With regards to the COVID-19 pandemic, the good news is that we can see the beginning of the end; the vaccine-driven horizon is bright, and the possibility of getting back to business after the pandemic feels closer than ever.
However, that doesn’t mean it is time to sit back and put our feet up. The UK government’s Cyber Security Breaches Survey 2021 showed nearly two-thirds of medium- and large-sized businesses in the UK suffered a cyber-attack or breach last year. The report showed it was a slight decrease from the 2020 survey, but outlined that was likely down to a reduction in trading activity, making organizations less visible to attackers.
It also revealed that fewer businesses were deploying security monitoring tools, down from 40% last year to 35%.
The figures look even worse stateside, with the Global Year in Breach 2021 report from ID Agent showing over 90% of US businesses experienced a cybersecurity incident last year due to a third party or supply chain fault. Further, things are predicted to only get worse, with more companies opting to continue home working or moving to hybrid work environments.
The term ‘cyber-resilience’ seems more pertinent now than ever as we approach these (hopefully) sunlit uplands of a post-COVID world and therefore need to reassess how to keep our businesses and customers secure.
So what does it mean for you to be cyber-resilient in this new dawn, and what challenges will you face?
Being Cyber-Resilient in 2021
For Katell Thielemann, research vice-president at Gartner, being cyber-resilient means being ready for whatever disruption comes your way.
“Even beyond a global pandemic, social unrest or natural disasters, all organizations should realize that the pace of change has greatly accelerated,” she says. “In the cyber and cyber-physical worlds, that means that organizations need to be ready to resist, absorb, recover and adapt to cyber or cyber-physical disruptions in an ever changing and increasingly complex environment to enable them to deliver objectives, rebound and prosper.”
Frank Dickson, program vice-president for security and trust at IDC, says cyber-resiliency is about organizations being ready to address both the traditional disasters in IT environments through to cyber-attack recovery.
For him, businesses must have three things to reach that goal: the people, the processes and the technology needed to recover compromised data and/or application services, regardless of the cause.
“Cyber-resiliency not only requires that data and applications be recovered, but also that system, application and data integrity is assured, leveraging known sources of validated uncorrupted data and/or malware/ransomware free applications and systems prior to restoration of data and application services,” he says.
“Recovery responses can be for a single data store or application all the way up to entire systems similar to a disaster recovery response.”
Heidi Shey, principal analyst for security and risk at Forrester, says being cyber-resilient now is not just about such specific technical threats either. It is also about the wider picture – being able to continue to deliver on your organization’s vision and brand promise in the face of cyber-events that disrupt your business.
“This requires an organization to build capabilities to prepare for, respond to and recover from cyber-threats,” she says – and it isn’t just about preparing within your own walls.
“Cyber-resiliency does not just encompass the direct causes of disruption to your business like ransomware or a breach, but also includes disruption to your business from your third-party partners and technology providers,” she adds.
“Attacks on an organization’s technology providers can have a direct impact on the business and provide a path to your sensitive data.”
The Challenges of Achieving Cyber-Resiliency
Now we know what being cyber-resilient in 2021 means, how do businesses achieve it?
Dickson says that in this era of digital transformation, an organization is more likely to need to recover from a cyber-attack than a disaster. “This new risk may have been previously unforeseen or may have complicated the risk profile of well-established business processes,” he adds.
“As a result, enterprises are looking for greater integration between key business support functions and greater data availability to ensure they can withstand any challenges or threats.”
Thielemann says the challenges come from multiple fronts. First off is the cultural aspect – the fact that most organizations “remain comfortable in a hierarchical, ‘command and control’ security compliance type of culture.”
She says while this may be comforting to many CIOs, it does not make for a very flexible, agile and/or adaptive environment that can react to rapidly changing circumstances.
“As attackers will always look for the path of least resistance, this creates weak spots that will be targeted,” says Thielemann. “Cyber-resiliency cannot be achieved unless an organization is culturally ready to strive for it.”
Then there are those processes that Dickson already pointed to. Thielemann says: “Most organizations still view security as an afterthought, something that can be ‘added to’ a product or a service after the fact, or requested from vendors – if it is even considered at all.”
To be cyber-resilient, companies have to “design in” these security features and use the right technology, going beyond having a secure perimeter around their internal IT systems. “The world we now live in is a highly mobile, distributed technology world where computing is ubiquitous, and increasingly cyber-physical, with smartphones and ‘smart’ everything else (from buildings to cars) surrounding us in our daily lives, and an increasingly complex supply chain supports it all,” she explains. If you don’t think about these aspects of everyday work at that design stage, it leaves you open to problems.
Again, Thielemann agrees with Dickson that you need the right people who embrace the need for cyber-resiliency – and not just in the technical teams.
“Most organizations still view cybersecurity as the responsibility of the IT security team,” she says. “The new world we live in means that security should be viewed as everyone’s responsibility. Cyber-resiliency cannot be achieved unless everyone in an organization is aware of their roles and responsibilities to make it happen.”
She says communicating that need can also be a key challenge as it needs to be heard and adopted across multiple areas that could impact the organization’s ability to be cyber-resilient.
“First there is communicating to employees about secure practices for handling data and cyber-threats they may face,” she says. “Then to executives and the board to ensure that they understand the risks and cyber-threats that the organization faces – and the potential impact to the business and its customers – so then they can appropriately support and fund efforts to be cyber-resilient. Finally, to customers, ensuring they understand the response to a disruptive cyber-event.”
As you can see from the points shared by all the experts Infosecurity spoke to, there is a lot for an organization to contend with.
For Shey, the main challenge is understanding the scope of what is required. “Cyber-resiliency is not a product that you buy,” she says. “It also requires more than implementation of technology controls and business continuity plans.”
Instead, she says businesses need to take a multi-layered approach of cybersecurity technology and processes, intertwined with robust risk management practices.
Moving Forward
It may sound overwhelming, but these are challenges that a business of any size can overcome if they have the right strategy going forward. Dickson says there are five components to creating a cyber-resilience framework for your organization.
Step one is ‘identify’ – look at your critical asset and process mapping, making sure you know which bits of your infrastructure are the most important, and carry out a risk and readiness assessment on them.
The second step is to ‘protect’, using the traditional first-line-of-defense security mechanisms we all know and depend on. Step three is to ‘detect’: invest in security analytics and keep watch across your systems.
Step four is about ‘response’, being ready to tackle security breaches or failures with the right tools. Finally, step five is about having a ‘recovery plan’, employing coordinated mechanisms to get everything back on track.
Dickson hammers home the importance of that last step. “Once considered a low-probability event, disaster recovery from cyber-attacks has a high impact and a greater likelihood of occurrence,” he says.
“The invasiveness of malware is forcing a change in the approach to data backup, which needs to be protected from malware aimed at deleting or corrupting the data. At the same time, the mean time to malware detection can be as much as 200 days, resulting in traditional backup and recovery being insufficient.”
Dickson recommends creating a comprehensive cybersecurity strategy through leveraging frameworks like the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), which can help outline an end-to-end cyber-attack defense continuum.
He also says the Center for Internet Security (CIS) Controls, which are mapped to the Cybersecurity Maturity Model Certification (CMMC), offer strategy recommendations.
Shey agrees that companies need to build a strategy for cyber-resiliency that they then work towards implementing.
She argues it will give a business direction and a purposeful investment of time and resources. “Get a sense of what to prioritize based on a maturity assessment,” she adds.
“For example, you might find that while your incident response processes are robust, they are primarily focused on the technical aspects of response and regulatory obligations, and ignore the customer-facing and employee-facing communications that would help to foster a smoother recovery.”
Thielemann advises that, to move forward as a cyber-resilient organization, it must be a long-term goal across a firm. “It needs to start at the top,” she says. “Committed leadership is a must, and tough financial decisions may be needed – sometimes cyber-resilience will mean investing in redundancies.”
There then must be communication down the ranks to promote a “collaborative, cooperative and creative culture,” fostering a “diverse and empowered workforce.”
Thielemann adds: “Organizations need to operate with dispersed, but interdependent operations, digitally and physically. They must delegate security decision-making to people closest to processes or systems and embrace composable thinking, with composable cyber and cyber-physical architectures that are adaptive, elastic and flexible.”
If a business is ready to coordinate, manage and mitigate organizational risks on a continuous basis, and prepared to rebound, resume and sustain decision making quickly, then Thielemann believes they can go forward as a cyber-resilient firm.
The past year has been tough on businesses and their staff, throwing up challenges that we could not have imagined just a few months before, but the one thing we have all learned coming out of the coronavirus pandemic is that we need to be prepared. This lesson can be transferred to all businesses and, with a plan in place, organizations can make sure they are truly cyber-resilient for any future bumps in the road.