When it comes to cybersecurity, companies often focus solely on preventing potential cyberattacks. However, it is impossible to be completely protected from every threat.
In Harvard Business Review, Keri Pearlson, executive director of the research consortium Cybersecurity at MIT Sloan, says it is crucial companies move from a prevention mindset to a resilience mindset. Although focusing on prevention means doing all you can to keep cybercriminals out, focusing on resilience adds an additional layer as you work with the expectation that a cyberattack still can happen and invest in preparing to respond and recover when it does.
Pearlson shares the following things leaders of cyber resilient companies do differently.
- They build a culture of cybersecurity. These leaders have ensured everyone in the company—no matter their position—plays a role in helping the company be secure and resilient. They build values, attitudes and beliefs about the importance of keeping the company resilient rather than simply relying on technology-based barriers.
- They prepare responses to a cyberattack—and practice. These companies conduct exercises and drills so everyone knows what to do if an incident occurs. Leaders can stress-test processes, structures and technology so they respond more quickly. Pearlson says the most common way to test business recovery plans and incident response plans is to design an exercise that simulates a cyberattack and then carry out the response plan. You could even include third parties, such as suppliers, customers or consultants.
- They are “secure by design.” The concept of secure by design typically refers to the practice of thinking about security of a digital system or application at the earliest stages of the design process; however, leaders can apply the practice to their entire company. Leaders can look for ways to design their organizations, processes and technology with consideration for security and resilience from the beginning.
- They have the right communications processes in place. When considering crisis communications, it is important to have a back-up plan. For example, a company’s crisis communications plan may involve communicating via email, but if a breach occurs, email communication may be compromised and unavailable. Delays caused by an unclear or ineffective communications plan can harm the recovery process. It is important to have a specific crisis communications plan in place that considers various types of communication.
To help contractors address cyber liability risk, NRCA has partnered with BPM Insurance Services and Acrisure to create NRCA’s Cyber Liability Insurance Program.