In January, the World Economic Forum (WEF) again included cyberattacks as one of the top 10 most likely and significant risks to society in 2020. Less than two months later, ways of working underwent a drastic change due to the global pandemic.
With so many employees working remotely and many business functions now in the cloud, organizations are rethinking their cybersecurity posture. As new ways of work are coupled with a growing prevalence of malware and ransomware, cyber resilience has become top of mind in boardrooms around the world.
What Is Cyber Resilience?
A quick search yields a variety of definitions for cyber resilience. Simply stated, cyber resilience is an organization’s ability to withstand adverse cyber events. A traditional cybersecurity program plans for the protection against cyberthreats and enhances the ability to detect and respond to those threats. Cyber resilience takes this traditional approach a step further by acknowledging that the organization must keep operating in a secure manner when faced with a variety of threats — including, but not limited to, cyberattacks.
Why Cyber Resilience and Why Now?
A 2019 Ponemon Institute study of 3,655 organizations found that 77 percent do not have incident response (IR) plans applied consistently across their organizations. Furthermore, 57 percent of respondents stated they experienced a significant disruption to their IT or business due to a cybersecurity breach. According to a Forbes Insights global survey report, only 42 percent of global executives reported being confident that their organization could recover from a major cyber event without impacting their business.
With so many organizations at risk of experiencing a cyber event and less than half believing they can withstand a major cyber event, what can organizations do?
Improving Cyber Resilience
The first step to improving cyber resilience is to build awareness across the organization’s leadership that cybersecurity is not just a technical or IT problem — it’s a business problem. Organizations with a higher degree of cyber resilience experience less business impact due to cyber events.
Forbes identified that 60 percent of security IR teams and business continuity teams do not work closely together or have established relationships in many organizations. Business continuity teams are charged with identifying threats that can materially impact the organization’s ability to operate. Cyberthreats are so prevalent that our business continuity processes must now include them. Likewise, security teams who are planning response activities for cyberattacks must also understand the business impact of those attacks.
Plan for the Inevitable
As any organization that has experienced a ransomware attack knows, a cyberattack can significantly impact or destroy a business’ ability to operate. Business continuity planning scenarios must include plans for withstanding a cyberattack. Traditional business continuity planning scenarios such as Workplace Unavailability, Workforce Unavailability or Regional Disasters can all be precipitated by a cyberthreat, driving the need for joint planning between business continuity and cybersecurity teams.
The National Institute of Standards and Technology (NIST) recommends testing response plans as part of both disaster recovery and IR planning activities. Including cyberthreats as part of business continuity exercise scenarios, as well as including the cybersecurity team as part of the exercise itself, will help the organization be better prepared for both business continuity and disaster recovery in the event of a real-world event. Likewise, cybersecurity teams will find higher quality testing by including both business stakeholders and business continuity team members as part of their incident response testing.
Rapid response during any type of crisis — cyber or real-world — generally means less potential impact to the organization. One of the main reasons to plan and test for any type of disaster is to improve the speed and quality of the response effort. In some circles this is known as reducing your OODA Loop, where you Observe, Orient, Decide and Act during a crisis. When teams plan and test together, their OODA loops will be shorter and tighter, leading to more effective and timely response activities.
While organizations increasingly depend on technology to support their businesses, they can no longer afford to treat cybersecurity as a technical issue — it’s a critical facet of their business continuity, and a shift in focus to cyber resilience is required for success. Organizations need a new paradigm, one that is driven by a growing partnership between business stakeholders, business continuity teams and cybersecurity teams, to withstand cyberattacks and continue to operate as they modernize their businesses and embrace new ways of working.
Deputy Chief Information Security Officer (CISO), IBM Security
With 24 years in the Information Security field, Beth Dunphy is the Deputy Chief Information Security Officer (CISO) for the IBM Security business unit. She ...