Cyber threats are indeed very much alive, with crypto ransomware as the number one menace accounting for more than half of cyberattacks in healthcare environments according to ENISA. Only last year, almost three quarters of business worldwide have been affected by a ransomware attack.
While awareness is growing, many still think, "it won’t happen to us." Whether you need to comply with NIS2 or not, the question of how to survive a cyberattack remains critical. Sound protection helps you stay ahead of adversaries. There are three major management topics that leadership teams can prepare in advance.
1. Crisis Communications Management
A perfect defense doesn’t exist, so organizations must prepare for when - not if - an attack happens. This starts with setting up a crisis management team, often composed of senior executives. Their role during a cyber crisis is to steer the company and avoid chaos.
NIS2 mandates that organizations develop clear communication and reporting protocols for incidents. This ensures rapid responses and transparency in the event of a cyber crisis. One of the top priorities of the crisis management team is to define clear communication strategies: who speaks to the insurers, authorities, and the media?
2. Business Continuity Management
How will you keep your business running when a cyber crisis occurs? Even though almost half of organizations pay the ransom, the direct cost of a cyberattack is often minimal. The financial loss due to halted operations, however, can be significant, as recovery from a cyber crisis can take months, sometimes up to a year. There is not that much to lose, but there is a lot of revenue to miss out on.
Keeping the business running is of immense importance, and planning for it in advance is crucial. Organizations need to know when and how to activate their ‘Plan B’. This involves prioritizing critical operations. In healthcare environments, for instance, it is not uncommon to suspend medical consultations during a hospital cyberattack so that the hospital can focus on emergency care and current patients.
3. Disaster Recovery Planning
Another crucial aspect is how to restart operations after an attack. Disaster recovery plans ensure that organizations can maintain critical operations and quickly recover after a cyberattack or disruption. Regular testing through simulations and exercises is essential to evaluate the effectiveness of these plans. The NIST framework is valuable here, as it emphasizes contingency planning.
NIS2 makes all these preparations mandatory, demanding that affected organizations create and test communication plans with role-play exercises and cyberattack simulations. This includes assessing the security and recovery capabilities of suppliers, especially those that provide critical services, so that a cyber incident affecting a supplier doesn’t lead to prolonged disruptions. In a notable example, three hospitals in London recently lost access to vital medical lab results because of a cyberattack on a supplier. This underlines the importance of considering every link in the supply chain.
NIS2 in the Long Run
While implementing NIS2’s 220 measures may seem overwhelming, it brings clarity. The directive outlines five levels of maturity, and organizations in the essential category will need to be CyFun or ISO 27001 certified by 18 April 2027.
Although there’s a lot of work ahead, investing in crisis management and cyber readiness is mandatory. After all, the chances of a cyber crisis occurring are real, and top leadership must be prepared.