Cyber Resiliency: Designing for Disaster

Cybersecurity is a method to protect your data and systems. Cyber resiliency is a way of doing business in the face of the inevitable.

When Hurricane Michael struck the Florida Panhandle earlier this month, it wiped away wide swaths of Mexico Beach, a coastal town on the Gulf of Mexico. Left conspicuously standing was a house built just last year of reinforced concrete, specifically designed to withstand a Category 5 storm.

The house, elevated on pilings to survive the storm surge, lost its stairwell, by design. The stairwell was built to separate from the building without damaging the structure itself. Other than the missing stairs, the house suffered only minor water damage and a cracked shower window.

This story is an important lesson and a metaphor for cyber resiliency: taking steps to weather a data or systems catastrophe while maintaining ongoing business operations. The adoption of cyber resiliency is an important mindset shift for those dealing with cybersecurity.

Cybersecurity is the approach that focuses on the methods and processes of protecting electronic data. Its goal is to thwart an attack, and it emphasizes training people and systems to recognize infiltration so it can be stopped. Cyber resilience, on the other hand, assumes an attack will occur. The underlying premise could be summed up this way: “What can go wrong, will. What are you going to do about it?”

Many companies have made meaningful improvements in protecting their data. They have implemented better firewalls, procedures and training to reduce the likelihood of an attack. These steps are essential, but a cyber resilience program focuses on how the enterprise can continue doing business in the midst of and in the wake of an attack. Cyber resiliency requires a different set of tools and, more importantly, a corporate culture more attuned to surviving natural disasters.

Consider the Sony Pictures breach of 2014. What made headlines were the snarky leaked emails and scripts of upcoming episodes of coveted shows. Lost in some of the reporting was the crushing failure of Sony’s computer systems, forcing first-responders to work out solutions with pen and paper and communicate via fax machine. According to the Washington Post, the breach cost the company $15 million.

Fast forward to last year, when the Danish shipping giant A.P. Moller-Maersk was hit with a cyberattack that snarled global shipping for two weeks and cost the company $300 million, a huge earnings hit. The attack briefly shut the Port of Los Angeles’s largest cargo terminal. Those in charge of righting the ship communicated via Twitter and WhatsApp and reworked transit logistics using Post-It notes. The financial cost was phenomenal, and not something easily recouped via business interruption insurance.

Incorporating cyber-resilient thinking comes down to several key areas.

  1. Bespoke Backup Plans. This goes well beyond data backup. Data stored elsewhere is no good without systems on which to access it. This requires systems backups and infrastructure redundancies. Think like a startup: what is the MVP (minimum viable product) needed to keep the lights on and the trains running? Consider the most basic aspects. What if your electronic key system is compromised and your engineers are essentially “locked down” to their current locations? What if your access to the grid is severed? Do you have sufficient alternative power sources to run mission-critical operations, so IT first-responders can do their jobs?
  2. Run “Irregular” Incident Response. It’s not enough to run the same recovery plan over and over. Smart CIOs add wrinkles to each exercise. Execute a recovery exercise, but tell your team all email is down, and see how they improvise. Or let them know that Step 2 of the recovery response is off-limits, and see how they problem-solve to get from Step 1 to Step 3. Not only will you come up with contingencies, but you are agility-training your entire response team.
  3. Think Holistically. We’ve talked about how a company’s cyber-response plan can be a model for dealing with all manner of disasters. Review your company’s other corporate response plans, whether for natural disasters, a precipitous stock drop, a CEO scandal, or another crisis. Mine those plans for ways to improve your cybersecurity plan, and ensure that those response plans are able to work hand-in-glove with any cybersecurity response plans. Think like your customer: what do they need from you in an emergency? What is mission-critical from their standpoint? Don’t let your customer’s immediate need become a secondary or, worse, a competing interest.

In this day and age, our idea of “worst” seems to be ever expanding. Cyber-resilient companies embrace this kind of thinking. They accept the challenge that “what if” means “when,” and plan accordingly with creativity and resourcefulness.

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.