The 'elephant in the room' question

The organisations I have spoken to over the last few weeks say that things have gone fairly well. Depending on the type of business, many staff are successfully working from home and now organisations are planning the socially-distanced return to work. Almost all acknowledge that this is in no small part due to a huge personal and organisational effort to change working practices, reorganise operations and reconfigure systems.

We’ve been told a few horror stories - like the global investment bank discussing an IPO on Zoom when the call was interrupted by another (uninvolved) bank! I suspect that it took a while before the compliance person’s blood pressure returned to normal.

Over the last few days I’ve been asking my contacts “Is your organisation more resilient now than it was mid-January?”. Many admit that their sense is that they are less resilient now, as operations are running with reduced staffing, less controls and with IT services operating at breaking point. 

The answers are unsurprising - most resilience / risk / crisis / business continuity professionals are not the sort of people to sit back and relax. So, is now the time to ask ourselves the ‘elephant in the room’ question - “What if we have a cyber attack right now?”

The recently announced EasyJet hack in the UK was discovered back in January, before operations were affected by COVID-19, so we can’t learn much from that incident. But we can all paint that difficult scenario in our own organisations fairly easily: a cyber attack is suspected; IT ‘pull up the drawbridge’ by taking down critical applications, perhaps including access to email; countless challenges emerge, not just critical business activities but also informing clients and customers. And a fast-moving crisis situation needs to run over a conference bridge.

It’s time to face up to that elephant by gaming such a scenario and rehearsing our response to such an incident.