Despite prior warnings that infectious disease pandemics presented a high-impact threat, Covid-19 seemed to catch governments and companies off guard. For disaster recovery and business continuity expert Databarracks, a global cyberattack – such as on a major cloud provider – has the potential to impact organisations in a similar way. Better preparation for such an event is therefore vital.

Peter Groucutt, managing director at Databarracks, said: “In November, AWS experienced an outage affecting a number of companies using its services, including Adobe, Roku and Glassdoor. The disruption lasted several hours, bringing to light not only our reliance on cloud, but also the risks to businesses when these services are no longer available.

“For context, Infectious disease pandemics have been in the top ten of the World Economic Forum’s highest-impact risks since 2018. They have also appeared as one of the likeliest threats in the UK’s National Risk Register, and in regional Community Risk Registers. Despite this, prior to Covid-19, the majority of organisations didn’t have a plan for how to respond to a pandemic (66% according to our Data Health Check). The reason we have Risk Registers is to identify the most significant threats to your organisation – so you can plan and prepare for them. From a Business Continuity point of view, Covid-19 is a wake-up call to revisit those lists to see if anything else is being neglected.

“A global cyberattack – like one affecting a major cloud provider – could have a similar impact. This pandemic has shown the greatest continuity challenge is when everyone is impacted at once. These crises affect not only your own operations but your customers and entire supply chain all at the same time.” Groucutt continued: “We’ve not yet seen a successful cyberattack on a major cloud provider, but it is inevitable: the recent attack on SolarWinds is an example of how far-reaching an attack can be. The cloud computing market is an oligopoly owned by a few key players, namely AWS, Microsoft and Google. These services are very well defended, but they’re also a target, and if they do get hit, the knock-on effect for all the companies hosted on them will be severe and long-lasting. If the breach is severe enough, the impact could affect businesses around the world – like a WannaCry but without the killswitch. So how do we take the lessons from the pandemic and apply them to preparations for a major cyberattack?

“Firstly, diversify your supply chain. Make sure you’re not dependent on a single geographic area: a state-level attack could severely impact a single country, so having an alternate supply increases your resilience. At a minimum, be able to run your IT from multiple Availability Zones, Regions or consider going further and using a separate cloud provider as a backup.

“More significantly, think about whether you could cope without IT for an extended period. This is something businesses that have suffered ransomware attacks have learned. Could your organisation operate without IT for a month? What if the cyberattack in question affected a large number of businesses, or your customers and suppliers lost their IT too?

“Technology has made businesses much more efficient by automating manual tasks. However, this has also meant we’ve lost a lot of the manual processes we used to revert to. We need to put some of these back in place in response to this threat. Manual alternatives – such as helping customers place orders when your website is down – will always be less efficient and more expensive, but they can keep you operating.” Groucutt concluded: “Business continuity and risk professionals can take one positive from 2020: when they speak now, the organisation will listen. Let’s learn the lessons of the pandemic and make companies more resilient.”