Business continuity rarely makes the business press. Business-as-usual sounds uninspiring when everyone wants to plan for growth, or at least to do new things and work in better ways. And the last year has shown that many businesses can be incredibly resilient – functioning at a high level without offices. But the move online and to working from home brings new challenges. Unfortunately the aim of simply continuing to operate seldom attracts attention. ‘Ownership’ of business continuity in an organisation does not a look like a career opportunity.
Dealing with the new risk from digital is not just a matter of changing practice and spending lots on security. Cyber risks need a national response to build defence capability across an economy including all its public services, and smaller businesses. Setting the right strategy now could not only safeguard employment and essential services, but build a framework for long-term digital inclusion throughout Scotland.
For the very largest firms and the financial sector, there are strong competitive and regulatory pressures for best practice in cybersecurity. There is global momentum behind the drive to make financial firms resilient. But that leaves the majority of the economy – including small and medium sized firms and the public sector – more exposed to business interruption and cyber crime.
The recent cyber attacks on major US firms may seem remote, but this year has brought a wake-up call closer to home. In May, Ireland’s health service buckled under a focused assault on its systems. The vulnerabilities were already known, but progress on security improvement had been delayed by higher priorities during the pandemic. The results of the attack have been serious, in both financial and human terms, but how many organisations can say they are safe? And, are senior managements and company boards in Scotland well prepared to handle the aftermath of business interruption? The challenge brought by maintaining continuing organisational operation via technology needs new skills and training.
The UK’s financial regulator has highlighted that implementing full operational resilience and recovering well is a big step above most existing management processes, often labelled as disaster recovery. The term business continuity applied to cyber attacks does not perhaps fully highlight the existential threat – some may never recover. The consequences of this go beyond individual firms. Jobs and services that are vital to the economy could suddenly stop, with business-as-usual taking weeks or months to re-establish. The challenge is for national preparedness.
This is the approach taken by Estonia. With a much smaller population than Scotland, it has shown leadership with an innovative approach to cybersecurity. This begins with education and building in a digital mindset from an early age, embedding throughout the future working population a keen sense of the risks and opportunities of technology. It is effectively a life-long education in information technology that demystifies and ensures that a digital future comes with broad confidence and access. Estonia aims to be a sustainable digital society. The policy is not just about digital inclusion, but recognising that cyber crime is an attack on society as much as individual firms.
Estonia’s full commitment to harness the potential of technology whilst addressing the twin challenges of inclusion and cyber risk is likely to be a model for others. All nations in future will need strong technological resilience. Early commitment to this may even offer competitive advantage in a world that has accelerated its move online over the past year. Scotland has some winning businesses in the digital space, but much would be gained from spreading this knowledge widely across the economy and society.
For firms and key public services, practice will change. Resilience must be implemented by design, rather than added as an afterthought. It would be a mistake to think this is just a job for information technology experts; the risks and need for change pervade every part of daily life. The range of devices connected to the internet is rapidly expanding; each a point of potential weakness. Every device, remote working employee, online customer interaction and data exchange with partner organisations is a possible threat. Key government organisations and parts of the public sector can be protected, but the challenge will be in semi-governmental organisations like hospitals and schools.
Many organisations may not fully recognise the complexity of the task. It sounds reassuring to have data back-ups or disaster recovery sites, but it is only in the midst of an attack that the nature of the threat is clear. Is a back-up really clean? The concept of a golden back-up, untainted by an attack, is a problem itself. Attacks begin undetected weeks or even over a year ahead of discovery. The first task is often identifying first entry amidst the daily noise and finding out what, if anything, can be trusted. Then the response moves on to communication with regulators, customers and data-sharing partners. Even finding the right language to describe severity and impact can be problematic. Many disaster recovery plans fall short in the face of the type of cyber attacks being seen today, particularly where organisations have changed their mode of operation since the start of the pandemic.
At a national level, the short-term need is to train more information technology experts. Scottish universities such as Abertay are helping to meet the steadily rising demand for quality cybersecurity specialists. But there may still not be enough to go round. In the bidding war for talent, the financial sector often wins, making it harder for medium-sized and smaller enterprises and much of the public sector to attract and retain the experience they need. The challenge is a strategic one at the national level; an opportunity for political input and co-ordinated procurement.
This year’s pledge on laptops and tablets for Scotland’s schools, combined with more support for teacher training and internet infrastructure, is a good starting point. But it must be joined up to a strategic approach to digital inclusion and resilience across the economy. Official encouragement to businesses and other organisations to step up their digital defences could be a key underpinning for inclusive economic growth. Even though the threat is currently hidden, there is an opportunity for leadership; a call to action on the next steps for the digital economy. We should not wait till it hits the headlines. Scotland has an opportunity to follow Estonia’s lead and prepare fully for a digital future across the economy and society.
Colin McLean is managing director of SVM Asset Management