2023 was a big year for cybercrime, with a host of large-scale ransomware attacks on global companies, government agencies, and famous institutions. In November 2023, a new ransomware gang targeted the British Library – whose Chief Executive, Roly Keating, was the subject of a major Financial Times profile in the wake of the cyberattack.
He says in the article, ‘This was a situation we had thought about, we had rehearsed. Every CEO, not just in our sector, thinks about this and in some senses dreads that call’, and concludes, ‘Big as this attack has been, it will take its place as part of a long history of this place and hopefully will result in strengthening this major British institution.’
His last comment about ‘strengthening’ the British Library may be unexpected in reference to a cyberattack, but it reflects our own thinking about navigating the digital world.
What matters is not cybersecurity alone but cyber resilience. That was the dominant theme to emerge from our research project, conducted in partnership with the global cybersecurity firm ISTARI and published in The CEO Report on Cyber Resilience.
Keating has been unusual in speaking so openly about his experience of a major cyberattack. Most CEOs in his position do not, either because of the emotional impact of such a crisis or because they fear that doing so will cause reputational damage, personally or to their organisations. But the 37 CEOs who spoke to us (anonymously), especially those who had endured a cyberattack, were insistent that learning needed to be shared. As one said:
Whenever I speak to a group of CEOs to share my learnings from the cyberattack, I start by saying “put down your phones for 15 minutes, you’ll want to listen carefully to what I have to tell you”.
Our research includes some dramatic behind-the-scenes stories of what it is like to lead an organisation in this highly charged environment, including raw and unfiltered accounts of what it felt like in the minutes, hours, and days after cybercriminals struck. But we also examine the ‘before’ and ‘after’, revealing the mindset changes and new actions that CEOs can take to anticipate, respond, and adapt to the crisis and emerge stronger than ever.
Five key lessons for CEOs
Remember that your focus is organisational resilience
We know from our original CEO Report in 2015 that cybersecurity is high on the list of CEOs’ top concerns, and fear of a cyberattack is something that keeps them awake at night.
It is understandable, therefore, that organisations respond to this fear by concentrating exclusively on the technologies and processes designed to prevent cyberattacks. However, the remit of CEOs is wider: they are responsible for organisational resilience, of which cyber resilience is one part.
In fact, when we started interviewing CEOs on cybersecurity as part of our research, some tended to direct us to talk to their CISO (Chief Information Security Officer). When we shifted the conversation to resilience, however, they were much more comfortable speaking to us.
Cyber resilience includes prevention, but it also means preparing the organisation so that when, not if, an attack happens, you are able to respond and lead the business out of the crisis, ideally to a position stronger than before.
Embrace the preparedness paradox
The risk of a cyberattack is always high, and no one can be perfectly prepared. In fact, our research suggests that the more prepared CEOs think their organisation is for a serious cyberattack, the less prepared it could be in reality.
CEOs therefore need to develop nuanced conversations around both risk and preparedness. For example, the typical risk heat map that categorises risks as red, amber, or green can be a useful way of gaining an overview of the organisation’s full risk landscape. However, it lacks the resolution to show progress in mitigating a risk. If cyber risk were amber in February, say, you might embark on a risk-mitigation project and make good progress. But cyber risk would nevertheless remain high, so the heat map would still show amber. There is no way for it to express ‘less amber’, yet that does not mean the money spent on mitigation was wasted.
Risk heat maps are helpful, but they should not be read as evidence of preparedness. Instead of feeling prepared for a serious cyberattack, CEOs should assume a constant state of under-preparedness.
Lead beyond organisational boundaries
This is the big leadership challenge for CEOs. Skilful deployment of cybersecurity tools means stronger defences against direct attacks; but cybercriminals (or hostile nation states) do not simply give up when they come up against a well-protected company. They look for a weak link or a soft entrance, and this could well be in your supply chain.
The MOVEit attack of 2023 is a case in point. Attackers exploited a vulnerability in the MOVEit Transfer file-transfer software and stole data from hundreds of organisations that used it. Many victims were affected at one remove: the BBC, British Airways, Boots and Aer Lingus, for example, were exposed through a third-party payroll provider that ran the software.
In a Saïd Business School event discussing our research, Robert Hannigan, Former Director of Britain’s GCHQ, and Chairman, BlueVoyant International, described this challenge in more detail.
‘It's really tough to get visibility of your supply chain. The average small company in this country and European countries has a thousand plus vendors; some I've dealt with have ten thousand plus; so the scale is a problem, understanding the dependencies … when you try to tier your suppliers, try to decide which are the critical ones for you, typically you do it by spend. You say, here are the 10 biggest spending suppliers, but they're not necessarily where the cyber risk comes in. Who would have heard of the small software company in Ukraine that was the cause of the NotPetya incident that took down Maersk? Nobody had ever heard of this company.’
He went on to stress the dynamic nature of the cyber threat: networks change all the time, and attackers are looking for vulnerabilities 24 hours a day. It is frustrating for CEOs to spend money protecting the organisation’s own networks and then discover that the real problem lies where external companies are embedded in those networks, or are processing the organisation’s data outside them. But that is, unfortunately, the case.
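To make the tiering point concrete, here is a small, added illustration (not code from the report, ISTARI, or the event speakers) of why ranking suppliers by spend and ranking them by cyber exposure produce different lists. The vendor inventory is constructed, and the weights for network access, data handled, software running inside the estate, and process dependencies are hypothetical; any real scoring would use the organisation’s own criteria.

```python
"""Supplier tiering: ranking by spend versus ranking by cyber exposure.

Constructed example with hypothetical weights. The inventory below is
invented for illustration and does not describe any real supplier.
"""
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Vendor:
    name: str
    annual_spend: float        # what spend-based tiering looks at
    network_access: str        # "none" | "vpn" | "privileged"  (assumed categories)
    data_handled: str          # "none" | "internal" | "personal" | "regulated"
    software_in_estate: bool   # vendor code, agents or updates run inside our network
    dependent_processes: int   # business processes that stop if this vendor is compromised


# Hypothetical weights: the ordering they produce matters, not the numbers.
ACCESS_WEIGHT = {"none": 0, "vpn": 2, "privileged": 4}
DATA_WEIGHT = {"none": 0, "internal": 1, "personal": 3, "regulated": 4}
SOFTWARE_IN_ESTATE_WEIGHT = 3
MAX_DEPENDENCY_WEIGHT = 3


def exposure_score(v: Vendor) -> int:
    """Score a vendor by where it touches us, not by what we pay it."""
    score = ACCESS_WEIGHT[v.network_access] + DATA_WEIGHT[v.data_handled]
    if v.software_in_estate:
        score += SOFTWARE_IN_ESTATE_WEIGHT
    # Cap the dependency term so one long-tail number cannot dominate.
    score += min(v.dependent_processes, MAX_DEPENDENCY_WEIGHT)
    return score


def tier_by_spend(vendors: List[Vendor], n: int) -> List[str]:
    """The conventional top-n: biggest invoices first (ties broken by name)."""
    ranked = sorted(vendors, key=lambda v: (-v.annual_spend, v.name))
    return [v.name for v in ranked[:n]]


def tier_by_exposure(vendors: List[Vendor], n: int) -> List[str]:
    """Top-n by exposure score (ties broken by name)."""
    ranked = sorted(vendors, key=lambda v: (-exposure_score(v), v.name))
    return [v.name for v in ranked[:n]]


def missed_by_spend(vendors: List[Vendor], n: int) -> Set[str]:
    """Vendors in the exposure top-n that a spend-based top-n would never review."""
    return set(tier_by_exposure(vendors, n)) - set(tier_by_spend(vendors, n))


# Constructed inventory: a mix of big-ticket suppliers with no network footprint
# and cheap suppliers with deep access.
VENDORS = [
    Vendor("CloudHostCo",       2_400_000, "privileged", "regulated", False, 5),
    Vendor("OfficeFurnishCo",     900_000, "none",       "none",      False, 0),
    Vendor("FleetLeaseCo",        750_000, "none",       "internal",  False, 1),
    Vendor("MarketingAgency",     600_000, "none",       "personal",  False, 1),
    Vendor("PayrollBureau",       120_000, "vpn",        "personal",  False, 2),
    Vendor("TrainingProvider",     40_000, "none",       "internal",  False, 0),
    Vendor("RemoteSupportTool",    15_000, "privileged", "regulated", True,  2),
    Vendor("LedgerPlugin",          8_000, "privileged", "internal",  True,  3),
]


if __name__ == "__main__":
    print("Top 4 by spend:    ", tier_by_spend(VENDORS, 4))
    print("Top 4 by exposure: ", tier_by_exposure(VENDORS, 4))
    print("Missed by spend:   ", sorted(missed_by_spend(VENDORS, 4)))
```

Run as written, the spend-based top four is the cloud host, the furniture supplier, the vehicle lessor and the marketing agency; the exposure-based top four is the remote-support tool, the cloud host, the accounting plugin and the payroll bureau. Three of the four suppliers that could actually carry an attacker into the network, or leak its data, would never appear on a spend-only review.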
Remain adaptable and forward-looking
The dynamic nature of the cyber threat makes it impossible to be fully prepared for an attack, however many drills you run. Adaptability is vital, and that means being forward-looking and alert to the weak signals and emerging trends that might indicate where you could be vulnerable in future. As Eleanor Murray, Senior Fellow in Management Practice, said during our event: ‘In agile methodology you're always encouraged to do retrospectives; but I argue that in resilience terms it's important to do prospectives and find ways to build into the way the business functions a way of looking forward and anticipating those early weak signals’.
A newer theme is the use of generative AI by attackers. Many are using it to work faster and at greater scale: to identify attractive targets, to find vulnerabilities in public-facing infrastructure, and to craft more convincing lures for the employees through whom they hope to breach the company. The Financial Times has reported that some nation states are using generative AI for more sophisticated scams.
Be confident that you can come back stronger
Resilience is about adapting and responding, but, as Roly Keating implied in the quote at the beginning of this piece, cyber resilience activities can also provide opportunities for strengthening the organisation, both before and after an attack. Preparing for one can surface existing operational inefficiencies or problems with individuals and teams. Strengthening connections within your ecosystem can likewise open up new opportunities for collaboration and innovation.
The final word of advice comes from one of our anonymous CEOs:
Share your experience with companies to warn and help them build resilience. And if someone is hit, reach out immediately and offer your experience and IT people. When we were hit, lots of other companies and even our competitors reached out to offer help and send resources. Cybersecurity is certainly one of those areas that is not a competitive space. Today it’s them, tomorrow it could be us and we feel the best way on a topic like this is to realise that we are strongest and most resilient together.