The top five reasons companies aren’t ready for a cyber crisis when it hits

Over 50% of 850 company directors surveyed by the Australian Institute of Company Directors in June 2022 said their organisation had no formal cybersecurity risk framework or risk management plan in place. Additionally, 68% of small businesses admit they have no specific cyber insurance in place, and 80% of SMEs know they should be doing more to train their staff in risk management and crisis planning.

Now, cybersecurity is not a new problem and neither is it simply an IT issue. Targeted corporate cyber attacks have been notable problems since the mid-2000s and earlier, and the effects can be felt across large companies and, increasingly, smaller, less-resourced businesses. So why do many Aussie directors and SME operators still fail to properly plan for crises or, at least, design business continuity processes?

I recently consulted several of my crisis management peers (and a recent Deloitte piece) to uncover the main reasons given when companies decline to rehearse and train their staff for crisis management threats and cybersecurity risks.

Here’s a brief recap of the most common reasons companies don’t get crisis ready.

 

1. Cost

Crisis management training is perceived to be expensive, especially when there’s no understanding of the full, undefended costs of crises on unprepared organisations. Many operators (especially smaller firms) are reluctant to allocate resources for what they mistakenly believe is an unnecessary expense, which they fear may not provide an immediate return on investment. This overlooks how just a little investment today (on a customisable risk management strategy, for example) can avert the worst consequences of crises tomorrow.

2. Overconfidence

Some directors and executives simply hope that crises will not happen to their business. Others feel they have good people who could probably manage to handle any negative impacts. However, such cockiness often leads to complacency, the elevation of gambling as a risk-evaluation tool, and a miscalculation of how enduring damage from a crisis can prevent your company from getting back to business as usual.

With many businesses still trying to make up for Covid and other downturn losses, financial and operating performance seems to have become a big focus for business training. Despite knowing risks and cyber threats are rising, productivity-specific or staff-welfare training seems to currently be taking precedence over the development of risk management processes and business continuity plans.

With ‘Working From Home’ becoming an accepted work mode across many industries, organisations seem to struggle to schedule training sessions for their employees, particularly if the workforce is remote or widely dispersed. However, the flexibility afforded to WFH staff actually presents new complications for staff who may need to respond to crises remotely. These new challenges have to be prepared for, practiced, and not ignored.

5. Publicity fears

‘Ostrich’ directors view crisis rehearsals or simulations as a covert admission of unprofessionalism or weakness. Equally, few organisations are proud to talk up their crisis planning initiatives for fears it might cast them in a bad light if reported by the media. In truth, most stakeholders could feel reassured knowing that any company they dealt with was actively preparing for crises. Yet that’s not a narrative companies are yet happy to talk about, far less talk up.

Patently, the issues, risks and threats that catalyse crises are on the rise. Yet studies suggest that too many business owners are declining to take even rudimentary steps to better equip their companies to get crisis-ready.

Cyber-related attacks have recently infiltrated tech-savvy brands like Latitude, Medibank, Optus, Twitter and WhatsApp. Obviously, then, many lesser-prepared or more poorly resourced smaller companies need to do more crisis planning and risk management assessments, to be fundamentally equipped to mitigate the effects of crises on their operations. While the prospect of getting crisis-drilled can seem costly and scary, the reality is different.

Putting some basic provisions in place can be readily effected by taking a simple crisis audit, customising one of the many free, online template documents or speaking with an expert crisis adviser about issues and risk monitoring.

By taking crisis preparation seriously, any company can equip key employees with actions that enhance business continuity and reputation survival, even after the most acute storms of any crisis have passed over.

Gerry McCusker is the owner and principal adviser at The Drill Crisis Simulator.