No cyber security defence is impenetrable. We’ve recently seen breaches on Acer, Microsoft Exchange and SonicWall. A report from Cybint estimates that, on average, there is now a hacker attack every 39 seconds – and the attack vectors are constantly evolving.
In response, organisations around the world are starting to take a new approach to mitigating their cyber risks. A traditional cyber security strategy that concentrates on trying to stop attacks is no longer enough. Instead, organisations must shift from prevention to an ‘assumed breach’ mentality – operating as though a breach has already happened, and ensuring they can recover fast, with minimal damage to operations.
Rather than relying on a protective layer of firewalls, anti-malware solutions and intrusion prevention, businesses increasingly understand the need to build cyber resilience beyond these first lines of defence. In addition to well-established cyber security practices, cyber resilience encompasses incident response, as well as business continuity and disaster recovery (BCDR). Incidents will almost certainly happen, and the focus is on keeping systems up and running during recovery, to speed up restoration, reduce downtime and minimise the overall impact of an attack.
People, process and technology
By definition, cyber resilience measures an organisation’s strength in preparing for, operating through and recovering from an attack. Only a holistic security programme will assure the resilience of an organisation and that of its customers before, during and after adverse events. Quickly identifying, responding to and recovering from security incidents is key.
To achieve this, cyber resilience must rest on people and processes, as well as a combination of technologies. When assessing their security posture, businesses should look for gaps in their security capabilities from a people, processes and technology perspective, and take steps to address these. For example, if staff lack security know-how, can this be fixed by hiring or developing dedicated security experts? And how can we use training to build enhanced security awareness throughout the organisation?
Processes should be clearly defined to deliver the desired security outcomes and must be repeatable and measurable. For most organisations, pinpointing weaknesses and making improvements to their processes will be an iterative journey, which should be kept under constant review.
Finally, technology solutions must be able to properly support both people and processes. Organisations should evaluate whether they have adopted the right solutions, whether they are using them to their full potential and how technology could be harnessed more effectively. Many cyber resilience issues are in fact not technology based. Cyber resilience hinges primarily on people and processes. Technology investments come second, and they should be made based on the needs of people and processes, not vice versa.
How to use security frameworks
Cyber security frameworks can be useful guidelines for achieving security objectives that lead to risk reduction and cyber maturity. Businesses can use specific aspects or combinations of frameworks, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework or the Center for Internet Security (CIS) Controls, to meet their cyber resilience goals.
The CIS Controls cover a prioritised set of actions to identify and protect organisations and their data from known attack vectors. From this list, the most essential controls to implement include inventories of hardware and software assets, continuous patch management, controlled use of account privileges, secure system configuration baselines and the maintenance, monitoring and analysis of audit logs.
Most of these can be achieved with technology that is already in place, by creating new security processes. The CIS controls also map directly to the NIST framework, which compiles industry standards and best practices into a cohesive format to help organisations better manage their risks. This framework is based on the five key functions required for cyber resilience: identify, protect, detect, respond and recover.
It is not prescriptive; instead, it gives businesses guidance on the outcomes they need to achieve. It is then up to each organisation to define which capabilities it will need to develop to reach these outcomes. These include: identifying vulnerabilities and understanding the organisation’s environment in order to manage risks to people, data, assets and systems; limiting and containing the impact of attacks; the timely detection of cyber events; effective incident response; and finally, recovery capabilities to restore normal, safe operations.
Businesses that establish or strengthen their capabilities in each of these five functional areas will be in a much better position to reduce the potential for bad outcomes.
Unfortunately, there is no silver bullet for how to achieve cyber resilience, as no two organisations are the same. Nevertheless, building cyber resilience should be an essential goal for any business. Most organisations will already have many of the required capabilities in place. Using existing frameworks as a guide, they should be able to identify any gaps in their security posture – and address them by tweaking processes, acquiring specialist know-how and optimising how they use technology.
Cyber resilience is an ongoing business effort and not an overnight endeavour, and it is a journey that requires careful evaluation of an organisation over time. The most important step is to get started.