The number and complexity of critical events impacting businesses and governments are on the rise.
Today’s crises are triggered by events both inside and outside of an organisation’s control: the global pandemic, severe weather changes, IT outages and even cybersecurity threats. They disrupt operations, threaten people, compromise assets, and impact reputation.
In this high-risk environment, organisations need to leverage the right technologies, people and processes to make informed decisions, with consistent monitoring by multi-disciplinary team members. As a result, decision-makers have been on the look-out for solutions to overcome systemic problems and maintain business operations in the long term.
While the world is focused on the health and economic threats posed by COVID-19, cyber criminals around the world undoubtedly are capitalising on this crisis. Cybercriminals know that we are vulnerable. A spike in ransomware operations globally is adding to an already complex crisis management cycle for many organisations. It won’t stop there. Challenges have increased as cyber-threats and more IT incidents emerge due to inefficiency in responses and processes, causing downtime and rise of cost. Providing an adequate cyber risk management strategy, therefore, is imperative.
To address these issues, experts in the field of critical event management processes gave extremely helpful presentations during the OpenGovLive! Virtual Insight not just on projected effects of cyber threats, but on procedures that must be put in place in case of an actual cyberattack.
The session held on 10 December 2020 was attended by delegates from the Indian and APAC region, all eager to engage in an active discussion on the topic of Strengthening Cybersecurity and Emergency Preparedness: Enhancing Readiness, Response and Recovery
Planning ahead and adopting a resilient strategy
Mohit Sagar, Group Managing Director and Editor-in-Chief at OpenGov Asia, set the tone and stage for the discussion. He acknowledged that incident management was not a new concept but remains one of the top priorities of companies even today. The reason, Mohit said, is that incidents involving data compromise and those related to cyber threats continue to grow in complexity and number.
The outright reaction of most enterprises after a critical event is that they feel lost, even though they may have prepared for such an event. The question to be asked, Mohit stressed, is not why a critical event happened. The more appropriate question to raise is up to what extent a company has prepared itself for that incident.
Another relevant point raised by Mohit was a critical event’s impact on staff. Most employees are uncertain if they should admit they lack the readiness to comply with protocols in the event a critical situation arises. No employee should bear the brunt of a company’s lack of preparation for emergency incidents. Readiness is always key.
The solution, Mohit opined, is a resilient strategy to counteract the effects of cyber and other critical emergencies. This element is crucial and has been epitomised during the COVID-19 pandemic when many businesses were left at a loss on how to recuperate.
With regard to planning ahead, the issue is at what speed and cost? This is where operational resiliency comes into play. Similarly, another key issue is culture. The problem involving culture is reflected more clearly in the case of conglomerates which find it hard to keep everything working large-scale.
In the end, there should be seamless communication, a well-orchestrated platform for critical events management and seamless delivery of services. This, Mohit said, can be achieved, by teaming up with the right partners who can help keep the business working in top shape.
What makes incident management complex
One of the key challenges in coming up with an incident management strategy is that many consider it a difficult process to manage and oftentimes, confusing.
Sonia Arista, Vice President and Chief Senior Information Security Officer, Everbridge, dispelled this worry. She discussed that critical event management is not a singular process. Many factors are at play in setting forth a CEM strategy. There are also different stages in standard critical event management.
At the initial stage, companies must assess the type of disruption that might occur, as well as the extent of damages. From there, decisions must be made on who needs to know about the CEM plan and who designated response teams are. The last phase is communication. Companies should not keep any incident hidden from employees. Communicating to shareholders and customers is likewise advisable.
Aside from these, a post-mortem analysis identifying areas of improvement should also be conducted.
Sonia went on to enumerate some of the critical events that might occur at any particular point in time. These include theft, IT failure and cyber attacks. In many cases, a company is not just hit by one emergency but a plethora of critical events. This is where a critical event management process comes in.
Sonia wrapped up her presentation by reiterating the useful components of an effective CEM plan. She stated that companies should always be knowledgeable about a possible emergency. It must notify all concerned persons and improve on its existing incident management process.
Building cybersecurity readiness
When it comes to cyber threats, having an incident management protocol means more than just ensuring that everything and everyone is well-prepared.
This was the clear message of Charlotte Wood, Director, Policy and Awareness Cyber Security NSW of the New South Wales Government, to participants during the OpenGovLive! virtual session.
According to Charlotte, three things should be considered in the fight against cyber attack: confidentiality, integrity and availability.
Confidentiality means only authorised users and processors shall have access to data and integrity relates to the way data should be handled. Likewise, authorised users must always have access to available data.
Speaking about risks, Charlotte identified the financial risks associated with cyber attacks. To plan, Charlotte says, the trick is to look at risk likelihood and risk impact.
She added that people are the biggest vulnerabilities of companies. To address this, there must be a process on people control. As to possible threats, Charlotte outlined a few. These include human error, insider action and sabotage. In anticipation of these threats, putting a set of controls is important.
Preparation to reduce the impact should occupy the biggest slice of the pie when setting up a critical events management process. Focusing on technical teams for real-world events and in-depth exercise for tech teams in case of a data breach and similar incidents would mitigate the impact of cyber threats.
Charlotte ended the discussion by leaving some food for thought for the attendees: softening the blow of critical events should be a continuous process. It is about educating people as well as encouraging early detection.
Lastly, Charlotte emphasised the importance of having people in charge know what is happening and its impact to make the right decisions.
Going beyond technological aspects
Many businesses and organisations believe that the tech aspect of a critical events management process is a top priority. However, this aspect is just the initial stage of addressing risks and their impact. What needs to be focused on is how to have a structured approach when a critical situation arises.
Jim Fitzsimmons, Director – Cyber Security Consulting at Control Risks, gave thought-provoking points during the OpenGov Asia session. He emphasised that addressing lapses in the technological aspect of operations is often the starting point which can branch out into bigger problems like regulatory impacts and in some cases, health and human safety impact. These are things that go beyond what emergency response teams can do. Businesses must acknowledge that issues arise not just due to technology.
For Jim, information gaps regarding incident management are rarely addressed by companies. Oftentimes, many companies find out about an incident after it has happened. This leaves them taking up considerable time trying to figure out what happened and why an incident happened.
The solution, Jim said, is to be more structured on the type of questions to ask. These may include what to do during the onslaught of critical events and how to address them. This way, a critical events management strategy will not be a blind process.
To sum up his discussion, Jim added that it is equally important to approach problems through collaborative effort and see incident management as a process that cannot be purely delegated to the tech team. The trick then, he noted, is to have a balanced, well-structured approach with a view of potential risks and impacts while working collaboratively as a team.
After the interesting points discussed by the speakers, participants of the virtual session were engaged in polling questions regarding incident management and cyber attacks.
When asked about key concerns in cybersecurity that the participants’ organisations consider, almost half (40%) answered that employee education in IT security is a challenge.
A senior delegate from the public sector in India shared that the primary issue that they had to address was reluctance from employees to report cyber attacks. He felt that most organisations tend to have a standard response to all cyber threats. The problem with this is that the type of response must be based on the type of cyber attack.
As to how organisations measure the effectiveness of cybersecurity, an overwhelming number (85%) of respondents chose the ability to respond effectively to an impending cyber threat.
To elaborate, a participant from Hongkong stressed that it is not enough to only have protocols on managing cyber attacks. She believed that it would be risky if there are no methods which could be utilised to measure the extent of cyber threats. This is in addition to the reality that measurement of damage is difficult to manage.
In rating their level of preparedness for an impending cyber attack, a majority of attendees (85%) said that they are well-prepared but are not sure if they can withstand the resulting infiltration brought by cyber-attacks,
The session came to a close with Sonia leaving a reminder that risks are all around and may arise unexpectedly. Cyberthreats come in many forms including internal threats. The solution, she said, is for companies to keep an eye on the likelihood of risks and also doing a thorough assessment of critical events.
To be able to come up with a sound critical events management strategy which promotes preparedness, resilience and recovery, Sonia encouraged participants during the session to reach out and work hand-in-hand with highly-skilled incident management groups. By partnering with experts like Sonia and her team, companies and government agencies can be assured of a reliable mechanism that will be an additional safeguard in case of any unforeseen incident in the workplace surfaces.
