Digital Resilience - Minimizing security risks & ensuring business continuity

As COVID-19 spreads across the globe, impacting our health and wreaking havoc on businesses large and small, it is becoming clear that the world has become much more volatile, uncertain, complex and ambiguous. Compared with previous global shocks, as experienced in the 20th century, today the systems that we rely on to keep businesses, governments and our society in motion are primarily digital and perilously interconnected.

Digital resilience may be thought of as embodying the fast-evolving convergence of:

  • cyber security and protection against threats to digital assets;
  • business continuity planning – companies’ preparedness to maintain critical business functions in the event of a disruption; and
  • digital governance, risk and compliance (GRC), which enables companies to keep digital machinery ‘on track’ and aligned with corporate objectives.

Treating these areas in silos is no longer appropriate or relevant. The current business environment demands an integrated approach. To thrive and survive, organizations need to recognize their reliance on digital infrastructure and work toward digital resilience at every level, from the C-suite to the front line. The best way to capture all these areas and ensure uniformity of approach is in a digital resilience framework, which acts as an umbrella document. Below are some pointers that may help organizations develop their digital resilience maturity and ensure it evolves with changing needs and requirements.

First, gather information and take stock of your ‘current state’, even if you already think you have visibility of this. This means conducting an internal audit, perhaps with external assistance, of all areas of digital risk. As businesses become more reliant on data, this is very likely to involve a privacy or data protection review, which involves data flow mapping for your entire organization and an assessment of current practices against applicable privacy and data protection laws.

Second, strategize. To use a military analogy, an organization must identify:

  • its most important assets;
  • the key malicious actors or disasters; and
  • how these are likely to attack (any threat vectors).

This involves a process of prioritization so that expenditure and effort can be focused on the most important areas. This step is also forward-looking. It involves the high-level consideration of possible future directions and anticipating possible future digital risks.

Third, embed digital resilience and knowledge or awareness at every level of the organization. That means:

  • conducting privacy and cyber security impact assessments for every new digital project;
  • incorporating digital risk assessments into third-party due diligence for new outsourcing or service provider arrangements;
  • establishing a tailored incident response plan (including a data breach response plan) and business continuity plan;
  • setting up active cyber defenses to stay ahead of malicious actors and monitor systems for irregular behavior; and
  • preparing a communications plan for everything that could ‘go wrong’ with your digital infrastructure.

Fourth, train personnel for digital resilience and knowledge or awareness. You might have all the right policies in place but often, for too many organizations, these do not translate into practice. It is sensible to run annual training, drills and simulations to help all staff build ‘muscle memory’ as to how they should contribute to digital resilience day-to-day and respond to incidents, such as data breaches, in line with documented processes and procedures.

Fifth, test your organizational response to disruptions. In previous decades, most organizations understood the need to test organizational responses to physical threats to safety, such as fire or equipment failure, but in the digital age, most organizations neglect to put their digital resilience to the test.

Sixth, gain visibility in your supply chain. The advantages of digital supply chain management certainly include increased product availability, faster response times and a reduction in working capital. Although digital supply chains can mean different things to different organizations, we still believe that ensuring visibility and control can help you build resilience. Aim to achieve end-to-end visibility of goods and inventory and use data analytics to predict and simulate flows.

Finally, continually review, revise and adapt. The world is changing at such a pace that best practice, in some areas, changes by the month. This does not mean a wholesale rewrite of your digital resilience framework every quarter. It simply means applying an agile mindset to the way you manage digital resilience. Start with a comprehensive framework that focuses on key strategic risks and constantly make minor adjustments and new iterations.

Macro-environmental threats are stark reminders that digital technology, while a panacea in good times, can be susceptible to failure in the hour of need, especially if the assumptions at the time of its implementation no longer reflect reality. Business executives need to consider what happens in the event of a large-scale disruption and, especially in such uncertain times, how they can build organizations that are digitally resilient.
