
Effective cyber resilience means thinking beyond the IT department

20 Nov 2019

Article by CQR Consulting chief technology officer and co-founder Phil Kernick

Ask a group of Australian business executives who should be in charge of their organisation’s cyber resilience plan and the majority are likely to point to their IT department.

They think resilience is all about keeping the servers humming and data flowing through networks.

Yet, while the IT infrastructure is certainly a critical component of any business, a cyber resilience plan needs to extend much further.

To be effective, it needs to cover all parts of an organisation and involve everyone from the CEO to the reception desk.

This is because potential disruptions are not limited to IT-related incidents.

They could arrive in the form of extreme weather, a supply chain failure or electricity outages.

You only have to look at events such as storms in South Australia or cyclones and floods in Queensland to see the potential for business disruption and loss.

For this reason, it’s worth investing time and resources now to put in place a comprehensive and effective business resilience plan that will ensure operations can continue should an incident of any type occur.

The key steps involved in developing such a plan include:

  • Involve more than the IT department
    A first step is to set up an incident management team that includes representatives from across the organisation. Areas to consider include IT, finance, facilities management, security, HR and public relations. This team should meet regularly and be prepared to swing into action when and if required.
      
  • Develop an incident response plan
    With the team in place, the first task is to develop a comprehensive response plan. This will become the template that maps out the specific steps to be followed and should go well beyond a traditional disaster recovery plan used by the IT department. Other areas that need to be covered include keeping offices functioning, vehicle fleets on the road, and customer requirements met.
     
  • Ensure your plan covers the entire supply chain
    As the plan is being developed, ensure it goes beyond the organisation itself and also contains action items covering critical supply chain partners. It’s all very well being internally prepared, but what would be the impact if suppliers or partners struck problems?
    It’s also important to evaluate the steps suppliers and partners are taking to ensure their IT systems are secure. This is particularly significant if they are making use of customer data as any breaches that occur could have penalty and brand risk implications for your organisation.
     
  • Make use of third-party resources
    Developing a resilience plan that is comprehensive and effective is not easy, and many organisations may not have the resources required internally to complete the task. Consider making use of an experienced external expert who can guide you through the process and ensure all elements have been covered.
     
  • Undertake staff education sessions
    Once the plan has been completed, arrange sessions where it can be explained to all staff members. Outline their roles during incident response and what changes might be required compared to regular operations.
     
  • Have a Plan B
    Even the best planning cannot be effective 100 per cent of the time. Ensure your resilience plan contains further steps to take in the event that the initial response is not effective. This could occur if the threat suddenly changes or other factors come into play.
     
  • Ongoing maintenance and training
    Remember that achieving effective business resilience is not a one-time activity. Plans should be regularly reviewed and staff training needs to be undertaken on a regular basis. Steps may need to be altered to take into account new areas of activity, supply chain partners and customer service channels.

By following these steps, Australian organisations can ensure they are as resilient as possible and best placed to withstand incidents that may occur.

Investing the time and resources to complete the job now will result in far less disruption and loss in the future.
