In 2015, former Cisco CEO John Chambers famously wrote: “There are two types of companies: Those that have been hacked, and those that haven’t yet discovered that they’ve been hacked.” Since then, this statement has only become more accurate. In fact, 2019 was the worst year on record for data breaches as the cost of those breaches soared. A new approach to defending an organization’s data and assets is required. Step forward Cyber Resilience.
Chambers’ point about the inevitability of cyber attack and breach is well made. In today’s digital age, we are faced with a massive proliferation of data, systems, apps, and devices. That’s just internally. We are increasingly creating digital ecosystems to drive agility, collaboration and innovation. It’s been a long time since your organization stopped at the front door or the corporate firewall!
Cyber security has traditionally been focused on the network perimeter but, as attacks become more frequent and sophisticated, the ‘they shall not pass’ approach is proving woefully insufficient. Cyber resilience requires a ‘defence in depth’ perspective that encompasses technology, people and processes. An organization’s level of cyber resilience determines not only how well it deals with an attack, but how well it continues to do business during a breach and how quickly it can evolve to be better prepared for the next incident.
So, let’s take a look at how an organization can go about building cyber resilience.
Cyber Resilience definition
In its Cybersecurity Report 2020, Accenture defines Cyber Resilience as “the ability to defend against attacks while continuing to do ‘business as usual’ successfully”.
An organization can adopt a strategy of cyber resilience, meaning that it can quickly respond to and recover from a cyber attack, keep operating and serving customers throughout, get back on track effectively and learn the lessons so that it is more capable of withstanding future disruption. Unlike cyber security, resilience stretches beyond your systems and IT infrastructure to ensure that key business processes such as accounting, customer service, and order fulfillment continue as close to unaffected as possible during and after a security breach.
From this perspective, cyber resilience is a set of methods, best practices and technologies that mitigate risk within your business processes and workflows in order to protect your organization from your own technology and from the people who would try to exploit it. There are different cyber resiliency levels, but they must address external threats – such as hackers – as well as internal threats from malicious and negligent employees.
An example of poor internal practice is irregular software patching. It is instructive to note that some of the largest data leaks are the result of misconfigured assets, not cyber attacks.
Total protection for an organization comes through a combination of cyber resilience technologies and cyber resilience services that span risk mitigation and business continuity.
But isn’t cyber resilience just another term for cyber security? No. The two are very different and it’s important that you know why.
What’s the difference between Cyber Resilience and Cyber Security?
The neatest way we’ve seen to draw the distinction is this: if you want to keep them out, you need cyber security, but resilience is all about what you do when they’re in, because you know they will get in.
That, of course, is a wild over-simplification. Some experts suggest that cyber security and resilience are sequential, as appears to be implied above: first you have cyber security, and then the baton is passed to cyber resilience. It’s more correct to think of cyber security as one part of the wider cyber resilience strategy.
In an article for the World Economic Forum, Daniel Dobrygowski noted: “Security, in contrast to resilience, can be seen as binary. Either something is secure or it isn’t… there is a difference between the access control of cybersecurity and the more strategic, long-term thinking cyber resilience should evoke.”
There is a fundamental weakness at the core of cyber security. The sector has grown up around the need to protect insecure and vulnerable systems and applications. A range of technologies – such as firewalls, spam filters, insider threat detection, DNS filtering, and many more – have been piled on top of the IT infrastructure to build layers of protection.
The inescapable truth is that, no matter how many layers of protection you apply, if the system was vulnerable to begin with, it remains vulnerable.
Unlike traditional approaches to cyber security, cyber resilience isn’t about putting more security on top of the IT infrastructure. It’s about rethinking how the infrastructure itself is built, managed, and maintained over time. Cyber resilience covers the IT infrastructure, the business processes it underpins and the people those processes support.
That’s not to downplay the importance of cyber security in any way. Far from it. It’s simply to establish that cyber security should be seen in the context of cyber resilience. Your cyber resilience strategy is likely to contain both security and resilience aspects, perhaps based around a cyber security and resilience framework.
Why is Cyber Resilience important?
The cost of data breaches to business can be devastating. Cyber resilience is the understanding that a reliance on cyber security alone isn’t enough to prevent the most severe consequences following an attack.
And the number of attacks is rising. In fact, 2019 was the worst year on record for cyber attacks, with a Cyber Breaches Report in the UK showing that 60% of medium firms and 61% of large firms had identified a major breach in the past 12 months. The cost of data breaches for large companies can be eye-watering – around $700 million in the case of Equifax. The cost for small and medium businesses can be even worse: some estimates suggest that as many as 60% of small businesses fold within six months of a cyber attack.
How Cyber Resilience works
The UK’s National Cyber Security Centre (NCSC) outlines four key steps involved in cyber resilience – prepare, absorb, recover and adapt. We’re going to add another element to that list – protect. Let’s look at each in turn:
Prevention will always be better than cure, and preventing cyber attacks and data breaches requires a multi-layered approach to cyber resilience that includes technology, people and processes. Of course you need the latest and best cyber security solutions, but organizations with successful cyber resilience spend as much time and money addressing the people and process elements. For example, this means putting in place the best security policies and providing training and in-work support to ensure that everyone knows the importance of security and follows cyber resilience best practice during their daily work.
As cyber security solutions evolve so do the sophistication of cyber attacks. Basic security cannot guarantee enterprise protection. An endpoint detection and response (EDR) solution – such as OpenText™ EnCase™ Endpoint Security – provides a far greater degree of protection. EDR solutions use advanced analytics to monitor endpoint and network events – recording the information in a central database where further analysis, detection, investigation, reporting, and alerting take place – as well as continually learning how to better deflect current attacks and anticipate future ones. In addition to EDR tools, an Endpoint Protection Platform – such as OpenText™ WebRoot – delivers an integrated suite of endpoint protection solutions such as antivirus, data encryption, data loss prevention, and intrusion prevention to add more cyber resilience levels to your protection activities.
Defence in depth and diversity of technology are two methods that can be used to reduce the risk of an incident escalating to catastrophic system failure. Another is to eliminate information sprawl within your organization. Organizations can adopt a single platform for their data and content, providing a single source of truth for all information that is easier to protect. This can be enhanced with secure content management and cloud collaboration to ensure that information is protected but still available.
One of the major end goals for cyber resilience is building durability into your organization. Your business processes rely on correct, accurate and timely information so how you capture, store, use, archive and dispose of data becomes a large part of your cyber resilience strategy.
If we accept the ‘when-not-if’ premise of cyber attack, then the core of cyber resilience is how well you can recover once your network has been breached. For example, a well-orchestrated ransomware attack can encrypt all your data, forcing you to pay the attackers for its return. In the case of Travelex, it took the company over two weeks to be able to offer a service again – and it refused to answer whether it had paid the $6 million ransom.
An effective data backup and recovery strategy is an essential part of cyber resilience. Tools such as OpenText™ Carbonite allow for the automated, granular backup and recovery of data to a separate network or drive, enabling you to quickly restore data that has been seized or wiped.
You should always remember that cyber resilience is about more than just your data and systems. Good cyber resilience programs build cyber resilience into the organization’s wider business continuity strategies.
Adaptability is a key component of cyber resilience. Because attackers are constantly developing new ways to evade detection and creating new attack plans, it is important that the enterprise-wide infrastructure can adapt and evolve to defend against future threats. Threat intelligence solutions – such as OpenText™ BrightCloud – allow you to understand the current threats to your network and data as well as make accurate predictions about likely attacks in the future. However, being adaptable has to go beyond the ability to take reactive steps. Can you design your systems to adapt to a changing threat environment? Can you set in place policies and procedures so that your people are always up to date on the security threats they face?
How to create a Cyber Resilience strategy
Cyber resilience has to be viewed as a strategic, enterprise-level initiative. In that way, it doesn’t vary greatly from any other strategy involved in large-scale business change. Online news outlet TechNative published its top ten tips for building a cyber resilience strategy:
- Align information and cyber security strategy with business digital transformation strategy.
- Adopt a comprehensive cyber risk management attitude.
- Identify the most critical information and assets.
- Find and manage vulnerabilities.
- Reduce cyber risks in projects and production.
- Optimize the reliability of strategically chosen systems.
- Evolve your security to a prevention-based strategic architecture.
- Commit to employing state-of-the-art digital and defence solutions.
- Train your teams regularly to empower them and strengthen their resilience.
- Scale your success by sharing knowledge and intelligence.
Visit our website to find out more about cyber resilience and other information security solutions from OpenText.