The Dangerous Illusion of Cyber Readiness

This article is based on an episode from the Cyber & AI Perspectives podcast.


Today I’ll speak about disruptive incidents, and the fact that many companies think they are ready for them — but most are not.

Most companies believe they are prepared for a major cyber incident, but without the right resources, realistic recovery strategies, and regular exercises, that confidence may be little more than an illusion.

We’re living in a world where ransomware attacks are becoming a normal thing, but also where outages or data loss can be caused by a software error, a malicious insider, or a loss of power. Not to mention the risks of using AI agents that will act autonomously on company servers and networks.

Most companies these days are not talking about if an incident is going to hit them, but when. And yes — most companies are preparing to react to those incidents. They write incident response plans, business continuity plans, disaster recovery plans, and so on.

Why plans alone are not enough

Now comes the catch: Are those plans enough to restart your operations after you’ve been hit with a large incident? And just to clarify — I’m not talking about smaller incidents, like when one of your computers gets infected, or when your server is down for a couple of minutes. I’m talking about disruptive incidents, where the disruption can last for days, or where a large chunk of your data is missing.

I would argue that in these cases, plans alone are not enough. Let’s see why.

First of all, plans alone cannot replace missing resources. For example, if you do not have redundant IT or communications systems, you won’t be able to recover in a reasonable amount of time. Also, if you didn’t create backups and secure them properly, it will be extremely hard to recreate this data quickly. But this is also true for people — if you don’t have ready replacements for key people in the company, you won’t have the knowledge needed to get everything running again.

And if a company does not have a clear idea of how quickly its processes need to recover, or how much data it can afford to lose, it will be very hard to prepare the right resources. For example, a very different backup system is needed for real-time backup than for backup that is performed every 24 hours.

Second, plans usually contain a series of steps where one person is waiting for another to complete a certain task. Some of these tasks are manual, and some depend on various technologies. Now imagine you have dozens, or even hundreds of people, and dozens or hundreds of systems, where everyone or everything is dependent on someone or something else. What could go wrong?

And third, perhaps the most important point — even the most carefully written plans are not going to survive the chaotic reality of a disruptive incident. In stressful situations, people react irrationally. For example, have you ever been in a car accident? Or perhaps in a fight? If so, then you know that people can do very strange things in such situations.

So ultimately, even if you do have plans, you may not have the resources to execute them, or those plans may simply not be realistic, or your people may not be in the right state of mind to act upon them.

How to build true cyber resilience

What does this mean? It means that many companies are living under the illusion that they are safe, whereas in reality, this type of disruptive incident could cause major business damage — in some cases, even bankruptcy.

So, how can companies become resilient enough to recover from disruptive incidents?

Among other things, they need to define business continuity strategies, including recovery time objectives (RTO) and recovery point objectives (RPO), which will determine what resources are needed and when. They also need to understand the dependencies between people, processes, systems, and suppliers, and align their recovery plans accordingly. And finally, they need to exercise those plans regularly through realistic scenarios involving everyone who would play a role during an incident — including senior management and key suppliers.
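To make the RTO/RPO and dependency points concrete, here is a small added example (not from the article or the podcast) that models a constructed, hypothetical system inventory, walks the dependency chain to find the earliest time each system can realistically be back, and flags every system whose agreed RTO cannot be met or whose backup interval is looser than its RPO:

```python
from dataclasses import dataclass
from functools import lru_cache

@dataclass
class System:
    name: str
    restore_hours: float          # hands-on time to rebuild/restore this system
    rto_hours: float              # recovery time objective agreed with the business
    rpo_hours: float              # recovery point objective (max tolerable data loss)
    backup_interval_hours: float  # how often the current backup job runs
    depends_on: tuple = ()        # systems that must be back before this one can start

# Constructed sample inventory (hypothetical values, not from the article).
# Dependencies are assumed to be acyclic.
INVENTORY = {
    "network":  System("network",  4,  4, 0,    0),
    "identity": System("identity", 6,  8, 1,    1,  ("network",)),
    "erp_db":   System("erp_db",  12, 24, 1,   24,  ("network", "identity")),
    "erp_app":  System("erp_app",  3, 24, 1,   24,  ("erp_db", "identity")),
    "webshop":  System("webshop",  2,  8, 0.25, 24,  ("erp_app",)),
}

def earliest_recovery(inv, name):
    """Earliest hour at which `name` is back, assuming enough parallel teams:
    its own restore time, started only after its slowest prerequisite finishes."""
    @lru_cache(None)
    def finish(n):
        s = inv[n]
        start = max((finish(d) for d in s.depends_on), default=0.0)
        return start + s.restore_hours
    return finish(name)

def find_gaps(inv):
    """Return (system, objective, actual, target) for every objective the
    current resources cannot meet: RTO missed because of the dependency
    chain, or RPO looser than the backup interval allows."""
    gaps = []
    for n, s in inv.items():
        t = earliest_recovery(inv, n)
        if t > s.rto_hours:
            gaps.append((n, "RTO", t, s.rto_hours))
        if s.backup_interval_hours > s.rpo_hours:
            gaps.append((n, "RPO", s.backup_interval_hours, s.rpo_hours))
    return gaps

if __name__ == "__main__":
    for gap in find_gaps(INVENTORY):
        print("%-9s %s: actual %.2f h, target %.2f h" % gap)
```

In the sample data the webshop has an 8-hour RTO on paper, but because it sits at the end of a chain through identity, the ERP database and the ERP application, it cannot be back before hour 27, which is exactly the kind of gap a plan without a dependency analysis hides.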

The know-how for all of these things already exists in business continuity frameworks like ISO 22301 and others, so I’m not going to go into details about that here — there are lots of resources out there that can help you. And by the way, the concepts of business continuity and resilience have been converging in the last couple of years, so you will see these terms being used interchangeably.

The real goal: Resilience

What I wanted to point out are two things. First, the most dangerous thought is: “We are ready.” It creates a false sense of readiness and stops companies from preparing more thoroughly. And second, as mentioned earlier, you cannot avoid incidents, but you can prepare for them. This means that resilience needs to become an integral part of cybersecurity, not something that is left as an afterthought.

These two podcast episodes fit nicely with this topic: Responding to Ransomware Attack [Case Study] | Interview with Yannick Hirt and Cyber Ranges, Attack Simulations & AI: Proving Cyber Readiness | Interview with Lee Rossey.

Dejan Kosutic

CEO & Lead Expert for ISO 27001, NIS 2, and DORA. Leading expert on cybersecurity and information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this. As an ISO 27001, NIS 2, and DORA expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.