Over 50% of 850 company directors surveyed by the Australian Institute of Company Directors in June 2022 said their organisation had no formal cybersecurity risk framework or risk management plan in place. Additionally, 68% of small businesses admit they have no specific cyber insurance in place, and 80% of SMEs know they should be doing more to train their staff in risk management and crisis planning.
Now, cybersecurity is not a new problem, nor is it simply an IT issue. Targeted corporate cyber attacks have been notable problems since the mid-2000s and earlier, and the effects can be felt across large companies and, increasingly, smaller, less-resourced businesses. So why do many Aussie directors and SME operators still fail to properly plan for crises or, at least, design business continuity processes?
I recently consulted several of my crisis management peers (and a recent Deloitte piece) to uncover the main reasons given when companies decline to rehearse and train their staff for crisis management threats and cybersecurity risks.
Here’s a brief recap of the most common reasons companies don’t get crisis ready.
1. Cost
Crisis management training is perceived to be expensive, especially when there’s no understanding of the full, undefended costs of crises on unprepared organisations. Many operators (especially smaller firms) are reluctant to allocate resources for what they mistakenly believe is an unnecessary expense, which they fear may not provide an immediate return on investment. This overlooks how just a little investment today (on a customisable risk management strategy, for example) can avert the worst consequences of crises tomorrow.
2. Overconfidence
3. Other priorities
4. Remote scheduling
5. Publicity fears
‘Ostrich’ directors view crisis rehearsals or simulations as a covert admission of unprofessionalism or weakness. Equally, few organisations are proud to talk up their crisis planning initiatives for fear it might cast them in a bad light if reported by the media. In truth, most stakeholders could feel reassured knowing that any company they dealt with was actively preparing for crises. But that’s not a narrative companies are yet happy to talk about, far less talk up.
Patently, the issues, risks and threats that catalyse crises are on the rise. Yet studies suggest that too many business owners are declining to take even rudimentary steps to better equip their companies to get crisis-ready.
Cyber-related attacks have recently infiltrated tech-savvy brands like Latitude, Medibank, Optus, Twitter and WhatsApp. Obviously, then, many lesser-prepared or more poorly resourced smaller companies need to do more crisis planning and risk management assessments, to be fundamentally equipped to mitigate the effects of crises on their operations. While the prospect of getting crisis-drilled can seem costly and scary, the reality is different.
Putting some basic provisions in place can be readily effected by taking a simple crisis audit, customising one of the many free, online template documents or speaking with an expert crisis adviser about issues and risk monitoring.
By taking crisis preparation seriously, any company can equip key employees with actions that enhance business continuity and reputation survival, even after the most acute storms of any crisis have passed over.
Gerry McCusker is the owner and principal adviser at The Drill Crisis Simulator.