Cyber-attacks are inevitable, but they should not cause your business to suffer. Having an effective cyber resilience program in place will enable your business to keep operating even in the middle of a cyber-attack. In the past few weeks the news has been awash with the security breach at Sony Pictures, which resulted in staff being instructed to use pen and paper to do their work and not to use their computers. All VPNs, remote access, networks, and computer systems within Sony Pictures were offline for over a week while the breach was dealt with. At the same time, the attackers released gigabytes of information belonging to Sony Pictures onto the Internet. This is a prime example of how a cyber-attack can bring a business to its knees, and of how not being cyber resilient can aggravate the impact of a cyber-attack.
Cyber resilience means ensuring that the business understands the impact of a potential cyber-attack and the steps required to prevent, survive and recover from such an attack. In essence, it moves cyber security away from a purely technically focused discipline towards a business and risk management point of view. This requires the technical security people, who would traditionally focus on point solutions to specific technical threats, to translate the potential impact of security incidents into terms and language that business and nontechnical people will understand. Most businesses operate on the principle of risk: every business decision involves an element of risk. Sometimes the result of that risk is positive, for example increased sales, and sometimes it is negative, such as loss of market share.
Traditionally, technical people look at issues in a very black-or-white way: it either works or it does not work, it is secure or it is not secure. Cyber resilience involves a change in mindset whereby you look to identify how secure the business needs to be in order to survive. This is a challenge for both the technical and the nontechnical people. For business people, it requires that they get involved in the decision-making process regarding cyber security by identifying what the business's critical assets are and how valuable they are to the business. The risks to those assets then need to be identified and quantified so that measures can be put in place to reduce the level of risk against those assets to a level that is acceptable to the business. So instead of a checklist approach to security, or an all-or-nothing approach, decisions are focused on what the business needs, and investment can be directed to the most appropriate areas.
I often compare cyber resilience to how kings protected their crown jewels in the Middle Ages. The keep at the center of the castle grounds was where the most valuable assets were kept. The keep itself was placed in a very defendable position within the castle walls. Those castle walls were defended in turn by moats, turrets, and drawbridges. The villagers and farmers lived outside the castle walls. In the event of an attack, the king would raise the drawbridge, leaving those outside open to attack, but these were acceptable losses to protect the crown jewels. Even if the castle walls were breached, the crown jewels would remain protected within the keep. In today’s security landscape, businesses need to identify what their crown jewels are and protect them accordingly. Similarly, they also need to identify what should remain within the village, or even within the castle walls, and be prepared to lose those in the event of a major cyber-attack.
Effective cyber resilience requires rigorous and regular risk assessment exercises, particularly as today's business environments, technology, and cyber-threats change so quickly. These risk assessments should be supported by good security policies outlining the security controls required to manage the risks identified. An effective incident response plan is also a critical element of cyber resilience; this plan should cover the various types of attack and how the organization should react to each of them. As with all plans, regular testing is essential to ensure the plan works and that the business survives in the heat of a real attack. To be fully resilient, an organization should integrate its incident response plan with its Business Continuity Plan (BCP), so that in the event of a major security breach the business can continue to operate in BCP mode while dealing with the breach.
Having good cyber resilience in place won’t prevent a security breach from happening, but good cyber resilience will prevent the business from stopping should a security breach occur.