December 12, 2014 By Brian Honan 3 min read

Cyber attacks are inevitable, but they should not cause your business to suffer. Having an effective cyber resilience program in place will enable your business to continue operating even in the middle of a cyber attack. In the past few weeks the news has been awash with the security breach at Sony Pictures, which resulted in staff being instructed to use pen and paper to do their work and not to use their computers. All VPNs, remote access, networks, and computer systems within Sony Pictures were offline for over a week while the breach was dealt with. At the same time, the attackers released gigabytes of information belonging to Sony Pictures onto the Internet. This is a prime example of how a cyber-attack can bring a business to its knees and how not being cyber resilient can aggravate the impact of a cyber-attack.

Cyber resilience is ensuring the business understands the impact of a potential cyber-attack and the steps required for the business to prevent, survive and recover from such an attack. In essence, it moves cyber security away from a purely technically focused discipline toward a business and risk-management point of view. This requires the technical security people, who would traditionally focus on point solutions to specific technical threats, to translate the potential impact of security incidents into terms and language that business and nontechnical people will understand. Most businesses operate on the principle of risk: every business decision involves an element of risk. Sometimes the result of that risk is positive, for example increased sales, and sometimes it is negative, such as loss of market share.

Traditionally, technical people look at issues in a very black-or-white way: it either works or it does not work, it is secure or it is not secure. Cyber resilience involves a change in mindset whereby you look to identify how secure the business needs to be in order to survive. This is a challenge for both the technical and nontechnical people. For business people, it requires that they get involved in the decision-making process regarding cyber security by identifying what the critical assets of the business are and how valuable they are to the business. The risks to those assets then need to be identified and quantified so that measures can be put in place to reduce the level of risk against those assets to one that is acceptable to the business. So instead of a checklist approach to security, or an all-or-nothing approach, decisions are more focused on what the business needs, and investment can be directed to the most appropriate areas.

I often compare cyber resilience to how kings protected their crown jewels in the Middle Ages. The keep at the center of the castle grounds was where the most valuable assets were kept. The keep itself was placed in a very defensible position within the castle walls. Those castle walls were defended in turn by moats, turrets, and drawbridges. Outside the castle walls was where the villagers and farmers lived. In the event of an attack the king would raise the drawbridge, leaving those outside open to attack, but these were acceptable losses to protect the crown jewels. Even if the castle walls were breached, the crown jewels would remain protected within the keep. In today’s security landscape businesses need to identify what their crown jewels are and protect them accordingly. Similarly, they also need to identify what should remain within the village, or even within the castle walls, and be prepared to lose those in the event of a major cyber-attack.

Effective cyber resilience requires rigorous and regular risk assessment exercises, particularly as today’s business environments, technology, and cyber-threats change so quickly. These risk assessments should be supported by good security policies outlining the security controls required to manage the risks identified. An effective incident response plan is also a critical element of cyber resilience; this plan should cover the various types of attacks and how the organization should react to each of them. As with all plans, regular testing is essential to ensure the plan works and that the business survives in the heat of a real attack. To be fully resilient, an organization should integrate its incident response plan with its Business Continuity Plan (BCP) so that in the event of a major security breach the business can continue to operate in BCP mode while dealing with the breach.

Having good cyber resilience in place won’t prevent a security breach from happening, but good cyber resilience will prevent the business from stopping should a security breach occur.
