Cyber risks: stress testing for resilience

  • A cyber risk stress test can identify weak points in business continuity and incident response plans
  • Along with protecting data, bold scenario planning allows the test to consider the impacts of a potential system blackout cyber event
  • Learn why a cyber risk stress test benefits organisations and how they can conduct an effective test by reading this article

Given that cyber exposures are now seen as inevitable, it’s more important than ever for organisations to invest in resilience. The two fundamentals of resilience are business continuity planning and incident response planning, which together protect profitability by letting organisations identify how quickly and effectively they can react to any given scenario. That’s what cyber risk stress tests are all about.

What is a cyber risk stress test?

The idea behind a stress test is to determine the critical systems, people and locations needed to continue to serve customers and how best to protect and recover them.

Linda Conrad, Head of Strategic Risk, Zurich Global Corporate, North America adds that “While we always aim to prevent a cyber issue, a cyber risk stress test assumes the worst and considers how a business would respond if an incident has already occurred.

Regardless of the cause, the point is to assume that organisations are not going to be without certain capabilities and resources. The idea behind a stress test is to determine the critical systems, people and locations they need to continue to serve their customers and how best to protect and recover them. This cyber scenario analysis and practice can help provide management with the information it needs to adjust risk profiles and response plans to better protect the enterprise.”

Four reasons why organisations should conduct cyber risk stress tests

  1. The actual cost of recovering from significant organisational disruptions, particularly in supplier networks, is up to 10 times more than what is typically allotted to cover them, according to Conrad. Increased dependence on cyber functions could mean even greater costs as a result.
  2. Cyber attacks are considered a risk of high concern to doing business in several major economies, including economic heavyweights such as Germany, Japan, the U.S. and the U.K., according to the World Economic Forum’s Executive Opinion Survey 2015. Organisations that do business internationally will therefore benefit from testing.
  3. Cyber risks are interconnected. A Business Continuity Institute survey found that more than 55 percent of supply chain disruptions were related to unplanned IT outages.
  4. Organisations have valuable data to protect, even if they don’t realise it. Linda Conrad highlights that “It’s not unusual for businesses that aren’t data-centric to think they have nothing to worry about. Cyber risks can have substantial effects at the operational levels of any business: production, logistics, availability of services and resources. Disruptions at those levels can do real damage to the revenues and reputation of a business.”

Top tips for conducting a cyber risk stress test – Organisations should:

  • Identify a C-Suite sponsor, ensuring that all of the necessary resources are acquired. Organisations will benefit when the sponsor shares test results at the highest levels, including the board.
  • Make time for testing and validation. Organisations run systems day to day without necessarily understanding their vulnerabilities.
  • Know their goal and ensure they identify the key people and functions that are critical to their business, prioritising the order in which they are addressed during incident response.
  • Make sure they have engaged with the right people. The main players in a cyber stress test are the employees who have oversight of critical operations and who can effect change.
  • Include some of their major suppliers in a stress test. This can deepen the relationship between the organisation and its suppliers, give both sides insight into each other’s business continuity plans, and verify how they can work together during a disruption.
  • Invest time in the testing. A full day or even two days is time well spent creating resilience across their business.
  • Be imaginative when developing scenarios for the test. The scenarios could cover a hacker gaining access to financial functions, human internal error that disrupts delivery of quality services or a systems crash at a primary supplier that halts production due to vital parts not being delivered to the organisation.
  • Ensure that employees know how they will contribute to keeping the organisation running, or getting it back to expected productivity levels using a business continuity plan.

Organisations should expect to find room for improvements in their business continuity and incident response plans as a result of conducting the stress test. The value of the test is what they do with what they’ve learned, strengthening weak points in the plans and improving the ability of employees to execute them. In the end, that is how they proactively increase resilience to cyber risks.