The risk of a business-threatening cyber-attack is ever present today. Ransomware locks up data, making it hard for businesses to operate. The impact is so bad that an increasing number of companies are paying to get their data back.
At the same time, Advanced Persistent Threats (APTs) can sit inside a system for months before activating and attacking. The question many struggle with is: will a good Disaster Recovery (DR) or Business Continuity (BC) plan get the company back up and running?
In March of this year, the National Institute of Standards and Technology (NIST) issued a draft publication on Cyber Resiliency. One person who knows a lot about the subject is Felicity March, IBM’s Cyber Resilience Specialist for Europe. Enterprise Times went to IBM’s Hursley Park offices to talk to her about what Cyber Resilience means.
March defines Cyber Resilience as: “Improving a company’s capability to maintain its core purpose and integrity in light of or after a cyber-attack. What that means is a lot of companies believe that if they pay a lot for cyber security none of the viruses will get through the front door.” The reality is that attacks happen and recovery can be long and painful.
One of the big questions is how this differs from DR or BC. March told us that cyber resiliency is much broader in scope than DR and BC. She often hears customers talk about traditional DR, which is more about flooded data centres. When they are hit with a total IT failure, they often haven’t tested their DR or BC plans to see how they cope with a cyber-attack.
One of the biggest problems that March comes across is organisations that do not know who is responsible for reconstructing IT after a cyber-attack. The problem is compounded when parts of IT are outsourced with no clear guidelines or processes. The solution is to create a DR plan that encompasses the entire IT estate, not just specific systems. Organisations also need an approach that ensures any DR environment is clean of hidden attacks that would otherwise reappear.
Change management is part of the solution, but the problem is that people are not using it as part of their security solution. In addition, as they outsource systems, it is hard to know who is using change management and almost impossible to align different systems. March makes the point that too many outsourcing contracts are designed by lawyers and accountants. This means that the system architects, who could ask these questions, are not involved. It creates a recovery gap.
To hear more of what March had to say, listen to the podcast.
Where can I get it?
- For Android devices, obtain it from play.google.com/music/podcasts
- Use the Enterprise Times page on Stitcher
- Listen to the Enterprise Times channel on Soundcloud
- Listen to the podcast online, or download it to your local device and listen there.