Like many of you, in the waning days of 2020, I took some time to reflect on the year that was. And what a year THAT was! Undoubtedly, it was unprecedented, but mostly in fact for the unprecedented use of the word unprecedented in print, virtual presentations and other media.
Nevertheless, as I reflected on my and my family’s experiences and challenges in 2020, it struck me that our household, like hundreds of thousands of others, was suddenly coming face to face, in a very real and new way, with the concepts of risk management and continuity planning.
I know, I know: Managing personal risk is what adults do all the time. It’s why we have things like insurance plans, smoke detectors and burglar alarms, retirement accounts and even extended warranties (I am not the only person to buy those, right? Right???). But in 2020, it was different. COVID-19 meant we all had to take in and analyze new information almost every day, then use that information to manage our risks across the health spectrum: physical, financial, mental, spiritual and so on.
Just like every mature business organization, families around the world regularly asked themselves: What are our risks, and what can we do about them? They repeatedly identified their risks, established their risk thresholds and then, after determining acceptable levels of risk (is that trip to the market really necessary?), tried to operate strictly within those risk parameters. To ensure they could continue business as (un)usual, they had to continually and proactively understand, anticipate and take action to reduce, mitigate and eliminate their risks.
This idea ties nicely to a white paper Schneider Electric published toward the end of FY20. The premise of the paper is that while most companies have business continuity plans that ostensibly help them prepare for and respond to a crisis, not integrating cybersecurity into the plan from the very beginning jeopardizes the company’s ability to withstand that crisis. This is particularly true when the crisis wreaks havoc on global communities, supply chains and entire industries and economies.
There are two forms of crises and risks: unsystemic and systemic.
An incident that affects only your business or only one part of your business, like a single facility, would be considered an unsystemic risk. Unsystemic risks, which include cyber-attacks, are usually already top of mind for the risk-management professionals within most companies because they are very likely to occur. Therefore, a response needs to be anticipated.
Systemic risks, on the other hand, disrupt entire industries or, in extreme cases, the global market. These risks and events include things like natural disasters, geopolitical conflicts, financial crises and, yes, pandemics. The Great Recession of 2008 is an example of a systemic crisis: Its impact was not confined to one banking institution, one stock exchange or one country. It ultimately affected people and businesses in every region of the world and in practically every industry.
While the probability of a systemic event is extremely low, when one occurs, it affects almost every aspect of your business. Therefore, systemic events too must be a factor within your BCP because they change all your other risk assumptions, including your assumptions and your appetite for things like cyber-attacks and other unsystemic risks. That is why not making cybersecurity a foundational element of your BCP could jeopardize your company’s ability to respond to and recover from COVID-19 (or whatever horrible event comes next).
When companies scramble and reallocate resources to respond to a systemic crisis, it is critical to keep cybersecurity top of mind. That’s because cyber criminals are eager to take advantage of the uncertainty. Since COVID-19 erupted on the scene, bad actors have been targeting supply chains and critical infrastructure to disrupt, interrupt and corrupt the global economy and response. Now more than ever companies need to make protecting and securing their people, their assets and their operations part of their BCP.
For many companies, the realities of 2020 have been stark.
First, they had to survive a health crisis. Now, as we have moved into 2021, they have to continue to survive a global recession and downward markets, which some predict will last deep into the year (or longer). It seems likely economic conditions won’t return to “normal” until demand for product is back, but that demand won’t return until all the millions of people who are out of work as a result of the pandemic are back on the job.
Many companies have successfully executed their business continuity and risk management plans to outlast the pandemic so far. But as COVID-19 and its derivatives continue to pile on the pressure, a cyber incident could be the difference between recovering long term or not. Ensuring safe, secure operations now will help many companies rebound more quickly when some sort of normalcy returns.
If you are interested in reading more, the entire white paper (Is Cybersecurity the Key to Your Business Recovery?) is available here. And for even better insight and discussion about how managing cybersecurity risks is a real business enabler, please check out our on-demand webinar and panel discussion How Cybersecurity is Key to Risk Management, which features a compelling conversation between several cybersecurity and risk-management experts. From there, you can register to receive a free Spotlight Report, compliments of Schneider Electric and LNS Research, which examines cybersecurity as part of an overall risk-management framework and offers insight on what top-down and bottom-up strategies digital transformation leaders should consider.
Of course, our global team of experienced, certified cybersecurity experts are always available and willing to speak with you about how you can better identify, manage and mitigate your risks. For even more content and to learn how our Cybersecurity Services team can help you secure your digital transformation, please visit our Cybersecurity Virtual Academy.
Thanks for reading!