7 steps to building cyber resilience for your business

Cyber resilience is the ability to prepare for, respond to and recover from cyber-attacks.

The term has emerged in recent years because traditional cybersecurity practices are no longer enough to protect organisations from the outbreak of persistent and costly attacks. 

According to last year’s “The State of Email Security Report” by Mimecast, 31 percent of organisations experienced data loss due to lack of cyber resilience preparedness. 

Cyber resilience helps a business plan and protect against cyber risks, defend against and limit the impact of attacks, and ensure business survival despite an attack.

With today’s businesses depending more and more on technology – especially in the age of the pandemic – the risk and impact of cybercrime are perhaps higher than at any time in the past. What’s more, this trend is likely to continue – making cybersecurity as essential as simply having locks on your office doors. With this in mind, let’s take a look at seven steps to building cyber resilience for your business.

Step One: System Hygiene

Practising good system hygiene is one of the most important steps in helping to build cyber resilience.  A common analogy that explains the importance of cyber hygiene practices is to liken it to personal hygiene.  For many of us, daily hygiene practices such as brushing our teeth and having a shower enable us to keep clean and healthy.

When compared to system hygiene, it really isn’t much different. Such practices are pretty simple and effortless to implement and help to maintain a healthy infrastructure. Just as we’ve been washing our hands religiously to reduce the risk of catching Coronavirus, maintaining systems hygiene is vital to protecting your business from being infiltrated by cybercriminals.

Hygiene practices include using secure networks, installing multi-factor authentication, carrying out daily backups, phishing detection and education, segmenting the network to enable you to isolate and contain malware, keeping systems up-to-date with the latest installations, and protecting user access privileges.

Step Two: Develop a plan

The prospect of a cyber attack happening within your organisation is not something anyone would like to dwell on too much. However, one of the most important ways you can prepare for a situation like this is to have a robust incident response plan in place in case it does happen.

You’ll want to allocate a cross-functional team of senior management to plan for cybersecurity events and consider hypothetical attacks. Each person within this team should be allocated a certain role with clearly identified responsibilities. 

An incident response plan should contain specific directions for specific scenarios of attack, avoiding further damages, reducing recovery time and mitigating cybersecurity risk.

At a cybersecurity event at the Ovo Energy Head Office in Bristol, HdE Co-Founders Dale and Ash were invited to meet the region’s senior cyber leads and learn about their approach to breaches and incident management.

During the event, Luke Briscoe, Senior Engineering Manager at Monzo, explained that, when dealing with human error-related incidents, human error “shouldn’t be the conclusion”; rather, it should be the starting point.

Briscoe suggested that businesses should focus more on asking “how” questions rather than “why” during this stage. Ultimately, this will encourage more people to put their hand up when these types of incidents happen, helping you to understand the processes that led to the problem occurring, and thus enabling you to fix it and avoid similar incidents in the future.

Incident response procedures focus on planning for cyber-attacks and how businesses will recover from them. Without a solid plan in place, your business runs the risk of not detecting attacks or knowing what to do to contain, clean up and prevent attacks when detected.

Step Three: Map out a risk profile

In the context of cybersecurity, “risk” is the likelihood of reputational or financial loss and can be measured from zero, low, medium, to high. The three key factors that feed into a risk vulnerability assessment are:

  1. What is the threat? 
  2. How vulnerable is the system?
  3. What is the reputational or financial damage if a occurs

This step requires an organisation to study cyber patterns and attack modes to develop a tailored approach to protecting company assets. This involves risk analysis: looking at the probability of attacks in order to be able to devote time and resources to protecting against them.

Step Four: Assess and measure

“You can’t manage what you can’t measure” is a common quote in the world of management, and the same can be applied to building cyber resilience for your business. 

During this step you will want to consider the following factors:

  • the organisation’s key assets and the top risks that could affect them
  • updated assessments of relevant threats and threat actors
  • a consistent and accurate definition of risk appetite for the business as a whole.

The US National Institute of Standards and Technology (NIST) framework can be used directly to perform a risk assessment by understanding the likelihood and impact of an absence of each of the categories identified by the framework. This will generate an estimate of your risk profile.

Step Five: Mitigate risk

By identifying your business’s risk profile, you can efficiently focus on minimising the risk of disruption or slowdowns by investing in certain measures.

You won’t have the budget to mitigate every risk, so this stage is about deciding which scenarios should be prioritised when looking to mitigate the risk. This is done by determining the probability of each risk occurring and the impact it will have on the organisation.

For instance, you may wish to look at tailoring employee-related controls by role. Controls to avoid data leakage would apply only to those with access to key assets, ensuring you’re focusing time and resources on the highest priority.

Step Six: Cyber insurance 

Despite carrying out all of the above steps and preparing as much as you can in order to build cyber resilience, unfortunately, this will not make you immune to attacks. Cybercriminals are becoming more and more sophisticated in their ways, finding new methods to gain entry into your organisation’s network.

According to the 2020 UK Cyber Security Breaches Survey, 46% of businesses suffered a cybersecurity breach or attack in the last 12 months. Of these businesses, one in five lost money or data to the breach, while two in five faced business interruption. With this in mind, it’s highly recommended that your business obtains cyber insurance to provide contingent capital and specialised assistance in the event of an attack.

Cyber insurance policies help minimise the financial and business damage of these hacking attempts, covering costs related to data recovery or business disruption. The policies can also protect against non-criminal loss or damage, such as an IT system failure.

Step Seven: Get started

That leaves us with the final step: getting started. All it takes is a single step! When it comes to a cybersecurity strategy, there is no one-size-fits-all approach. The requirements will differ for each organisation, even those that operate in the same industry.

A resilient and robust cybersecurity programme is one that is tailored to meet the needs of a business, based on realistic risk assessments and backed with a solid and detailed plan.

This blog is based on an infographic by AIG which explains an approach to the development of a cyber resilience strategy.