Like many of you, in the waning days of 2020, I took some time to reflect on the year that was. And what a year that was! Undoubtedly, it was unprecedented—if only in part for the unprecedented use of the word "unprecedented" in print, virtual presentations, and other media.
Nevertheless, as I reflected on my and my family’s experiences and challenges in 2020, it struck me that our household, like hundreds of thousands of others, was suddenly coming face-to-face, in a very real and new way, with the concepts of risk management and continuity planning.
I know, I know: managing personal risk is what adults do all the time. It’s why we have things like insurance plans, smoke detectors, burglar alarms, retirement accounts, and even extended warranties. (I am not the only person to buy those, right? Right?!) But in 2020, it was different. COVID-19 meant we all had to take in and analyze new information almost every day, then use that information to manage risks across the health spectrum: physical, financial, mental, spiritual, and so on.
Just like every mature business organization, families around the world regularly asked themselves, "What are our risks and what can we do about them?" They repeatedly identified their risks, established their risk thresholds, and then—after determining acceptable levels of risk (is that trip to the market really necessary?)—tried to operate strictly within those risk parameters. To ensure they could continue business as (un)usual, they had to continually and proactively understand, anticipate, and take action to reduce, mitigate, and eliminate their risks.
This idea ties nicely to a whitepaper that Schneider Electric (a member of the ISA Global Cybersecurity Alliance) published toward the end of FY20. The premise of the paper is that, while most companies have business continuity plans that ostensibly help them prepare for—and respond to—a crisis, not integrating cybersecurity into the plan from the very beginning jeopardizes the company’s ability to withstand that crisis. This is particularly true when the crisis wreaks havoc on global communities, supply chains, and entire industries and economies.
An incident that affects only your business or only one part of your business, like a single facility, would be considered an "unsystemic" risk. Unsystemic risks, which include cyberattacks, are usually already top-of-mind for the risk management professionals within most companies, because they are very likely to occur. Therefore, a response needs to be anticipated.
Systemic risks, on the other hand, disrupt entire industries, or—in extreme cases—the global market. These risks and events include things like natural disasters, geopolitical conflicts, financial crises, and—yes—pandemics. The Great Recession of 2008 is an example of a systemic crisis: its impact was not confined to one banking institution, one stock exchange, or one country. It ultimately affected people and businesses in every region of the world, and in practically every industry.
While the probability of a systemic event is extremely low, when they occur, they affect almost every aspect of your business. Therefore, they too must be a factor within your BCP because systemic events change all your other risk assumptions, including your assumptions and your appetite for things like cyberattacks and other unsystemic risks. That is why not making cybersecurity a foundational element of your BCP could jeopardizes your company’s ability to respond to and recover from COVID-19 (or whatever horrible event comes next).
When companies scramble and reallocate resources to respond to a systemic crisis, it is critical to keep cybersecurity top of mind. That’s because cyber criminals are eager to take advantage of the uncertainty. Since COVID-19 erupted on the scene, bad actors have been targeting supply chains and critical infrastructure to disrupt, interrupt, and corrupt the global economy and response. Now more than ever, companies need to make protecting and securing their people, their assets and their operations part of their BCP.
First, they had to survive a health crisis. Now as we have moved in 2021, they have to continue to survive a global recession and downward markets, which some predict will last deep into the year (or longer). It seems likely economic conditions won’t return to “normal” until demand for product is back, but that demand won’t return until all the millions of people who are out of work as a result of the pandemic are back on the job.
Many companies have successfully executed their business continuity and risk management plans to outlast the pandemic so far. But as COVID-19 and its derivatives continue to pile on the pressure, a cyber incident could be the difference between recovering long term or not. Ensuring safe, secure operations now will help many companies rebound more quickly when some sort of normalcy returns.
If you are interested in reading more, the entire whitepaper, titled "Is Cybersecurity the Key to Your Business Recovery?," is available here.
A version of this post also appears on the Schneider Electric blog. It is republished here with the permission of its author.
Interested in reading more articles like this? Subscribe to the ISAGCA blog and receive weekly emails with links to the latest thought leadership, tips, research, and other insights from automation cybersecurity leaders.