Over the last few months, I have had the honor to conduct about 15 detailed podcast interviews with executives from the leading Cybersecurity start up firms located all throughout the United States. I had my last one for 2018 just yesterday.
Towards the end of the show, I usually ask my guests what they think the biggest issue will be for 2019. Most of them have said that attacks to Critical Infrastructure will be a huge threat, as well as new variants of existing Cyber threats (such as that of Ransomware, Cryptojacking, etc).
But one thing that was never brought up (or perhaps I should have asked about it) is also the issue of how a business would continue operations after they have been hit by a Cyber-attack. We all assume of course, that we will never be a victim, and as a result, a majority of Corporate America do not have any plans in place to recover, which is quite alarming.
Also, keep in mind that it does not just have to be a direct Cyber attack on an IT Infrastructure that brings down an organization. It can also be acts of Social Engineering, the spreading of false rumors of a business entity on Social Media, or for that matter, even a natural disaster itself.
This topic of how a business or a corporation will survive is expected to survive after being hit is also expected to be a growing issue in 2019 as well, at least according to a survey that was conducted by a Cybersecurity firm known as “OnSolve”.
There were well over 300 respondents that took part in this, and the following are the top issues that came out as to what Corporate America needs to do after they have been hit (BTW, this has a technical term as well, and this is known as “Business Continuity Planning”):
*Sending out real time notifications of being attacked:
Obviously, when an organization has been impacted by a Cyberattack, the first thing that comes to the mind of upper management is in letting all of the employees know that they have been hit, and assuring their safety. Of course, the speed in which these notifications are sent out is of paramount importance. But, keep in mind that we are depending upon other forms of technology to alert the rest of the crowd, and it has to be taken into account as well that these could also be a target of the Cyber attacker. According to this survey, the respondents felt that the following types of Cyber attacks would impede their ability to send out quick notices to employees:
*Malware @ 65% of the respondents;
*Ransomware @ 63% of the respondents;
*Phishing @ 63% of the respondents;
*Business E-mail Compromise (BEC) @ 63% of the respondents;
*Rogue Software @ 33% of the respondents.
Also, according to the leading market research Garter, an organization experiences an average loss of $5,600 per minute for every minute that they are out of operations after being hit by a Cyber-attack. This only underscores the importance of bringing back up critical processes, even if it is at minimal levels.
*Making sure that employee contact information is kept up to date:
Apart from having the ability to notify employees as quickly as possible, equally important is making sure that the contact information of all of the employees are up to date as well. This includes primarily cell phone numbers, work numbers, home numbers, E-mail addresses (both work and personal), physical mailing addresses, and even the employee’s emergency contact information (such as their spouse, or other close family member). After all, what is the point of even trying to communicate if your contact roster is out of date? According to the survey, even this is an area that is severely lacking in Corporate America today. For example:
*Only 25% of the respondents claimed that their employee contact roster is up to date;
*Only 27% of the respondents felt “extremely confident” that their roster has been updated.
The survey also revealed that the following types of communications mechanisms are used the most amongst the respondents:
* 85% use email;
*59% use text messaging;
* 52% use phones (either cell or landline);
* 17% use mobile apps;
* 13% use desktop instant messaging alerts.
*Reaching out to a workforce that is becoming more remote:
Given the advances in communications technologies, the days of reporting to work at a traditional brick and mortar office are fast dissipating. Also, in an effort to keep costs down, Corporate America is now letting employees to work remotely from home, and even hiring employees or contractors from different countries. According to the survey:
*24% of the respondents claimed that they have the means in which to notify remote employees after being hit by a Cyber-attack.
The respondents also felt that the use of geo-targeting communications technologies in this regard is very important in this aspect, so that even the most geographically remote employees can be notified quickly of a Security Breach.
My thoughts on all of this?
I am not at all surprised by the numbers that have revealed by this particular survey. It is clearly evident that Corporate America still has a very long way to go in making sure that their most critical business systems and processes can be brought up within a matter of hours, not a few days.
Thus, the importance of having a Business Continuity Plan in place is now of grave importance. But equally critical as well is making sure that the crafted plan actually works – meaning, that it should be practiced and rehearsed at a minimum of at least twice a year to make sure it is always up to date.
But what I found most concerning is the lack of confidence level amongst the respondents when it came to making sure that their employee contact roster is up to date. There really is no excuse for this, whether there is a Cyber attack or not. This process must start when an employee is first hired, and he or she has started their onboarding process. It is the sheer responsibility of Human Resources to make sure that this list is always up to date – meaning, employees should be asked again at a minimum, of at least twice a year to confirm or revise their particular contact details.
As it has been described, Corporate America makes heavy usage of multiple communications channels – thus, an organization must implement two-way communications in the event of a catastrophic Security Breach. As a result, representatives from upper management, HR, and the IT Security staff will have the ability to get responses of all employees in real time.
This is to ensure they are safe or to provide further details on the context of what is happening. Also, a running tally of who still needs to be contacted can also be created. It is also important to keep in mind that Social Media can be a very useful tool in this regard. But the danger is that it can also be the source of false information if it is hacked into.
Thus, only those employees that must have access to an organization’s Social Media sites should be given those permissions. Also, these sites must be monitored on a daily basis to ensure that only genuine and authorized content is being posted.
But remember that having a Business Continuity Plan in place is not just preparation for surviving a Cyber-attack – it must be equally effective as well in the case of a natural disaster striking as well. A prime example of this are the recent wildfires in California – this has cost businesses and corporations over $1 Billion.
Finally, more details on this survey can be seen at this link: