Organisations must continuously innovate if they are to grow and compete in today’s digital transformation era. It’s why so many of them are investing in new tools and technologies like AI. The problem is that hackers and saboteurs are innovating too.
We also all know the impact a successful cybersecurity attack can have on a business. The damage to brand reputation, trust, and profitability can take years to repair. It tells us that, more than ever, organisations must be able to quickly identify, protect and respond to new and existing threats.
Cyber-resiliency is incredibly important in both conducting business and navigating the increasingly complex threat landscape. Arguably even more so as the current COVID-19 pandemic means organisations are required to adapt to new ways of working. But what do we mean by cyber-resiliency? And is it the same as business continuity and disaster recovery?
What is cyber-resiliency?
Cyber-resiliency is about organisations being equipped to continuously deliver products and services despite potential cyber-related events impacting their normal operations. It means businesses must be able to prepare for, prevent, respond to, and successfully recover from an attack or breach. And this needs to be done without disruption or degradation to normal delivery expectations.
It reinforces the need for security to be a core business function, designed to protect resources and implemented to mitigate risk. After all, integrating cybersecurity processes from the outset can significantly strengthen digital transformation projects.
What’s more, it’s important to note that cyber-resiliency is different from business continuity and disaster recovery. Differentiating between the three is something organisations struggle to get right. It’s why we devoted an entire section to cyber-resiliency in our 2020 Global Threat Intelligence Report (GTIR). We explain what it is, how to achieve it, and how to measure its effectiveness.
How to approach cyber-resiliency
A good place to start in achieving cyber-resiliency is understanding what organisations are trying to protect, including key intellectual property, critical assets, data, and core delivery functions.
Organisations must answer the following questions:
- What data and capabilities are the most important for the business?
- What are the systems involved with supporting the data and capabilities?
- How will the organisation and its customers use the data and services provided?
Answering these questions honestly allows organisations to build cyber-resilient capabilities. With this information, they can begin to define a comprehensive security program which includes policies, development controls, processes, technologies, training and more. They can also begin to test and validate plans, which may need to be adapted as time goes on.
Cyber-resiliency is about more than individual technologies
However, organisations must acknowledge that effective cyber-resiliency does not simply mean deploying individual technologies to address specific threats. They must also be able to identify vital assets and how current security measures relate to them. It’s about looking at the bigger picture.
Organisations must ensure senior leadership teams are fully supportive of security initiatives. They should invest in the resources required to achieve and maintain a cyber-resilient state. What’s more, they need to be fully confident that the business will continue to function when an attack hits. All of this requires talking about security in a language that leaders understand.
Senior leadership teams will also want to see a return on security investment. So, when building cyber-resiliency capabilities, organisations must also include indicators and assessments that can measure performance against expectations or desired results. Examples include time to respond, breach avoidance, resource efficiency and cyber posture. Cyber-resiliency is also part of the breach planning process, so must be rehearsed again and again. Offensive and defensive security exercises can be a great way of assessing how an adversary would target an organisation, and how well its people, processes, and technologies perform in maintaining its security posture.
Lessons learned, breach simulation and regular testing serve as a continuous feedback loop for capturing and applying incremental improvements to the cybersecurity program. This will demonstrate the value of the investment and how it supports and aligns with the overall business mission.
Organisations must also understand that cyber threat actors have the advantage of time, robust tools, and the element of surprise. Quite simply, organisations should assume a breach.
Surviving that inevitable cyberattack is often the first time an organisation can be certain it has achieved cyber-resiliency. If an organisation is having to recover from an incident before it can continue working, it is not resilient. Organisations must, therefore, do their best to adopt a cyber-resilient approach and embrace secure-by-design ideologies.
Foundational concepts businesses should consider
There are several foundational concepts that businesses can use to build their cyber-resiliency. These include:
- Develop a cybersecurity strategy and ensure proper leadership and board support. As part of this, use one common language of risk while aligning security with business objectives.
- Bring HR teams into planning. Key people are not always available immediately in the event of an incident, and most plans do not have the details of succession or permissions. People also leave the company. If HR maintains this type of information, businesses can ensure their cyber-resiliency plans, and indeed incident response plans, can be enacted without delay.
- Identify and map risks to critical assets. Understand what needs to be protected and how business continuity can be maintained if these assets are inaccessible following a breach.
- Secure the foundation and do not undervalue the basics of security. Get the basics right first and build additional capabilities upon that strong foundation.
- Design, build, and deploy solutions which are difficult to attack and are ‘secure by design’: security integrated into the solution design from the outset.
- Measure security capabilities and adjust priorities based on insight from reporting, metrics, and validation processes.
- Implement an air-gapped system for storing cyber-resiliency plans so, should a ransomware attack take down the main system, they are still accessible and actionable.
- Regularly test and validate the cyber-resiliency plans, as this will help organisations see what’s working and what is not, and therefore what needs changing.
Finally, organisations should place cyber-resiliency at the top of their priority list – and treat it equally with business continuity and disaster recovery. If organisations are cyber-resilient, they will be able to bounce back from a breach – and carry on innovating, so the hackers don’t lead the race.
NTT Ltd. is a leading global technology services company. We partner with organizations around the world to shape and achieve outcomes through intelligent technology solutions. For us, intelligent means data-driven, connected, digital and secure. As a global ICT provider, we employ more than 40,000 people in a diverse and dynamic workplace that spans 57 countries, trading in 73 countries and delivering services in over 200 countries and regions. Together we enable the connected future.
Visit us at hello.global.ntt