Guest Contributor: Jorge Rey, CISA, CSIM
In the first year of the pandemic, hackers shattered records for data lost in cyber attacks. And from October 2020 through February 2021, eCrime rose by 124 percent, according to the eCrime Index created by endpoint security company CrowdStrike Holdings.
More sophisticated threats, increased frequency of attacks, the growing remote workforce, and a proliferation of connected devices are just a few reasons the likelihood of your company suffering a data breach is growing.
Organizations must be resilient in the face of attacks and invest in a plan that minimizes damage and downtime so they can recover as quickly as possible. Having good cybersecurity is not enough anymore—companies should invest in cyber resilience.
What is cyber resilience?
Cyber resilience is a part of risk management and should involve the highest C-level executives. But while many companies assume that cyber resilience is addressed by their business continuity plan, they are often mistaken. A business continuity plan is generally too vague or too high-level to address cyber resilience, which requires a fairly high level of specificity.
There are five elements of cyber resilience:
- Assessment of cyber-related risks
- Mitigation of the risks of successful cyber attacks
- Incident response plan
- Business continuity plan
- Business recovery plan
Cyber resilience begins with cyber risk assessment
Many companies have done some work to mitigate the risk of successful cyber attacks, but most don’t fully understand their cyber risks. Even those that do rarely have appropriately detailed recovery plans.
Risk assessments work by weighing the likelihood of an incident occurring against the impact that incident may have. The impact may include indirect costs to the business—lost customers, revenue, and reputation—as well as the potential recovery costs.
To understand your organization’s unique cyber risks, you need to identify where your business assets are maintained. This may include computers and devices, servers, data centers, software, and third-party service providers.
It’s also important to identify existing mitigation and response tools, techniques, and strategies. This may include everything from firewalls, server-side ransomware blocks, and physical security to phishing training for employees.
Cyber resilience requires leadership buy-in
Because cyber resilience is ultimately about business risk and operations, it should be driven at the same organizational level as other risk management efforts. Usually, this means the CEO or CFO should be driving risk management, with heavy involvement and monitoring from the board.
The entire management team should be talking about cyber resilience, not just the CIO or CISO. Cyber resilience is strongest when it’s driven by leaders who understand the business’s risk, its culture, and its short- and long-term goals.
Start with the most realistic and relevant threats
You can’t develop cyber resilience against every threat all at once. Most likely, you’ll come up with a list of 20 or so potential threats. A framework such as the Library of Cyber Resilience Metrics may help with this.
You should assess those risks based on your risk appetite. Address high and moderate risks first, and explore risk treatment options to reduce the likelihood or impact if the threat is realized.
To build detailed response and recovery plans, tailor your plan to those cyber risks that are most realistic and relevant to your business, and start there.
Invest in response, continuity, and recovery plans
Many companies already have incident response plans that inform their immediate actions after various types of cyber attacks. But cyber resilience also requires detailed business continuity and recovery plans.
A comprehensive response, continuity, and recovery plan should address:
- How to maintain and deploy redundant databases, servers, application instances, and other assets
- Whether to prioritize internal or customer-facing recovery
- How you will work with third-party providers
- How to restore the company’s reputation after a breach
- How response speed will affect the business
- Whether your insurer will have a role in incident response
- Legal, regulatory, and contractual requirements, especially related to breaches of personal, confidential, or sensitive data
Cyber resilience should be part of business planning
Cyber resilience plans cannot be passively maintained. Cyber threats and their likelihoods, potential impacts, and mitigation options are constantly changing. It’s best to go through risk assessment, mitigation, and recovery planning annually.
Cyber resilience should also be part of regular business plans and strategies. For example, if the company launches a new business line, cyber resilience should be considered from the beginning.
An outside professional can help with cyber risk assessment and planning
Few companies have an internal team or leader who can understand both the business risks and the IT risks inherent in cyber attacks. Even for those that do, it may be a challenge to find the time to lead cyber risk assessment and planning efforts. An outside professional or firm can bring cross-functional capabilities and speak the language of both management and IT.
In addition, a qualified cybersecurity consultant will have experience with a wider range of cyber threats and recovery scenarios than your internal team. Outside professionals can also help you align all internal documentation required for response, continuity, and recovery plans. There are many benefits of working with experienced third-party experts.
Increase your company’s ability to bounce back from a cyber attack
A successful cyber attack comes with financial, operational, reputational, and legal risks that can disrupt normal operations—or worse. With the incidence of successful cyber attacks rising in nearly every industry, it’s time to move beyond cybersecurity into cyber resilience.
You can mitigate the impact of a cyber attack by having a solid process for evaluating potential threats and defending against them. This involves comprehensive planning for incident response, business continuity, and business planning. Focus on understanding and planning for a few of the highest-risk scenarios, and invest in minimizing risk and preparing to recover.