Falk Rehkopf


CEOs: Cyber Resilience Requires Effective Communications

Throughout 2022 we have seen an increase in cyber threat activity, and the risk of an infrastructure breakdown caused by a cyberattack is the top concern for cybersecurity experts - but, surprisingly, not for many CEOs.

Data from the European Communications Monitor showed that already back in 2020 more than half of organizations reported having been the victim of a cyberattack at least once - with enormous and sometimes disastrous short- and long-term damage to organizations in terms of legal consequences and economic cost.

Unfortunately, most business leaders are not thinking about cyber security in the right way. The State of Cybersecurity Resilience research among 4,744 global respondents (including 500 CEOs & CFOs) indicates only 5% of companies are getting business and security alignment right.

That’s why governments and organisations around the world, such as the World Economic Forum and others, have sounded the alarm and asked business leaders to operate at a “heightened state of readiness”.

To succeed, CEOs should align their business and security teams around one cohesive strategy and plan of action to create safe and trusted environments for customers, employees, investors, and vendors.

Despite the immense financial, legal, and reputational risk - and despite established best practices - most responses to cybercrime incidents do not succeed.

Some efforts may even make matters worse. Here is why:

  • Lack of skills—Many business leaders don’t understand cybercrime and are unable to discuss it. Case in point: many don’t know the terminology—think of terms such as ‘spoofing’, ‘whitehat hackers’ or ‘zombies’. On the corporate communication side, typical mistakes include saying too much or too little, too soon or too late, or social media missteps - and, yes, this includes tone-deaf C-level executives. While technologies offer support, it is an organization’s workforce, including communications and marketing teams, that is key in causing, preventing, and managing cybercrime incidents;

  • Lack of data—Given their experience with media monitoring, social intelligence, and audience research, marketing teams are experts in scanning environments for relevant (data) signals. But even these teams typically exclude threat intelligence, which scans major sources of cybercrime, such as the Dark Web, for risks;

  • Lack of tools—Today’s standard SaaS tools, specifically when it comes to marketing technology, don’t offer any of the required solutions. There is a growing list of threat intelligence providers, but their offerings are not geared toward the needs of marketing, HR or other relevant corporate functions.

That’s why business leaders need to take a leading role in safeguarding their organizations, colleagues, investors, brands, and reputation from cybercrime. To be effective, they need to master a new skill: cyber resilience.

Cyber resilience is often referred to as an entity’s ability to continuously deliver the intended outcome, despite adverse cyber events. [1] Matt Torrens, COO at Sprout Technologies, goes further by adding that “a true cyber resilience approach blends protection, detection, response and recovery to form an organization-wide, collaborative strategy.”

Both definitions fall short in a number of areas, though, most notably on the dimensions of incident prevention and individual accountability. So, to me, cyber resilience consists of the combined ability of an organization, its affiliated individuals, and its partners to develop and implement a holistic approach to preventing, preparing for, responding to, and recovering from a cyber incident. [2][3]

So, how do you develop a cyber resilience strategy and the required skills? Consider these elements:

  • Prevention—The key is to constantly monitor and communicate the organization’s risk exposure. By scanning, for example, the Dark Web for relevant signals, such as a brewing attack, risks can be identified and assessed. Interpreting conversations on so-called paste sites, marketplaces, or chat rooms requires upskilling, since the media structure of the Dark Web, the lingo used and the actors’ behavior differ fundamentally from other parts of the Internet.
    By understanding the vulnerability landscape, business leaders can help develop and implement effective plans in close collaboration with, for example, HR, Digital Security, Marketing, and Internal Communications teams. That way, all employees are aware and know which behaviors and practices are safe;

  • Preparation—There are many different cyber threats, such as birthday attacks, Dark PR or Disinformation-as-a-Service (DaaS) campaigns. Organizations will need effective crisis communication plans: be prepared and have answers ready to questions such as ‘Who will be part of the crisis team responding to the incident? How quickly will you inform your various publics, and in what order? How do you secure communication when essential systems, such as email, are down? And how do you visibly demonstrate your commitment to protecting all of your stakeholders?’ To check the effectiveness of crisis plans, organizations should regularly benchmark plans, train employees, and run simulations;

  • Response—Actual breaches need to be identified as quickly as possible. Response capabilities will be determined to a large degree by the access to, and quality of, your incident-related data. Regular internal “what do we know and what does it mean” sessions will help establish the facts and understand the implications across corporate functions. Data from these digital-forensics-driven activities will be key to communicating effectively and transparently post-incident (‘we were attacked by XX and have taken XX measures to secure XX’) and is therefore instrumental in re-establishing trust with all relevant publics;

  • Recovery—Moving on from a cyber incident is not easy. Reputation repair is key in this phase, and it will largely be driven by credibly communicating to all audiences what steps will be taken to avoid similar incidents in the future. Proactively plan narratives that resonate with the target publics; this will help avoid prolonged brand damage and loss of trust. Sharing learnings from the incident, and how to prevent attacks, should be part of the communication tactics.

Developing effective cyber resilience is key for business leaders given the explosive growth in the number and sophistication of attacks. Only business leaders with the required level of competence and awareness, who grant their teams access to forensic, incident-related data and tools as well as strategic plans, will be able to implement successful prevention, crisis, and recovery plans.
