attack, or even suspect that your systems are compromised, do your employees know what to do? Are you going to send them home and tell them to work from their home computers? Is that even possible? It’s tempting to say that you’ll just go back to paper and pencil, but that’s a pretty unrealistic scenario when your business operations depend on technology.
2. Are you going to pay your staff when they can’t work because your systems are down?
If you can’t pay your staff during the downtime that results from a cyber attack, how is that going to affect their personal lives? How is that going to affect their morale and attitude towards you? While your operations are down and you aren’t bringing in revenue, do you have the reserves to draw from that will keep employees happy? Do a quick calculation to see how much payroll you’ll still have to cover even if you’re not bringing in revenue. How does that math work out for you?
3. What will you say to your customers when you can’t deliver?
First of all, are you going to be able to communicate with your customers if you’re locked out of your systems? Does your security policy have an alternative communication plan? Your customers depend on you to deliver the products or services they ordered on time. Your failure to deliver could send a ripple through their supply chain that could mean trouble for them, not just for you. If you’re in the middle of a cyber attack, you won’t really know when (or if) you’ll get back to business as usual. Will customers be satisfied with that answer? How will they feel about the data you store for them being compromised?
4. What are you going to do if your backups don’t work or they are insufficient?
Just because you have a backup doesn’t mean it’s going to work. Backups and recovery procedures need to be tested from time to time, and they need to match business needs. Does your backup system take into account your tolerance for missed data? What if you have to go back a day or a week to get a workable copy of your data? Can you guess or recreate what’s missing?
5. How are you going to regain trust from customers and employees after a cyber attack?
This might be the most important question of all because trusting relationships with your employees, customers and the community are vital to your success. When employees don’t trust that you’ll be a stable employer, they might start to look for another job. This can be a huge drain on your talent resources when those people hold valuable knowledge and expertise. Customers who have been doing business with you for decades might suddenly have a reason to shop around when they feel that you have put them in the crosshairs of a cyber criminal. You not only compromised your own data and operations; you compromised theirs.
Time to uncover your cyber security blind spots
Because a cyber attack can have devastating impacts, securing your business against one is not just an IT responsibility. Get the information you need to make informed decisions and uncover the blind spots that might be inadvertently putting your business at risk.