Organizational resilience is key to good business. Sometimes confused with enterprise resilience, we use the former term instead because it applies to a business or agency of any size. Let’s take a look at how to improve employees’ cybersecurity posture by providing practical ideas they can add to their everyday habits. The result: cyber resilience and keeping your data safer.

This series will guide you in your journey through organizational resilience. First, we need to look at the human factor. In particular, that means human vulnerabilities, social engineering and threat actors.

But, up front, remember the difference between ‘organizational’ and ‘enterprise’ resilience. The cyber resilience framework that will come out of this series will be applicable to an organization of any size. The ‘what’ is the same, no matter how big, small or complex the organization is. The ‘how’ is different, due to scale. Together, the concepts in this series provide a loose framework that works for everybody. Even a single person can improve their personal safety by employing these ideas into their everyday habits.

Next question to answer: what is going to get covered in the series? A lot of issues: business continuity, crisis management, disaster recovery, training and testing, governance, privacy, security-by-design, cyber hygiene, the data life cycle, supply chains and third parties, and now, the human element.

If you can assess, design, test and build an organizational resilience program well, your incident response posture will be in a good position to manage a cyber attack. And if you are really good, you may reach that nirvana state of antifragility. What’s that? Well, if cyber resilience means you can bend while others break, antifragility is the ability to get stronger because of the bend.

The Human Factor: Beginning, Middle and End of Every Issue

Imagine for a moment the security setup of a dream: incident response tools are in place, endpoint detection and response tools are doing their thing and SIEM and SOAR platforms and more are humming along like a graceful yet complex Hungarian Rhapsody No. 2.

Can you still fall victim to a breach?

Yes. Just look at what happens to Tom the Cat’s rendition of Franz Liszt’s piano masterpiece when Jerry gets in the way during the classic short cartoon “The Cat Concerto.”

Remember: no matter how much faith you put in tech, the human factor will always find a way to circumvent it. At the same time, because of the human factor, threat actors will always exploit any psychological in-road they can find. Cyber resilience has to take this into account.

And these actors are getting better than ever at doing that. Therein is the cat and mouse game that will never be solved, but only ever be managed. This is the essence of any human error or social engineering challenge.

How Attacks Against the Mind Yield Results

Ransomware attacks are not going anywhere any time soon. Malicious actors see them as a great return on investment. From a technical standpoint, they are more difficult to address. New methods, such as double encryption, seek to complicate matters. In other words, if you do happen to get past one wall, there’s another one waiting for you.

But why are ransomware attacks so effective? It’s the human factor: they exploit emotions. And malicious actors exploit emotions before and after an incident. Can’t get malicious hardware on the system from the outside? Simple; compromise a person on the inside and hand them a loaded USB key.  There’s your human factor example from before an incident. Have compromising information after the incident? That can motivate the victim to pay.

The Weak Link

Clearly ransomware, or any malicious breach that holds data hostage, cannot be addressed in a technical vacuum. Cyber resilience isn’t only about tools. Again, let’s go back to the dream security system: imagine your data has now been stolen or taken for ransom, but you have all the backups in place. Your recovery points and times are so awesome, a breach would feel more of a blip than a boom for you, right? That’s a pretty good position to be in!

Well, not exactly. It depends on the data in question. What is its value? Having a backup may not be good enough. In fact, you are no longer in a position to pay to get your data back. Instead, you’re in a position to pay so your data does not go further into the wild. That’s where knowing why the threat actor is attacking comes into play.

Can you really afford having your intellectual property or bid information hit the streets? The calculus now changes.

Remember, threat actors are also running a business, even if you think their business practices aren’t ethical. Some people are in it for the money, others for change and others just to unleash havoc. Motivation – both your own and the attacker’s – plays perhaps the most important role. Only you can control your own motivations. You can only do your best to gain insight into the attacker’s motivations. (This is a case where outside help makes a difference; others may have more knowledge of what makes these threat actors tick).

Cyber Resilience Needs to Respond to Modern Attacks

The days of poorly written emails trying to entice you to click a link or send bank account numbers to some exiled royal promising you riches are gone. Okay, this tactic still exists, but it’s amateur hour stuff now. If serious threat actors are employing this tactic, it is probably for giggles at this point.

Nowadays, attacks are more advanced. Tools and tactics once reserved for the state are now being sold for commercial gain. And there is just so much personal data out there right now.

These two factors threaten cyber resilience and allow the threat actor a lot of access into a person’s habits, lifestyle and yes, their motivations. Nowadays, you can find more about a person’s financial and health history than ever before. Sometimes it’s just out in the wild, such as social media posts, causing potentially unwanted leaks of personal information. Other times, businesses collect it and sell it. In some cases, the records are out there because of a previous breach. And, of course, nation-states are gobbling it up, seeing ways how to use it. One at a time, these pieces of information may have little value. But what if you collate them? You now have an excellent view into how to exploit someone.

So now think about this: if powerful tools are available on the market and threat actors are exploiting emotions, is there a limit to what they can do? The landscape appears scary, but you can manage it if if you don’t have blinders on.

Human Factor Cyber Resilience Comes From Within

There is a reason this series started with the human factor: it is the hardest one to solve. Frankly, there is no solution to it. There’s certainly not a technical one. There are only ways to manage it. To do that, you need to dig deep and understand what people want, specifically your motivations and those of the attacker. Therefore, a good organizational resilience program will:

  • Promote good security-minded behavior
  • Be on the lookout for compromise
  • Formalize means and methods to understand, early on, the motivations of actors you might face. (That might mean hiring outside help.)

From here, your organizational resilience journey can begin.

More from Intelligence & Analytics

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…

9 min read

Despite Tech Layoffs, Cybersecurity Positions are Hiring

4 min read - It’s easy to read today’s headlines and think that now isn’t the best time to look for a job in the tech industry. However, that’s not necessarily true. When you read deeper into the stories and numbers, cybersecurity positions are still very much in demand. Cybersecurity professionals are landing jobs every day, and IT professionals from other roles may be able to transfer their skills into cybersecurity relatively easily. As cybersecurity continues to remain a top business priority, organizations will…

4 min read

79% of Cyber Pros Make Decisions Without Threat Intelligence

4 min read - In a recent report, 79% of security pros say they make decisions without adversary insights “at least the majority of the time.” Why aren’t companies effectively leveraging threat intelligence? And does the C-Suite know this is going on? It’s not unusual for attackers to stay concealed within an organization’s computer systems for extended periods of time. And if their methods and behavioral patterns are unfamiliar, they can cause significant harm before the security team even realizes a breach has occurred.…

4 min read

Why People Skills Matter as Much as Industry Experience

4 min read - As the project manager at a large tech company, I always went to Jim when I needed help. While others on my team had more technical expertise, Jim was easy to work with. He explained technical concepts in a way anyone could understand and patiently answered my seemingly endless questions. We spent many hours collaborating and brainstorming ideas about product features as well as new processes for the team. But Jim was especially valuable when I needed help with other…

4 min read