Why cyber resilience should be a priority for every business - and how to get there

Waves crash on the lighthouse of "La Isla del Mouro" in the port town of Santander, Spain, 17 January 2018. Is your business built to withstand the storms ahead? Image: REUTERS / Eloy Alonso

Nalneesh Gaur
Principal, Pharmaceutical and Life Sciences Cybersecurity, Privacy & Forensics Leader, PwC US
Chris Morris
Principal, PwC Cybersecurity and Privacy, PwC

  • Cyberattacks today are potentially as destructive as major natural disasters.
  • Too often, businesses find themselves reacting to - rather than preparing for - attacks.
  • Here are five steps firms can take towards building stronger cyber resilience.

Hurricane Katrina, which reached Category 5 strength before striking Florida and Louisiana in 2005, was the costliest natural disaster in US history. According to the National Hurricane Center, the storm wrought a staggering $125 billion in damage.

Compare that figure with the potential losses from a single large-scale, global cyberattack, which some estimates put at around $120 billion.

The 2017 "NotPetya" ransomware attack, for example, has cost businesses a total of $10 billion and counting, according to White House estimates. The bill is still rising more than two years after the incident, as insurance claims are litigated.


As with natural disasters, the damage and scope of cyberattacks are increasing. "Threat actors" are craftier and more insidious than ever, striking without warning and, unlike many natural disasters, leaving their victims little or no time to prepare for the attack or to limit its impact.

The scale and severity of cyber disasters in recent years has captured the attention of business leaders around the world. Cyberattacks are among the top 10 risks, in terms of likelihood and severity of impact, in the World Economic Forum's latest Global Risks Report. In the US, 53% of CEOs are extremely concerned about the impact of cyberthreats on their growth prospects, according to PwC’s Global CEO Survey.

Many organizations have increased investment in their prevention, detection and response capabilities. Yet they too often find themselves in recovery mode after an attack and, if ransomware is the culprit, wishing they had planned ahead and put better recovery options in place.

Why cyber disasters matter

Natural disasters occur within a discrete area. Cyber disasters, on the other hand, can wreak havoc globally: malware might spread from a single device across an entire network and on to thousands of business systems.

As a current example, cybercriminals are exploiting the spread of the coronavirus, luring victims with malicious attachments that purport to contain a health update or a cure.

Threat actors may target core systems with ransomware, encrypting the data so it cannot be accessed. Victims must then restore their systems from backups or pay the ransom, and paying does not guarantee that the data can be recovered. If the backups are reachable from the compromised systems, the attackers may encrypt or delete them too, leaving the victim with no usable copy and little recourse but to pay.

Ransomware is simple and cheap to deploy, but far harder and costlier to remedy. Preventing, detecting and recovering from a ransomware attack can run to millions of dollars. Costs may include:

  • Lost customers
  • Business disruption
  • Regulatory fines
  • Legal costs
  • Public relations
  • Breached client records
  • Direct financial loss
  • Breach notification
  • Credit card reissues, identity repair and credit monitoring
  • Remediation



The path to resiliency

How much downtime can your business withstand? If a cyberattack disrupts your operations, you need to be back online within your "maximum tolerable downtime", according to new Federal Financial Institutions Examination Council (FFIEC) guidelines. Meeting that target means designing for digital resilience from the start and developing a well-tested, repeatable response and recovery strategy.

There are five components to building cyber resilience in your organization:

1. Know your assets.

A retail customer expects seamless service at every interaction with a company: shopping, ordering, billing, fulfilment and customer service. The same holds true in technology, healthcare and professional services.

To meet these expectations, business systems are highly interconnected. The downside is that a single outage can cascade across many systems. Knowing what is connected to what, and which functions are critical, is essential. Leading businesses use automated processes to maintain a current inventory of every system that feeds their own, so they know which systems or assets to isolate when a disruption occurs. More than half of the "high resilience quotient (RQ)" respondents to PwC's Digital Trust Insights survey, those that scored high on resilience, said they have automated their inventory and mapping processes.
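To show what "knowing what's connected to what" actually buys you, here is a small dependency map in Python. It is an example added for this article, not PwC's inventory tooling or anything the survey respondents described: the systems, the "depends on" links and the list of critical services are constructed, and a real inventory would be fed from a CMDB or network-discovery tool rather than a hard-coded list. Given one system taken offline or infected, it answers the two questions a responder needs: which critical services lose a dependency (the blast radius), and which links to cut to contain it.

```python
"""Dependency map for critical business services (illustrative example, constructed data)."""
from collections import defaultdict, deque

# Constructed sample inventory: each pair reads "downstream depends on upstream".
DEPENDENCIES = [
    ("identity-provider", "web-store"),
    ("identity-provider", "customer-portal"),
    ("order-db", "order-api"),
    ("order-api", "web-store"),
    ("order-api", "fulfilment"),
    ("payment-gateway", "web-store"),
    ("payment-gateway", "billing"),
    ("erp", "billing"),
    ("erp", "fulfilment"),
    ("file-share", "hr-intranet"),
]

# Hypothetical set of services the business has declared critical.
CRITICAL = {"web-store", "billing", "fulfilment"}


def build_graph(edges):
    """Index the edge list both ways so we can walk upstream and downstream."""
    downstream = defaultdict(set)   # system -> systems that depend on it
    upstream = defaultdict(set)     # system -> systems it depends on
    nodes = set()
    for up, down in edges:
        downstream[up].add(down)
        upstream[down].add(up)
        nodes.update((up, down))
    return nodes, downstream, upstream


def reach(start, adjacency):
    """Every node reachable from start by following adjacency (breadth-first), excluding start."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adjacency[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def blast_radius(asset, edges):
    """Systems that lose a dependency, directly or transitively, if `asset` goes down."""
    _, downstream, _ = build_graph(edges)
    return reach(asset, downstream)


def critical_impact(asset, edges, critical=CRITICAL):
    """The subset of the blast radius that the business has declared critical."""
    return blast_radius(asset, edges) & critical


def isolation_plan(asset, edges):
    """Direct links to sever to contain `asset`: what feeds it and what it feeds."""
    _, downstream, upstream = build_graph(edges)
    return {"cut_inbound_from": set(upstream[asset]),
            "cut_outbound_to": set(downstream[asset])}


def rank_by_impact(edges, critical=CRITICAL):
    """Order systems by how many critical services they can take down, then by total blast radius."""
    nodes, _, _ = build_graph(edges)
    return sorted(nodes, key=lambda n: (-len(critical_impact(n, edges, critical)),
                                        -len(blast_radius(n, edges)), n))


if __name__ == "__main__":
    for system in rank_by_impact(DEPENDENCIES):
        hit = critical_impact(system, DEPENDENCIES)
        if hit:
            print(f"{system}: critical services affected {sorted(hit)}; "
                  f"isolate by cutting {isolation_plan(system, DEPENDENCIES)}")
```

Ranking the inventory this way tells you where a single infected host matters most: in the sample, losing the order database or the ERP system takes out two of the three critical services, while the file share affects none. That ordering is what drives which systems get the most aggressive segmentation, the strictest privileged-access rules and the first backup restores.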

Cyberattacks are predicted to have the same impact and likelihood as natural disasters. Image: World Economic Forum Global Risks Report 2020

2. Know your supply chain.

In the Fourth Industrial Revolution, businesses grow by forging alliances and supply chain relationships, and the global supply chain is highly interdependent. A supplier's compromise or outage can become your own. Monitoring your third parties, and knowing which of your critical services depend on them, is essential to understanding and responding to the risks suppliers pose.

3. Practice good hygiene.

Cyber hygiene keeps systems healthy and improves security. Practices include patching, using securely configured devices, and phishing detection and awareness training. Global hygiene trends include:

i. Segmenting the network. To keep malware from spreading, divide your network into segments so that an infection can be isolated and contained. Know your perimeter, including every path into and out of each segment, so you can control the traffic that crosses it.

ii. Keeping systems up to date. Apply security patches promptly and on a regular schedule, giving priority to internet-facing systems and to vulnerabilities that are known to be exploited.

iii. Protecting privileges. Certain privileged users have unfettered access to system resources. Protect these accounts and their access: keep privileged accounts separate from everyday ones, require strong authentication, restrict where they can be used from, and log their use.
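Segmentation only contains malware if the policy is actually enforced, so the useful check is to compare what the network allowed against what the design says it should allow. The following Python does that over a handful of firewall flow records. It is an added example written for this piece, not a tool from the article: the zone addressing, the policy table, the administrative jump host and every flow line are constructed, and the port numbers assume conventional services (443 for web, 5432 for PostgreSQL, 22 for SSH, 3389 for RDP, 445 for SMB). It also covers the privileged-access point above, by treating administrative protocols that do not originate from the jump host as violations.

```python
"""Audit firewall flow records against an intended network-segmentation policy (constructed example)."""
import ipaddress
import re

# Constructed zone map (hypothetical addressing, not from the article).
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "app-servers": ipaddress.ip_network("10.20.0.0/24"),
    "db-servers": ipaddress.ip_network("10.20.1.0/24"),
    "backup": ipaddress.ip_network("10.30.0.0/24"),
    "admin-jump": ipaddress.ip_network("10.40.0.0/28"),
}

# Allowed inter-zone flows: (source zone, destination zone) -> permitted destination ports.
# Anything not listed is denied. Only the jump host may reach the backup zone.
POLICY = {
    ("workstations", "app-servers"): {443},
    ("app-servers", "db-servers"): {5432},
    ("backup", "app-servers"): {22},      # backup host pulls from servers, never the reverse
    ("backup", "db-servers"): {22},
    ("admin-jump", "app-servers"): {22, 3389},
    ("admin-jump", "db-servers"): {22},
    ("admin-jump", "backup"): {22},
}

# Ports denied even between peers in the same zone: worms spread workstation to workstation.
INTRA_ZONE_DENY = {"workstations": {135, 139, 445, 3389}}

ADMIN_PORTS = {22, 3389}
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")


def zone_of(ip):
    """Map an address to its zone; 'unknown' means the inventory does not cover it."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """Pull source, destination, protocol and destination port out of one log line."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m.groups()
    return {"src": src, "dst": dst, "proto": proto, "dport": int(dport)}


def check_flow(flow):
    """Return None if the flow is allowed by the segmentation policy, else a reason string."""
    s, d, port = zone_of(flow["src"]), zone_of(flow["dst"]), flow["dport"]
    if "unknown" in (s, d):
        return f"unmapped address {flow['src']} -> {flow['dst']}: inventory gap"
    if s == d:
        if port in INTRA_ZONE_DENY.get(s, set()):
            return f"{s} peer-to-peer port {port}: lateral-movement path"
        return None
    if port in POLICY.get((s, d), set()):
        return None
    if d == "backup":
        return f"{s} -> backup port {port}: backups reachable from outside admin-jump"
    if port in ADMIN_PORTS and s != "admin-jump":
        return f"{s} -> {d} admin port {port} not via admin-jump"
    return f"{s} -> {d} port {port} not in policy"


def audit(lines):
    """Run every flow line through the policy and return the violations found, in log order."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        reason = check_flow(flow)
        if reason:
            findings.append((flow["src"], flow["dst"], flow["dport"], reason))
    return findings


# Constructed sample flow records in a firewall-log-like format (not real traffic).
SAMPLE_FLOWS = [
    "2020-03-02T09:12:01Z src=10.10.5.23 dst=10.20.0.4 proto=tcp dport=443 action=allow",
    "2020-03-02T09:12:07Z src=10.10.5.23 dst=10.10.5.40 proto=tcp dport=445 action=allow",
    "2020-03-02T09:13:15Z src=10.10.5.23 dst=10.20.1.4 proto=tcp dport=5432 action=allow",
    "2020-03-02T09:13:40Z src=10.10.5.23 dst=10.30.0.5 proto=tcp dport=445 action=allow",
    "2020-03-02T09:14:02Z src=10.20.0.4 dst=10.20.1.4 proto=tcp dport=5432 action=allow",
    "2020-03-02T09:15:11Z src=10.20.0.4 dst=10.20.1.4 proto=tcp dport=3389 action=allow",
    "2020-03-02T09:16:30Z src=10.40.0.2 dst=10.20.1.4 proto=tcp dport=22 action=allow",
    "2020-03-02T09:17:00Z src=192.168.99.9 dst=10.20.0.4 proto=tcp dport=443 action=allow",
]

if __name__ == "__main__":
    for src, dst, port, reason in audit(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port}  {reason}")
```

Every sample record is marked action=allow, which is the point: the firewall permitted all of them, and the audit shows where the enforced rules diverge from the intended segmentation. Five of the eight flows are flagged: a workstation talking SMB to another workstation, a workstation reaching the database tier directly, a workstation reaching the backup zone (the path that lets ransomware destroy backups), RDP to a database server from somewhere other than the jump host, and an address the inventory does not know about at all.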

4. Plan your recovery.

How much disruption can your organization withstand before its ability to serve customers is crippled? A short recovery time is expensive to engineer, but a longer one means a prolonged outage, which is bad for business.

Your company's best recourse is to design or procure backup and recovery solutions that a) keep multiple versions of backups, b) let you access them quickly and c) are impervious to malware that deletes or corrupts backups, which in practice means copies that production credentials cannot modify, such as offline or immutable storage. Test drive your disaster recovery plan by actually restoring from those copies, and repeat the exercise every time your environment changes, or at least quarterly.

High-RQ organizations know how much disruption they can withstand and have plans to recover within their limits. About two-thirds of high-RQ respondents to PwC’s survey have set impact tolerances for critical business services.
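As an added worked check for points a) to c) above and for the impact tolerances just mentioned, here is a small Python audit of a backup catalogue against each service's recovery time objective (RTO, the maximum tolerable downtime) and recovery point objective (RPO, the maximum tolerable data loss). It is example code written for this article, not PwC's method or a product: the services, the catalogue entries, the restore throughput figures, the two-hour detection-and-decision overhead and the two-version minimum are all constructed assumptions. Backups on storage that production credentials can write to are deliberately not counted, since those are the copies ransomware reaches first.

```python
"""Check a backup catalogue against per-service RTO/RPO tolerances (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Service:
    name: str
    rto: timedelta            # maximum tolerable downtime
    rpo: timedelta            # maximum tolerable data loss
    restore_mb_per_s: float   # throughput measured during the last restore test


@dataclass
class Backup:
    service: str
    taken_at: datetime
    size_mb: float
    storage: str              # "immutable-object", "offline-tape" or "nas-share"
    restore_verified: bool    # a test restore from this copy has succeeded


# Assumption: only copies that production credentials cannot modify survive ransomware.
SAFE_STORAGE = {"immutable-object", "offline-tape"}
MIN_SAFE_VERSIONS = 2                    # hypothetical policy: keep at least two usable versions
DECISION_OVERHEAD = timedelta(hours=2)   # hypothetical time to detect, decide and start restoring


def usable(b):
    """A backup counts only if it is on malware-resistant storage and has been restore-tested."""
    return b.storage in SAFE_STORAGE and b.restore_verified


def assess(service, backups, now):
    """Check one service's backups against its RTO, RPO and versioning requirements."""
    mine = [b for b in backups if b.service == service.name]
    safe = sorted((b for b in mine if usable(b)), key=lambda b: b.taken_at, reverse=True)
    issues = []
    if not safe:
        issues.append("no restore-verified backup on malware-resistant storage")
        return {"service": service.name, "ok": False, "issues": issues}
    latest = safe[0]
    age = now - latest.taken_at
    if age > service.rpo:
        issues.append(f"latest usable backup is {age} old, beyond RPO of {service.rpo}")
    restore_time = timedelta(seconds=latest.size_mb / service.restore_mb_per_s)
    if restore_time + DECISION_OVERHEAD > service.rto:
        issues.append(f"restore takes {restore_time} plus {DECISION_OVERHEAD} overhead, "
                      f"beyond RTO of {service.rto}")
    if len(safe) < MIN_SAFE_VERSIONS:
        issues.append(f"only {len(safe)} usable version(s), policy requires {MIN_SAFE_VERSIONS}")
    return {"service": service.name, "ok": not issues, "issues": issues,
            "restore_time": restore_time}


def assess_all(services, backups, now):
    """Assess every service and return the results keyed by service name."""
    return {s.name: assess(s, backups, now) for s in services}


# Constructed sample catalogue (not real data).
NOW = datetime(2020, 3, 2, 8, 0, tzinfo=timezone.utc)
SERVICES = [
    Service("order-db", rto=timedelta(hours=4), rpo=timedelta(hours=1), restore_mb_per_s=200),
    Service("web-store", rto=timedelta(hours=8), rpo=timedelta(hours=24), restore_mb_per_s=100),
    Service("hr-intranet", rto=timedelta(hours=72), rpo=timedelta(hours=24), restore_mb_per_s=50),
]
BACKUPS = [
    Backup("order-db", datetime(2020, 3, 2, 7, 30, tzinfo=timezone.utc), 500_000, "immutable-object", True),
    Backup("order-db", datetime(2020, 3, 1, 7, 30, tzinfo=timezone.utc), 490_000, "immutable-object", True),
    Backup("web-store", datetime(2020, 3, 2, 1, 0, tzinfo=timezone.utc), 80_000, "nas-share", True),
    Backup("hr-intranet", datetime(2020, 2, 28, 2, 0, tzinfo=timezone.utc), 2_000_000, "offline-tape", False),
    Backup("hr-intranet", datetime(2020, 2, 25, 2, 0, tzinfo=timezone.utc), 1_900_000, "offline-tape", True),
]

if __name__ == "__main__":
    for name, result in assess_all(SERVICES, BACKUPS, NOW).items():
        status = "OK " if result["ok"] else "GAP"
        print(f"{status} {name}: {'; '.join(result['issues']) or 'within tolerance'}")
```

In the sample, the order database passes: its latest immutable, restore-tested copy is 30 minutes old and a 500 GB restore at the measured rate fits inside the four-hour RTO even after the decision overhead. The web store fails outright because its only backup sits on a writable network share, exactly the copy an attacker who has reached the main systems can encrypt. The HR intranet has tape copies, but the newest one was never restore-tested, so the newest usable copy is six days old against a 24-hour RPO, and only one usable version exists. Those are the gaps a quarterly restore test is meant to surface before an incident does.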

5. Conduct disaster drills.

A hypothetical disaster drill (also known as a tabletop exercise) lets you rehearse and refine your organization's response to a cyber disaster. An effective drill is realistic, interactive and moderately stressful for participants. It should give employees a clearer idea of their roles and responsibilities in a cyber disaster, and greater confidence in their ability to react. Scenarios that are realistic but less likely will reveal response gaps; addressing those gaps improves the response to, and recovery from, a real disaster.

Resilience is worth the effort

Achieving digital resilience means applying equal vigilance to your own and your third parties' critical business systems. It starts with instilling "resilience by design" into the blueprinting process, so that those systems are built to withstand disruption.

Resilience also means practising good cyber hygiene day to day. Hygiene alone, however, will not protect your organization from the disruption a cyberattack can cause. A well-tested, repeatable response-and-recovery strategy helps keep your business up and running with minimal interruption.


License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.
