Business Continuity

What’s the Bigger Business Risk: Cyber security threats or Cyclones?


What could potentially cause more damage to your business? A cyclone or a cyber attack?

If you said the latter, you’re in good company.

Even after the costliest hurricane season of all time in the U.S., 74 percent of business leaders we surveyed said they consider a data breach, hack or cyber attack a greater business risk than a natural disaster.

Now the Global Risks Report 2018 from the World Economic Forum (WEF) shows those concerns are far from unfounded. In the new report, among the “Global Risks of Highest Concern for Doing Business,” cyber attacks rank at number 8, while extreme weather events and natural catastrophes come in at 18 and 19, respectively.

While the report found extreme weather events and natural disasters to be both more likely and more impactful than cyber attacks, that all three rank among the most likely and most destructive events should be a warning for any business still failing to take action.

If you’re not prepared, an inevitable disaster could take your organization offline for hours or days, which can sometimes damage a business or brand beyond recovery.

When business risk becomes real danger

Both natural disasters and cyber security threats can hobble businesses.

When Hurricane Irma swept across Florida, hundreds of businesses, from amusement parks to cruises, had to shut down operations and cancel plans. The cost of property damage and lost economic output was estimated at $83 billion. Tropical Storm Harvey, which crippled Houston for weeks, was even costlier, with some estimates of the impact as high as $190 billion.

When Disney World announced it would be closing for two days during Hurricane Irma, some estimates put its losses at $90 million, not counting any damage from the storm. Six of the largest airlines lost $550 million due to closings and cancellations.

Cyber attacks are often as disruptive and expensive as natural disasters. Some estimates predicted the cost of ransomware attacks alone in 2017 would exceed $5 billion.

The NotPetya ransomware attack shut down a number of businesses, and Merck was one of the hardest hit. It left production suspended and employees unable to work, costing the company $300 million in the third quarter of 2017. It was on track to lose another $300 million in Q4.

Several years ago, the company Code Spaces, which had been in business for seven years, folded in just 10 days after a devastating ransom attack.

Unfortunately, the WEF predicts cyber attacks and extreme weather events will only get worse.

What the WEF report says is on the horizon

The report notes that cyber attacks against businesses have almost doubled in five years, while citing attacks like WannaCry and NotPetya as examples of both the scale of attacks and the hundreds of millions of dollars falling prey to a ransomware attack can cost businesses.

With the internet of things expected to hit 20.4 billion devices in 2020, up from 8.7 billion last year, hackers have more targets, the WEF report notes. Attacks are only expected to become more common, more damaging and more expensive, and they are quickly becoming the face of the 21st-century disaster.

At the same time, the 2017 hurricane season contributed to extreme weather events that the WEF says continue a trend toward increasingly expensive recoveries. From wind and wildfires to floods and mudslides, these patterns will only grow more frequent in coming years, the WEF suggests.

Are you prepared?

In our survey of business leaders, we asked them to rank their confidence that they could overcome any disaster, with 1 being most confident. Only 10 percent said they were a 1, 2, or 3. A third of respondents placed themselves at the bottom of the scale, at 8, 9, and 10, the least confident.

The responses do show progress, however. Some 31 percent of respondents are now reconsidering their existing disaster recovery plans after the 2017 hurricane season, and 26 percent will likely implement a new plan.

Still, 40 percent said they had no plans to change how they plan for disaster recovery.

Data Breach Response: 4 ways the most resilient businesses respond to hacks


Data breaches can trigger fines, deflate stock prices, irreparably damage reputations, lose customers and attract more cyber-attacks.

But they don’t have to.

By responding quickly and decisively at the first sign of a data breach, you can limit its impact, preserve trust in your business and keep customers safe.

The consequences of a botched data breach response

For many small and medium-sized businesses, a hack can end their existence: 66 percent of them go out of business after a data breach.

Large companies are more likely to survive, but suffer severe damage. Shortly after Equifax announced a data breach that had compromised the personal information of 143 million Americans (recently updated to 148 million), it shed more than $4 billion in market value as its stock sank 20 percent. It hasn’t recovered.

The two massive data breaches Yahoo reported in 2016 gave Verizon a $350 million discount when it finally purchased the company in 2017. When it was revealed that Uber had kept quiet for more than a year about a data breach that affected 57 million people, the public outcry added to the growing reputational damage the company experienced in 2017, trimming its value by about 30 percent.

Throughout 2017 companies large and small suffered data breaches, often with a larger overall impact than necessary. If you want to mitigate the impact of data breaches at your company, and hopefully prevent them, follow these four principles.

  1. Act quickly

A data breach requires an immediate response from every part of your organization. Your IT and business teams will need to locate and close any vulnerabilities in your IT systems or business processes and set in motion your disaster recovery plan if they uncover data corruption. Your business units may need to invoke their business continuity plans, and you may need to assemble your executive crisis management team.

You can improve the speed and effectiveness of your response with regular testing that will ensure everyone is ready to go and knows what to do as soon as a breach is recognized.

Another advantage is having the results of a Data Protection Impact Assessment (DPIA) at your fingertips. It details all the personal data you collect, process and store, categorized by level of sensitivity, so you’re not scrambling around after a breach.

With a clear sense of who should be taking charge and what exactly should be done, you can better contain the damage caused by the data breach.

  2. Be open and honest

A data breach is never ideal, but if your business suffers one, it’s important you inform anyone who is affected as quickly as possible. This will allow them to implement their own self-protecting measures.

We live in a highly connected world with hyper-extended supply chains. Create a crisis communication plan that sets out in advance who needs to be contacted should a breach occur. That way, you’ll never forget important stakeholders in the heat of the moment.

Failing to inform people in a timely manner can cost you in fines, reputation loss and disgruntled customers.

  3. Figure out what went wrong

After a breach, IT administrators should comb through network traffic archives to look for any abnormal activity. How did the breach occur? Was it a vulnerability that should have been patched? Innocent human error? A process gone wrong?

It’s equally important to review your DPIA to ensure it’s up to date.

If the breach is a criminal matter, make sure you pass on any and all relevant evidence to the police so that those responsible can be brought to justice.

  4. Pre-empt future attacks

Prevention is always better than cure. It’s good business practice to continuously monitor risk, including information risk, and ensure the controls are adequate.

Conduct physical and logical penetration testing and check your organization’s susceptibility to social engineering. Ensure you have effective business continuity and back-up solutions in place. Check in on any vendors or partners that have access to your network to review their security practices and level of access. Seek out executive coaching to ensure that your C-suite has the skills, competencies and strategies to lead your organization through the complex, uncertain and unstable environment that is the aftermath of a data breach.

Facing the inevitable

Data breaches are growing more common, not less. How you respond in the aftermath of a data breach says volumes about your organization and how much you value customers.

If you delay disclosures; suffer repeated, preventable breaches; and leave vulnerabilities unfixed, you’ll shed customers and market value.

Take action quickly, however, and be proactive in notifying people of a breach and in fixing vulnerabilities, and you’ll contain and weather a data breach better than most businesses.
