By Karla Gahan, Associate and Head of Resilience Services at Barnett Waddingham
Here are three key lessons organisations can learn from recent events to ensure they are better prepared to respond effectively and protect their people, operations and reputation.
1. Prioritise communication – internally and externally
No matter how robust your risk controls are, communication is often the area most open to criticism during a crisis. It’s also one of the quickest ways to damage – or preserve – your reputation.
"Even if your risks are regularly reviewed and managed within appetite, the reality of an incident, particularly a cyber attack, is never what you imagine it will be. Both from a tangible physical level (what you have access to, the processes you can perform) and behaviourally (the stress of incident response)."
In the event of a cyber attack, being clear, consistent and timely in your messaging is critical. Think about:
Who you need to communicate with – including employees, customers, suppliers and regulators.
What you want to say – keeping messages simple, factual and empathetic.
How you will communicate – especially if traditional systems like email or internal messaging are unavailable, or cannot be trusted because an attacker may still be reading them. Agree out-of-band channels (for example, a separate messaging service or personal phone numbers held offline) before an incident, not during one.
Consider proactive planning for crisis communications, including scenario rehearsals and media training for key spokespeople. This not only improves response capability but also builds trust with stakeholders during turbulent times.
2. Test your plans – don’t just trust the paper version
A beautifully written incident response plan is worthless if it can’t be executed under real-world conditions – for example, if the only copy sits on a file share that has just been encrypted, or if the people named in it cannot be reached. Organisations must go beyond the document and stress-test their processes under realistic scenarios.
Ask yourself:
How will your teams coordinate if internal systems are down?
Are emergency contact systems up to date and regularly tested?
Have response teams practised under pressure, without perfect information?
Testing is also about people. Crisis response is exhausting – physically and mentally. It can mean sleepless nights, difficult decisions, and scrutiny from all directions. Make sure support is in place for those on the front line, and ensure that those expected to perform unfamiliar tasks, such as manual pricing or cash handling, are given opportunities to rehearse and build confidence.
Importantly, don’t limit simulations to senior leadership. The entire organisation benefits from a wider understanding of how a response might unfold.
3. Keep plans dynamic and reflective of real experience
Crisis management and business continuity plans must evolve. Real-life events – whether within your own organisation or others – provide valuable lessons.
Use them to ask:
Are our current plans fit for purpose?
Have we accounted for the roles of all stakeholders, including suppliers?
Are there gaps between our strategic intent and operational reality?
Review your plans regularly, update them based on actual incidents, and tailor them to reflect the unique needs and structure of your organisation. This isn’t a tick-box exercise – it’s about building genuine resilience.
Final thoughts
The recent cyber incidents are a timely reminder of the importance of preparation, communication and agility in the face of disruption. Whether you're a high-street retailer or a financial services firm, the principles are the same.
Prepare thoroughly, test realistically, and be ready to adapt – cyber threats may be inevitable, but chaos doesn’t have to be.