Director, Information Security
Resilience is all about the ability to recover quickly when faced with a challenge. For businesses, resilience is often tied directly to business continuity, where professionals are tasked with ensuring an organization can quickly adjust, adapt, respond, and recover from disruptions and disasters.
Today, with an increasing number of successful cyber breaches (like ransomware attacks) making headlines, resilience is often discussed in terms of cyber resilience. For many organizations, it’s a new and imperative focus for executives and investment in resources, staffing, and tools.
But when you hear the term “cyber resilience,” what does it entail and what does it mean for your operations? And, more importantly, if you’re not doing so already, how do you directly connect your cyber resilience goals with your business continuity program?
First, what is cyber resilience?
In short, cyber resilience is your ability to understand your cyber risks and make plans that anticipate the “what ifs,” if you experience a cyber event, and successfully stop the spread or impact, adapt to your changing environment, and then recover from it, with a return to normal operations as soon as possible.
MITRE, a nonprofit that operates federally funded research and development centers, notes that there is not yet a single authoritative definition of cyber resilience. Instead, it draws on seven areas when defining the term: national security, critical infrastructure, critical infrastructure security and resilience, Department of Defense (DoD) cybersecurity, network engineering, resilience engineering, and Homeland Security. From all of these sources it pulls keywords such as:
That sweeping — but direct — focus should be at the heart of all of your cyber resilience planning.
Cyber resilience may be more critical to organizations than ever before. Why? Because it’s how your organization can anticipate, plan for, mitigate, respond to, and recover from cyber events. As we have mentioned in several other blogs here at Castellan, when it comes to resilience, our approach should no longer be about if we experience a disruption or disaster — but when.
We already anticipate the when in our disaster recovery plans, and even in everyday life. Historically, though, IT and security organizations have been conditioned to treat 100% prevention as the only acceptable business position.
The when mindset applies just as much to cyber resilience. The data increasingly show that, across all industries, cyber events are moving closer to when and further from if. Acknowledging that a breach is likely (whether through your own IT failure or a third-party provider's) lets us focus on what matters from that point on: how we respond.
Case in point: More than 37 billion records were exposed through cyber breaches in 2020. While the total number of breaches was down from the previous year, the number of record exposures alone was up 141% compared to 2019.
Record exposures are not the only thing increasing; the nature of the attacks is changing too. Ransomware continues to be a growing focus for attackers, and 2020 saw a 100% increase in ransomware attacks compared to the previous year. That increase likely reflects the number of successful attempts enabled by the sudden shift of teams around the world to remote work during the coronavirus pandemic.
It’s not surprising then to see more organizations giving cyber resilience increased attention. In one of our recent webinars, we asked participants about their organization’s cyber resilience focus and learned:
Unfortunately, just shy of 10% told us it is not a priority at all, or is a priority only when incidents happen.
As we get more focused on cyber resilience and have more cyber resilience conversations with our customers, we are learning that some struggle with the distinction between cyber resilience and cybersecurity. Some organizations mistakenly assume that because they have implemented a cybersecurity program, they can also check the box for cyber resilience.
There are, however, key differences between the two. Think of cybersecurity as the defense that protects your organization from a cyber event: the way your organization looks for its weaknesses and vulnerabilities and makes plans to shore them up before an attack. For example, you might run antivirus software on all of your devices to decrease the chance of infection. That is a cybersecurity measure.
Cyber resilience is about how you do business day to day. It is how you limit the impact of an attack on your organization, not just on your core systems and data but on all of your operational functions and your brand reputation as a whole. Adding a cyber resilience component to your business continuity program means your organization knows what to do when it experiences a cyber event: how to contain it, what it needs in order to adapt and recover, how to return to business as usual, and how to prevent a similar event from happening again.
As we’re seeing an increase in both cyber-attack attempts and successful attacks, we’re understanding that even the best, most well thought-out security measures can’t always stop an attack. We cannot approach cyber resilience comfortably with an “it can’t happen to us” mindset. Instead, we must build a culture of resilience throughout our organization, one where cyber resilience is woven into the overall corporate ethos, regardless of disruptive event type or disaster.
As a good rule of thumb, your cyber resilience approach should include these core areas:
Cyber resilience also includes:
Security management and information security management
These are the controls and policies your organization uses to protect its information technology assets. They can also include physical security measures, such as badge-controlled access and locked server rooms.
Data protection, including backups, restore processes, and Disaster Recovery as a Service (DRaaS)
These are the processes that ensure you have reliable, geographically diverse backups of your infrastructure and your critical data and systems, and that restores from those backups are tested regularly rather than assumed to work. Because ransomware routinely targets online backups, at least one copy should be offline or immutable.
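As an added example (not part of the original page and not Castellan's own tooling), the following Python script checks a constructed backup inventory against the conditions this section describes: a backup recent enough to meet the system's recovery point objective (RPO, the term the page uses later alongside RTOs), copies in at least two regions, an offline or immutable copy, and a restore test that is not stale. The system names, the inventory, the BackupCopy and Policy structures, and every threshold are assumptions chosen for illustration; the point is that each claim in a resilience plan maps to evidence that can be checked on a schedule.

```python
"""Backup inventory check against a data-protection policy.

Added example, not code from the original page. The inventory below is
constructed for illustration; in practice it would come from your backup
platform's catalog or reporting interface (assumption, not a real API).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BackupCopy:
    system: str                            # business system the copy belongs to
    region: str                            # where the copy is stored
    completed_at: datetime                 # when this copy finished
    immutable: bool                        # object lock / WORM / offline media
    last_restore_test: Optional[datetime]  # when a restore from it was last proven


@dataclass(frozen=True)
class Policy:
    rpo: timedelta                          # maximum tolerable data loss for the system
    min_regions: int = 2                    # geographic diversity
    require_immutable: bool = True          # one copy ransomware cannot encrypt or delete
    max_restore_test_age: timedelta = timedelta(days=90)


def check_system(system: str, copies: List[BackupCopy], policy: Policy,
                 now: datetime) -> List[str]:
    """Return findings for one system; an empty list means it meets policy."""
    mine = [c for c in copies if c.system == system]
    if not mine:
        return [f"{system}: no backup copies recorded"]
    findings: List[str] = []

    # RPO: the newest copy must be no older than the tolerable data loss.
    newest = max(c.completed_at for c in mine)
    age = now - newest
    if age > policy.rpo:
        findings.append(f"{system}: newest backup is {age} old, exceeds RPO of {policy.rpo}")

    # Geographic diversity: a single region is a single point of failure.
    regions = {c.region for c in mine}
    if len(regions) < policy.min_regions:
        findings.append(f"{system}: copies in {len(regions)} region(s), policy requires {policy.min_regions}")

    # Ransomware assumption: online, mutable backups can be encrypted or deleted with the primary.
    if policy.require_immutable and not any(c.immutable for c in mine):
        findings.append(f"{system}: no immutable or offline copy")

    # A backup is only a recovery capability once a restore from it has been proven.
    tests = [c.last_restore_test for c in mine if c.last_restore_test is not None]
    if not tests:
        findings.append(f"{system}: restore has never been tested")
    elif now - max(tests) > policy.max_restore_test_age:
        findings.append(f"{system}: last restore test is {now - max(tests)} old, "
                        f"exceeds {policy.max_restore_test_age}")
    return findings


def check_inventory(copies: List[BackupCopy], policies: Dict[str, Policy],
                    now: datetime) -> Dict[str, List[str]]:
    """Evaluate every system that has a policy, including ones with no copies at all."""
    return {system: check_system(system, copies, policy, now)
            for system, policy in policies.items()}


# Constructed sample data (not real systems or backups).
NOW = datetime(2021, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_COPIES = [
    BackupCopy("erp", "us-east", NOW - timedelta(hours=6), False, NOW - timedelta(days=30)),
    BackupCopy("erp", "eu-west", NOW - timedelta(hours=7), True, None),
    BackupCopy("crm", "us-east", NOW - timedelta(hours=30), False, None),
]
POLICIES = {
    "erp": Policy(rpo=timedelta(hours=24)),
    "crm": Policy(rpo=timedelta(hours=24)),
    "hr": Policy(rpo=timedelta(hours=48)),  # has a policy but no copies: the worst case
}

if __name__ == "__main__":
    for name, findings in check_inventory(SAMPLE_COPIES, POLICIES, NOW).items():
        print(("PASS " if not findings else "FAIL ") + name)
        for finding in findings:
            print("  - " + finding)
```

Run as written, the script passes "erp" (two regions, one immutable copy, a restore proven 30 days ago), fails "crm" on all four conditions, and flags "hr" as having a policy but no backups at all, which is the gap a plan-on-paper review tends to miss. The same structure extends naturally to per-system RTO checks if your restore tests record how long the restore took.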
These are the steps you take to build a culture of resilience, not just within your organization (employees, executives, and key stakeholders) but also with your customers and the public at large.
These are the processes you use to evaluate the impact of a disaster or disruptive event on your operations. They also help you identify your critical assets and functions.
You should conduct internal and external penetration tests, also known as pen tests, to determine if your controls are working as designed and to identify gaps or other security issues before a breach.
Stress testing is also useful for resilience because it shows how well your systems and other processes perform under heavy load or pressure.
System hardening and Zero Trust
System hardening covers all of the tools and processes you use to reduce weaknesses across your operations, including your IT infrastructure, systems, and applications. For example, you may adopt a Zero Trust approach, which removes the implicit trust granted by network location and instead requires every access request to be authenticated and authorized.
Incident plan strategy testing and exercising
Incident plan testing and exercising are the processes you use to confirm that your plans are effective and work as intended. By routinely exercising and testing your resilience plans, you identify gaps and deficiencies and fix them before an actual event. Testing and exercising also help you mature your resilience and business continuity programs as your organization evolves. A tip: as your testing matures, use blended threat scenarios in your exercises, for example a global pandemic, a remote workforce, and a cyber attack occurring at the same time.
Your incident management processes should include the gamut of plans, policies, and processes to address incidents as they happen, learn from them, and make plans for improvement and modifications, including attack control, restoration, crisis communications, and more.
Cyber events and other disasters and disruptions don't just affect your employees and vendors; they can also harm your customers and your brand identity. That's why reputational management belongs in your resilience planning, including how you respond, with pre-approved, clear communications during and after an event. With preparation, a high-profile event can produce a headline like "Company X restores services only hours after major cyber attack" rather than "Weeks after cyber attack, Company X has yet to restore all services".
Cyber resilience brings a wide range of benefits to your organization's resilience as a whole. It gives your organization the tools it needs to anticipate, protect against, detect, withstand, recover from, and adapt to an attack.
These processes not only improve the security of your information technology systems; they also help you limit the financial and reputational damage of an event and help ensure you meet your recovery time objectives (RTOs) and recovery point objectives (RPOs), minimizing the impact on your ability to deliver core services.
Cyber resilience is also a key part of meeting your compliance, legal, and regulatory obligations, and it can reduce the likelihood of audit findings or a non-compliance event that could result in legal action, fines, and penalties.
By building resilience into your organizational culture, you’ll soon find that your entire team understands their individual roles in ensuring your organization is safe and protected, which in turn will help build trust among your customers and the public, helping you scale and grow.
If you haven’t yet built cyber resilience into your business continuity program, now is the time. You can do this even if you’re a small team or have limited resources.
Consider adopting a cyber resilience framework. It can help you establish processes, policies, controls, and more, all while helping you attain the level of resilience you need today and in the future.
Need help understanding what cyber resilience looks like for your organization and how you can work it into your existing business continuity and disaster recovery plans?
Consider working closely with a resilience advisor such as Castellan. We can help you enhance your existing team and processes or help build, manage, and maintain your program for you.
Have questions about cyber resilience? Contact Castellan today. We’ll be happy to show you how we can help.