Before the tensions between Russia and Ukraine escalated into full-blown war, cyber activity in both countries surged. As Ukraine was bracing for an invasion, cyberattacks targeted the country’s banks and government agencies, and Russian hackers attempted to bring down the power grid. Russia, in turn, found itself a target of Anonymous, a “hacktivist” collective, which in the first days of the invasion played the Ukrainian national anthem on Russian state TV along with footage from the war.
The surge in cyber activity surrounding the invasion of Ukraine, documented in a Microsoft report, stoked concerns among governments and enterprises fearful of getting caught in the digital crossfire. In 2017, a cyberattack on a Ukrainian tax preparation program led to disabled airports, railways, and banks within Ukraine and spread to a host of global companies, eventually causing more than $10 billion in economic damage.
Lessons and insights from past cyberattacks can help companies prepare and respond more successfully to future threats. A study based on data from VisibleRisk, a joint venture between Moody’s and Team8, suggests that organizations that respond poorly to an attack accumulate losses that are 2.8 times larger than those of firms that show no signs of poor response.1 In contrast, companies that respond successfully to cyberattacks can limit the negative effect on shareholder trust and even use the crisis as an opportunity.
To understand response best practices and how companies can avoid common mistakes, we drew on two sources of insights: We conducted in-depth interviews with CEOs, CFOs, CIOs, chief information security officers, and other senior leaders whose companies had previously endured serious cyberattacks (including, in several cases, the 2017 Ukraine ransomware attacks); and we gathered observational data at top cybersecurity training centers that help executives prepare for crises by simulating realistic cyberattacks on their enterprises.
What Doesn’t Work
People never come to work expecting a cyberattack, so when it happens, it feels random and overwhelming. Business leaders are often suddenly confronted by unfamiliar issues for which they have received little formal training. We observed three common mistakes people make that inhibit successful recovery from a cyberattack.
Setting unrealistic deadlines for recovery. One senior leader told us that the worst day after a serious cyberattack is not day one or day two. The worst day comes after two weeks of high uncertainty and little sleep, when the realization dawns that it will take many more weeks to recover. Missing unrealistic deadlines demoralizes the workforce and the engineers involved in remediation. Before rushing to set hard deadlines, leaders must get as much information as possible to help understand the full scale and impact of an attack.
Irrational internalization. Most serious cyberattacks these days have reached a level of sophistication that makes it difficult, if not impossible, for companies to deal with such incidents on their own. One company we studied waited four days before it sought outside help. During those four days, the team made little progress toward finding the root cause of the attack, closing the vulnerability, or recovering and rebuilding systems. Outside support can come from cyberattack incident response specialists, law firms, public relations consultants, government agencies, police, and suppliers. Even competitors have been known to offer resources and office space.
Unnecessary blame. Senior executives in some companies we studied went after their IT department vocally for allowing the attack. The leaders’ wrath encouraged other employees to engage in similar behavior. In one instance, a senior IT administrator quit on the spot and walked out of the building, returning only after an executive chased after him, apologized, and reassured him that his skills were desperately needed. The time to analyze and correct any mistakes in process or behavior comes later, after stability has been restored. In the wake of an attack, any energy not spent on resolving the issues just creates additional pressure and reinforces paralysis.
Three Things Cyber-Resilient Companies Get Right
The precise low-level details of how a company should respond to a cyberattack depend on the nature of the attack and the kind of business affected. But at a higher level, the following elements are at the heart of responding successfully to any attack.
Plan and prepare with edge cases in mind. “There is pretty much nothing you can do to prevent a cyberattack from happening. Therefore, it is all about preparedness for when it happens,” one CIO told us. Unfortunately, our research shows that most enterprises spend most of their time, money, and attention on protecting their IT infrastructure while neglecting other elements of organizational resilience.2
Simply having a plan won’t suffice — companies must ensure that it will be available and executable when needed. We found that some companies had their plans stored in electronic form on a server that was then encrypted by ransomware. Others who stored their plans in printed form still ran into problems because execution relied on company email and telephony systems that had been compromised.
Such problems underscore how critical it is to embed the key elements of any plan into the thinking and behavior of the people who will have to execute it. Both in the training centers we observed and in our fieldwork, we consistently found that executive teams with previous experience in high-stress, dynamic, and uncertain environments tended to outperform their less experienced counterparts.
Leaders with previous cyber crisis experience or teams with backgrounds in the military, emergency services, or aviation generally remained calmer and made sounder decisions amid chaos. They were better able to think clearly, behave innovatively, and adapt quickly to changes in the enterprise and its environment. In contrast, teams with little previous experience tended to rely on routines, hoping in vain that these would be adequate. In building cyber resilience, as in so much of life, experience (which can be gained in crisis simulations) is indeed the best teacher.
Don’t delegate, lead. In our experience, senior executives who have guided their companies through cyberattacks undergo a major change of mindset. In particular, they cast aside any previous belief that the burden of responding to cyberattacks falls mainly on their technology specialists. Instead, they recognize that a successful response is a matter of collective responsibility and organizational leadership.
In fact, cyberattacks commonly leave enterprises with everything but technology. As one CIO put it, “It’s not an IT issue anymore anyway, because IT is almost always down.” In his company, human resources had to keep paying employees without access to employee data. To do so, HR instructed the bank to mirror the previous month’s payments. The supply chain function in another company asked multiple vendors to supply previously shared data. By combining information from across vendors, it was able to construct a data set good enough to continue with inbound and outbound logistics. Such innovative solutions require collaboration within and across organizations — collaboration that top leadership must enable.
The same imperative applies to deciding which business processes and IT systems are most critical and thus need to be prioritized in the recovery. Every business unit and function will likely see its own priorities as essential. One CEO recalled: “We had 1,000 managers around the world screaming and shouting that their application is the most important. Someone had to decide what [would go] first.” That someone must be top management.
Within the IT function, one particularly effective technique we observed is to divide staff members into two teams. One team is responsible for remediation: investigating the root cause of the attack, closing vulnerabilities, and preventing secondary attacks. The other team recovers and rebuilds systems. Both teams work independently, which allows each to focus on the task at hand and nothing extraneous.
This kind of effective coordination across the business accelerates decision-making amid crises. It also leads to faster recovery and lowers the cost.
Provide open, consistent communication. When a cyberattack happens, executives face a key decision about what and how much to communicate to shareholders and stakeholders. Admittedly, some exceptional cyberattacks may reach a level of sensitivity or involve vital government entities that make full and transparent communication inappropriate. But those are exceptions.
Our bias is generally in favor of rapid transparency. For one thing, keeping an attack under wraps is hard. In our research, we came across numerous examples of employees tipping off outsiders — in many cases, inadvertently.
In contrast, airing the facts helps shape the narrative around the story and can help protect the company’s reputation. As the CIO of a manufacturing company noted, “If people start seeing you as a loser, incompetent, and slow to act, then you lose key allies and stakeholders, and it can quickly go downhill.”
Transparent communication can also create strategic opportunities. One CEO told us: “The decision to openly communicate with customers, shareholders, and the public was really useful, for two reasons. First, customers truly appreciated this, and we had lots of positive feedback. Second, customers, suppliers, and even some competitors offered to help.”
Sticking to the chosen communication strategy is as important as choosing the approach. Coherence in internal and external communication signals competence. We observed that the least successful teams and organizations lacked cohesion in their communication strategies and oscillated between transparency and secrecy, appearing to have lost control and eventually losing the trust of stakeholders.
As the risk of future cyberattacks continues to rise, the stakes for companies and leaders could not be higher. The core findings from our research — that success or failure in the wake of a cyberattack depends on leadership across an organization, on gaining practical crisis experience in advance, and on consistent communication — provide guidance for senior executives to navigate future threats successfully.
1. “IRIS 20/20 Xtreme Information Risk Insights Study,” PDF file (Leesburg, Virginia: Cyentia Institute, 2020), www.cyentia.com.
2. R. Safi, G.J. Browne, and A.J. Naini, “Mis-Spending on Information Security Measures: Theory and Experimental Evidence,” International Journal of Information Management 57 (April 2021): 1-46.