Recent attacks on Acer, Microsoft Exchange and SonicWall have proven that no organization’s cybersecurity defenses are impenetrable. Cyber-criminals are constantly refining their tactics, and the number of attempted breaches continues to rise. According to a report from Cybint, there is now, on average, a hacker attack every 39 seconds.
As a result, businesses need to find new approaches to mitigating cyber risks. Recognizing that traditional prevention strategies don’t work on their own, organizations are increasingly pivoting to an ‘assume breach’ mentality. This means operating as though an attacker is already in the network and focusing on building cyber resilience: the ability to recover rapidly and with minimal damage.
Beyond their first lines of defense — made up of traditional security technologies and established security practices — organizations need to invest in strong incident response, as well as business continuity and disaster recovery (BCDR) capabilities. Because cyber incidents will happen, the emphasis is no longer on prevention but on keeping the business running while systems are being restored. Fast recovery can reduce downtime and minimize the fallout from an attack, so quickly identifying and responding to security breaches is key.
Cyber Resilience Rests on Three Capabilities
A holistic cyber resilience program must encompass people and processes as well as technology. Organizations should proactively identify and address weaknesses in their security posture in all three areas. For example, if staff lack know-how and awareness, can this gap be filled with training or by hiring a security specialist? Security processes must be clearly defined, repeatable and measurable and should be kept under constant review, as making improvements is usually an iterative journey.
When assessing security technologies, organizations should consider whether the solutions they have implemented provide the right capabilities, whether they are using these solutions to their full potential — and whether the technology supports staff and processes in the most effective way. Because cyber resilience depends primarily on people and processes, technology investments should be made based on the needs of people and processes, not vice versa.
Frameworks Provide Useful Guidance
Organizations can use specific aspects or combinations of cyber security frameworks, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework or the Center for Internet Security (CIS) Security Controls, to define their cyber resilience goals.
The CIS Controls provide a prioritized list of actions for identifying and protecting businesses from known attack vectors. Fundamental controls include inventories of hardware and software, patch management, use of account privileges, secure system configuration as well as maintenance, monitoring and analysis of audit logs. Most of these can be achieved with technology that is already in place. The CIS controls map to the NIST framework, which compiles industry standards and best practices.
This framework is based on five key functions required for cyber resilience: identify, protect, detect, respond and recover. It gives organizations useful guidance on the outcomes they need to achieve: being able to identify vulnerabilities and understand risks to people, data, assets and systems; the ability to limit impacts from cyber events; the timely detection of attacks; effective incident response and last but not least, recovery to normal, safe operations.
The frameworks are not prescriptive, so it is up to each organization to define which areas it needs to strengthen to achieve better cyber resilience. An initial audit will help pinpoint any gaps in an organization’s security posture, and often these can be addressed by reviewing processes, improving or acquiring specialist knowledge and optimizing the use of existing technology solutions. Most businesses will already have some of the required capabilities in place and can build on these, using the existing frameworks as a guide. True cyber resilience requires an ongoing business effort. This is not a one-off project but a long-haul journey.