Cyber resilience has become a key agenda item for boards and executive committees in line with growing reliance on digital platforms and a worsening threat landscape—and yet the majority of companies seem ill-prepared for what has become a major threat to their sustainability.
Research by the New York Stock Exchange shows that 66 percent of directors are less than confident that their companies are properly secured against cyberattacks. Recent events such as the WannaCry ransomware attack and the hacking of the Democratic Party’s systems by Russian agents, among others, suggest that boards are right to be worried.
“Governance codes like King and others now make ICT governance a board responsibility because of its importance to organisational sustainability, and yet most boards do not fully understand the issues,” says Braam Pretorius, GM: Sales at ContinuitySA. “In fact, research by Dimension Data shows that 68 percent of companies have no plan to respond to a cybersecurity breach, and remain unprepared for an attack. Business resilience and cyber resilience are now just two sides of the same coin.”
He argues that cyber resilience requires not only preparedness but also the ability to respond to a successful cyberattack. Response is critical because unless the organisation can recover rapidly from the attack and resume operations, it faces the real possibility of complete failure. Such cyberattacks are increasingly sophisticated and can be very severe. He cites the recent example of a ContinuitySA client, 90 percent of whose production environment was encrypted by the Troldesh/Shade ransomware. All data was lost and operating system files were damaged.
Luckily, the client subscribed to an offsite server replication and work-area recovery service from ContinuitySA, and was thus able to have its systems completely restored over the weekend. A week later, the same malware struck again, so the entire process had to be repeated. Without this backup environment, the client would have been out of business.
“In an age of cyber-terrorism and rampant cybercrime, we recommend that organisations seriously consider subscribing to a fully managed, offsite disaster recovery and work-area recovery service, one that is regularly tested to ensure it operates,” Mr Pretorius concludes. “If one has no Plan B, one is not truly cyber resilient—and that means the business itself is not resilient, and the board and exco are not properly fulfilling their fiduciary duties.”
Source: NYSE Governance Series, Cybersecurity in the boardroom (2015), available at https://www.nyse.com/publicdocs/VERACODE_Survey_Report.pdf.