A cornerstone of cyber resilience is preparedness: the ability to pivot at short notice, sometimes quite creatively, when a threat takes hold in your systems.
Resilience means service continuity, disaster recovery and the ability to shift quickly to alternative processes that protect your stakeholders from an incident, says Radhika Modha, Director, Security Governance, Risk and Compliance at Alvarez & Marsal. “Trust takes years to build, but can be lost in an instant. If something happens to your customers or other third parties as a result of an attack on your systems, will they remain loyal, or go elsewhere?”
Prolonged disruption
In Modha’s assessment, the dangers of not getting resilience right are existential. Accountants should be aware of the cashflow implications of cyber attacks and how they might impact business continuity.
“If your systems are down for any length of time, will you be able to keep operating? And then there are the wider economic effects. Other businesses in your ecosystem rely on you to stay functional – if you can’t move forward after an attack, you could end up unintentionally disrupting those operations too.”
We’ve recently seen the economic effects of a cyber attack become severe enough to warrant state intervention. In late September, the government announced that it would underwrite a £1.5bn loan guarantee to help Jaguar Land Rover recover from the devastating attack the previous month. It is now estimated to be the costliest cyber attack in history.
From a customer perspective, Modha points out that a cyber incident with lingering after-effects runs against consumers’ expectations. Even with M&S, where a lot of customer goodwill and trust had built up over the years, patience started to wear thin as incident recovery dragged on. “Prolonged disruption throws up critical questions. Can you keep your people in jobs? Are you able to retain the expertise you need to actually get through this? And will you continue to exist in the same way?”
Bespoke approach
A recovery plan is an essential contingency for any organisation. And when it comes to creating one, Modha recommends the following best practices.
1. Ensure it is aligned with the nature of your business. An off-the-shelf or template-based resilience or business continuity plan (BCP) will do your company few favours in the long run. “The requirements for a manufacturer will be very different to those of a service-oriented business, which revolves more around people,” Modha says. “So, having a clear grasp of what resilience actually means to your specific business is key.”
2. Understand the criticality of your assets. “Think holistically about all of the different tools and systems that make your business work, and the impacts you would experience if each were unavailable,” Modha says. “Asking why one element matters more than another will help you prioritise your safeguards.”
3. Make your risk management approach practical and actionable. “Again, this shouldn’t come from a generic framework,” Modha says. “It needs to be tailored to your business. As someone who works in compliance and risk, I often see that auditors will check whether you have a risk register and process in place – but they won’t necessarily assess whether it equips you to take tangible action in specific scenarios.”
Above all, you must make it as easy as possible for the employees tasked with implementing the recovery plan to put it into action. “I’ve seen lots of BCPs that are very detailed, which is great,” Modha says. “But alongside that, you need a one-pager setting out the crucial points. For example, what needs to happen in the first half-hour, hour and two hours after an attack? Who do you contact? What information will they need? And how do you manage communications to avoid spreading panic?”
Simulating hacks
To evaluate the strength of a resilience plan, Modha recommends testing staff preparedness through education and simulation. Tabletop exercises are a great introduction, she explains.
“Having seen a number of people go through tabletops, the reaction from inexperienced employees tends to be, ‘Wow, I never realised that implementing a recovery plan involves so much.’ What previously felt quite abstract becomes real. The exercise demystifies the process and puts it in a real-world context. You can assess what works, what doesn’t – and how ready your people are to put the measures into action.”
Modha stresses that tabletops should not be restricted to senior management teams, but tailored to the full range of organisational departments, to ensure their staff are clear about the roles they must play during an attack. The National Cyber Security Centre offers free ‘exercise in a box’ resources to help you get started.
Alongside tabletop exercises, Modha recommends two further ways to test and understand cyber readiness. While neither is focused solely on business continuity, both use ethical hacking techniques to uncover weaknesses and assess how well systems and teams respond to unexpected events.
1. Penetration testing, or ‘pentesting’. A controlled exercise in which security specialists attempt to exploit vulnerabilities in your systems, networks or applications. The aim is to uncover weaknesses before malicious actors have a chance to, providing a clear view of where defences need strengthening.
2. Red teaming. In contrast to pentesting’s specific scope, red teaming is a more comprehensive, goal-driven exercise that mimics the techniques of real attackers. While pentesting focuses on identifying technical flaws, red teaming tests how effectively an organisation can detect, respond to and recover from a realistic, targeted cyber incident.
Insights gathered from pentesting or red team exercises can then feed directly into staff training.
“When you train staff on cyber resilience, think about how to remind employees of the important points without inducing fatigue or fear,” Modha says. “Tailor training so it’s useful and brings home the reality that, even if your organisation hasn’t suffered a cyber incident for several years, it could still happen at any time.”
Action on cyber security can boost growth
As part of ICAEW's campaign on backing business-led growth, we have outlined three key recommendations for government on cyber security:
- Establish a national cyber resilience fund for SMEs
- Enhance cyber security education and awareness
- Incentivise cyber insurance uptake
Cyber security awareness
Each year ICAEW marks global Cyber Security Awareness Month with a series of resources and a podcast addressing the latest issues and how to protect your business.