Cyber resilience: Thinking beyond cyber security in the ‘next normal’
By Chaminda Vithanage
After the COVID-19 pandemic hit the world, many organizations changed how they do business. Today, with remote working becoming the new normal, people can work from anywhere in the world by connecting to a plethora of devices and networks. This has led numerous types of cyber-attacks to resurface, from phishing and ransomware to malware, posing significant risks for businesses, individuals, governments, and economies.
However, organizations have not put adequately robust strategies in place to secure their businesses and data. Many of them opt for a traditional defensive cybersecurity approach that focuses on safeguarding the confidentiality and integrity of data. But threat surfaces are now more extensive than before, and cybercriminals know this. According to Business Insider[1], cybercrime increased by 600% in 2020 alone. This proves that the traditional defenses companies have implemented are inadequate in the face of more sophisticated attacks that grow day by day.
In such a context, every organization must have cyber resilience in addition to cyber security.
“In September 2021, we wanted to raise our employees’ awareness of phishing emails. So, we sent a note seemingly from the HR team with a link to update their vaccination details and log in to provide their credentials. There were some obvious clues like the domain being 99xx and a few typos. It was quite a concern for us when unconsciously, many took the bait and clicked the link. We had two employees who were observant and took the initiative to raise the alert to our IT team.”
What is cyber resilience?
Cyber security is about defending your business against cyber threats. Cyber resilience has a broader scope and takes cyber security a step further. As per UpGuard[2], cyber resilience is concerned with maintaining effective operations while preparing for, responding to, and recovering from cyber incidents. This includes detecting and mitigating any cyber threat, patching vulnerabilities, creating awareness, and educating employees about cyber security. However, a company should be doing these things continuously rather than sticking to an annual plan or something similar.
Additionally, embedding cyber resilience in every element of a business is critical. This includes building resilience into every process, business unit, and system of the organization. Building resilience into every part of a business will ensure that a threat is tracked and that the necessary mitigation steps are taken and managed on time, without disrupting a company’s brand, finance, and customer trust commitments.
No proper cyber resilience framework
Cyber resilience aims to ensure operational and business continuity with insignificant impact. However, there is no proper mechanism to measure cyber resilience, even though the leaders of any organization need to have faith in their capacity to react to a cyber-attack and uphold customers’ trust. As of now, we do not have a cyber resilience framework that is widely accepted by the industry.
On the other hand, the industry has different maturity models that help businesses measure cyber security, supply chain, digital transformation, etc. But there is no maturity model to measure cyber resilience. What would one look like? This is not just about the capability to respond and recover; it is about how rapidly we recover and what we prioritize.
I believe it should not be another self-assessment method or a list that checks certain boxes. A mature cyber resilience mechanism needs to be flexible, compliant, and continuously refined. As someone who has been in the industry for two decades, I believe the industry should develop a framework that assists an organization and its higher management in understanding the significance of cyber resilience and how it will be accomplished.
Measuring cyber resilience
Most importantly, the framework needs to define a methodology and outlook for achieving cyber resilience. For example, is your company arranging any spontaneous acts of resilience? Do you develop cyber risk mitigation plans as a practice, or do you only do it when there is an audit? Resilience always calls for a multi-faceted approach, one that responds to threats while at the same time helping to achieve business goals.
How would you measure cyber resilience? It might involve a few steps:
- The organization needs to identify its most critical data and capabilities.
- It needs to figure out how well the systems are integrated to understand how vulnerable the business is to attacks. How the company hires and develops the skills of its employees is also vital, and building partnerships with industry players, competitors, and public institutions is also essential.
- Most importantly, the approach of the business needs to change so that you are both securing your company and enabling the company through security.
- Measuring customer trust and transparency should be considered an important step.
Different businesses might face various threats and risks, and there will be no one-size-fits-all approach to cyber resilience. However, the points I have put down above would facilitate a practical process toward cyber resilience. It will help organizations rally all stakeholders around a common goal, monitor investment decisions, and bring forth the practice of constant development. Most of all, cyber resilience should provide leadership with the confidence that when the worst happens, an organization can still deliver on its commitments.
In conclusion
The world has changed since the pandemic. It is no longer enough merely to secure your organizational systems. C-suite executives need to rethink what they will do when they are attacked. Remote work will be here to stay for some time, and cyberattacks are becoming more frequent and sophisticated. In such a context, whether you are in the public or private sector, cyber resilience will be non-negotiable.
(The writer is Senior Director – Process & Compliance at 99x)
[1] https://www.businessinsider.com/top-un-official-warned-of-cybercrime-spike-during-pandemic-2020-5