Digital transformation enabled organizations to disrupt their markets, improve productivity and make informed decisions, while reducing costs. The proliferation of emerging technologies, such as multi-cloud platforms, Internet of Things (IoT), containerization, microservices, and big data has given the society the chance to become more connected and economies more prosperous. However, these benefits come at a price. These new technologies present new risks and vulnerabilities, expanding the corporate attack surface. The security of digital systems and information is crucial to every enterprise or organization.
Threats like data breaches or cybersecurity incidents can cause companies severe damages. These attacks may attempt to destroy, expose, or obtain unauthorized access to corporate systems and sensitive data. The confidentiality, integrity and availability of corporate digital assets are at risk.
This alarming increase of cyber-attacks should force companies to be armed to manage such risks.
Focusing on traditional cybersecurity measures and protections seems no longer adequate to protect businesses from the spate of sophisticated attacks.
It is time for a different approach.
It is time for businesses to have cyber resilience.
What is cyber resilience?
Cyber resilience is the ability of an organization to prepare, respond, and recover from cyber-attacks. An organization has cyber resilience if it can defend itself against these attacks, limit the effects of a security incident, and ensure business continuity during and after these attacks.
According to thePresidential Policy Directive 21 (PPD-210), “Critical Infrastructure Protection and Resilience”, signed by former US President Barack Obama in 2013, the word resilience means “the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions.”
We must be careful not to confuse resilience with recovery. Recovery is to return to a previous healthy state. Instead, resilience is limiting the impact of the security breach, keeping the operation continuous despite the threat, and continuously plan strategies and practices to protect operations once criminals attack.
It is also important to highlight the difference between cyber security and cyber resilience. While cybersecurity’s main goal is to protect corporate digital resources (i.e. systems and data), cyber resilience focuses on making sure the business is delivered. Resilience’s outcome is keeping business goals intact rather than the IT systems.
The four pillars of successful cyber resilience strategy
A successful cyber resilience strategy should be based on the followingfour pillars:
Manage and protect
Develop the ability to identify, assess, and manage risks associated with cyber-enabled systems, including those across the corporate supply chain. In addition, protect the corporate digital assets from cyber-attacks, system failures and unauthorized access.
Identify and detect
Use of continuous monitoring to detect anomalies and potential data breaches and security incidents before they develop and cause significant damage.
Respond and recover
Implement an incident response program to ensure business continuity even in the event of a cyber-attack and get back to business as usual as quickly and efficiently as possible.
Govern and assure
Ensure the cyber resilience program is overseen from the top of your organization and built into business as usual processes. Align the program with wider business goals.
Components of cyber resilience strategy
Cyber resilience aims to secure the whole organization dynamically. It is a preventive measure to counter human error, vulnerabilities in software and hardware, and misconfiguration. The goal of cyber resilience is to protect the organization in a holistic manner, while understanding that there will be insecure parts, no matter how robust security controls are.
To do so, a cyber resilience strategy should comprise of the following components:
The more technology advances, the more sophisticated cyber criminals become. The organization should plan steps to defend itself against all sorts of threats.
In the event of a security incident, the organization must be able to return to regular operations as quick as possible. This means to have infrastructure redundancies and data backups across different locations to cope with any type of emergency, a natural disaster, or a cyber-attack, whenever and wherever this happens. It is also recommended that the organization runs drills to ensure that everyone knows what their role is in the event of a cyber-attack. This will strengthen the overall organization’s cyber resilience.
While planning is important, adaptability is paramount. Organizations must be able to evolve and adapt to new tactics that cyber criminals come up with. It is recommended to invest in continuous monitoring solutions for the security team to recognize security issues in real-time and take immediate action.
An organization’s durability is its capability to effectively operate regular and routine business again after a security breach. An organization can improve its cyber resilience with system improvements, regular reports, and updates.
Why is cyber resilience important?
Cyber resilience is important because traditional security measures are no longer enough to ensure adequate information security, data security, and network security. CISOs and IT security teams are aware that attackers will eventually gain unauthorized access to their organization.
This should not serve as a pessimistic finding, rather as an everyday alarm to be able to respond to and recover from security breaches as well as to prevent them.
The need for cyber resiliency was summed up by Lt. Gen. Ted F. Bowlds, former Commander, Electronic Systems Center, USAF:
You are going to be attacked; your computers are going to be attacked, and the question is, how do you fight through the attack? How do you maintain your operations?
The benefits of cyber resilience
Successful cyber resilience strategies introduce many benefits for all organizations, from small or medium businesses to large corporations.
Enhanced securityCyber resilience does not only help with responding to and surviving an attack. It can also help an organization develop strategies to improve IT governance, foster safety and security across critical assets, improve data protection efforts, avoid the impacts of natural disasters, and reduce human error.
Reduced financial lossRegardless of how good your security is, the fact is no one is immune to cyberattacks or misconfiguration. The averagecost of a data breachhas skyrocketed to $4.77 million globally, enough to make many small to medium size businesses go bankrupt. In addition to financial costs, the reputational impact of data breaches is increasing due to the introduction of GDPR and other data protection and privacy laws in numerous countries and stringent data breach notification requirements.
Regulatory and legal complianceMeeting security requirements imposed on data protection and critical infrastructure regulation is a competitive advantage and a valuable benefit in integrating cyber resilience in an organization. The EU Network and Information Systems (NIS) security directive requires every operator of a critical infrastructure (i.e. finance, healthcare, transportation, water and electric grid, and aviation) “to take appropriate security measures and to notify serious incidents to the relevant national authority.” In addition, the GDPR requires for strict protections to safeguard data privacy and imposes huge fines in case of deviations. Being compliant with regulations places a sense of trust to customers.
Improved security culture Security is everyone’s responsibility. When people are inspired and motivated to take security seriously in their organization, sensitive information and physical assets are at less risk. The organization should foster the security hygiene behavior to reduce human errors that expose sensitive data.
Protect from reputational damage Poor cyber resilience can irreversibly damage your organization’s reputation. Cyber resilience prevents an organization from public scrutiny, fines from regulators, and an abrupt reduction in sales, or worse, loss of business.
Build trust across business ecosystem It is essential to have cyber resilience to maintain trust from suppliers and the customers. Trust takes years to build it, but it can be destroyed in seconds. If an organization has an ineffective approach to cyber resilience, it can potentially experience severe damages, including restitution to suppliers and customers whose confidentiality has been breached.
Improved security team One of the underemphasized benefits of cyber resilience is that it improves the daily operations of security teams. An organization with a hands-on security team not only improves the ability to respond to threats, but it also helps to ensure day-to-day operations are running smoothly.
How ADACOM helps
ADACOM has a well-established approach toinformation resilience, supported by a robust implementation framework. We follow a holistic approach towards protecting all types of sensitive information, in all phases of the information lifecycle throughout all business verticals, regardless of the underlying business and technology ecosystem. Our aim is to maximize the resilience of critical business information and keep information trustworthy even when the organization is under stress.
ADACOM’s information resilience approach has the following differentiation factors:
Holistic approach to digital & information security risk management, including Compliance
Create value by integrating digital and information resilience with business processes
Use of methodologies which could be easily applied
Customized deliverables which could be easily adopted