Beyond the Buzz: Building Cyber Resilience
Resilience is everywhere these days, in analyst reports, marketing materials, and board tables. While resilience is easy to talk about as one of the latest industry buzzwords, implementing true cyber resilience is a complex but worthwhile endeavor that could save your organization millions should a cyberattack occur.
It’s estimated that cybercriminals can penetrate 93 percent of company networks. There’s a ransomware attack every 11 seconds. Former Federal Bureau of Investigation (FBI) director Robert S. Mueller III, who during his tenure created the FBI Cyber Division, was known for saying, “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
Beyond traditional business continuity and business recovery plans, cyber resilience is a shift in mind-set, culture, and approach where you assume that operations will be interrupted at some point. This shift in mind-set from reacting to threats as they occur to assuming that a breach is only a matter of time helps you look at cyber-risk management in a new, vested light.
When I speak with boards about cyber resilience, I talk about implementing resilient measures and practices across people, processes, and technology. By and large, I find that many organizations tend to focus on the technology investments they’ve made to shore up defenses, and far less on people and processes, leaving ample vulnerabilities that could prove hazardous down the line. If you find this to be the case within companies you oversee, below are a few tips boards should consider discussing with management to ramp up the “people” and “process” parts of the cyber-resilience equation.
Innocent mistakes and simple negligence make up 60 percent of insider incidents, costing the average organization $4.6 million each year, according to the 2020 Cost of Insider Threats Global Report.
Cybersecurity is more about people behind keyboards than it is about technology. Threat actors, especially nation-state actors, prey upon innocent and well-intentioned employees. During my time at the FBI, I worked cases where threat actors used an employee’s social media accounts to groom them from an unwitting accomplice into a knowing coconspirator. People are the first line of defense, but still the weakest link.
To boost people resilience, boards should ensure management takes the following actions:
Implement a cyber culture. Make cybersecurity training mandatory for all employees from the C-suite and boardroom to the mailroom on an annual basis. Aligning training with Cybersecurity Awareness Month in October is a timely reminder.
Build relationships and clarify roles. Identify the most critical systems, applications, and data you need to keep operations going. From there, identify roles and responsibilities. While this may sound obvious, when I served as chief information officer (CIO) for the FBI, I found documenting this helped me ensure that the right people were in the right roles, and that I had the right relationships and buy-in across the organization, which was crucial to keeping our systems secure.
Stay current on cybersecurity trends. Threat actors are rapidly innovating and sharing information in real time, so we must constantly be shoring up our defenses and resilience so we can weather any storm. It’s also important to include updates from your CIO or chief information security officer in board agendas to keep dialogue open about cyber readiness, new threats, and potential vulnerabilities.
As mentioned above, identifying mission-critical assets and mapping the process to protect them enables rapid recovery to a secure state when an attack inevitably happens. If you’re early in your cybersecurity journey, consider working with a partner who can deliver an incident readiness assessment that:
simulates adversary tactics, techniques, and procedures in your environment,
evaluates your strategies already in place, and
can help identify gaps and suggest next steps.
Boards should discuss the following areas of focus with management:
Critical data protection. Identify assets and systems that are essential to continued business operations and that must be protected in the event of a cyberattack. Map interdependencies within your environment so your teams understand how to pivot and recover when crucial operations are interrupted. For more cyber-advanced organizations, consider implementing a vaulted, data-isolated backup solution that further prevents data corruption and loss.
Cyber resilience framework. Create a framework that integrates backup solutions and enhanced security controls with the right governance and procedures to secure your business-critical systems. For more cyber-advanced organizations, establish workflows that can securely move business-critical data into an isolated environment.
Recovery playbook. Create and maintain accurate recovery steps in a playbook to ensure resilience processes are identified, documented, and tested. For more cyber-advanced organizations, develop response plans that accelerate recovery for each stream, and consider doing live recovery exercises as well as cyber recovery tabletops to continuously test and improve response procedures.
Cyber resilience is really about people, including culture and relationships, and process. Because people are still the weakest link in the cyberattack chain, creating an environment with your employees where they feel informed, included, and empowered to learn and reduce cyber risk is crucial. Using a process to understand your mission-critical assets is imperative, and developing the right relationships with sales, marketing, legal, communications, executives, and other stakeholders will make the road to recovery faster and less painful.
Building resilience into the enterprise is no small task—but once it is implemented, it significantly reduces organizational risk and helps ensure that your business can keep doing what it does best.
James Turgal is the vice president of cyber risk, strategy, and board relations at Optiv.