Building Cyber Resilience

According to a PwC survey, executives display confidence in the robustness of their security initiatives. The reality, however, is:

  • The average losses per incident are up 23% year-over-year
  • The number of organisations reporting losses of more than $10 million per incident is up 75% from just two years ago
  • The number of security incidents detected is rising significantly year-over-year

No organisation is safe from an attack. What has changed is that companies and governments must face the reality that it is no longer a question of if they will get hacked, but when.

Developing cyber resilience is the only way to build defences that will hold up against an attack that, sooner or later, will succeed.

What does it mean to be cyber resilient?

Cyber resilience encompasses information security defences and prevention, but goes beyond them: it incorporates incident response planning and business continuity practices, so that you are prepared for a crisis, whether or not that crisis is brought on by a cyber attack.

Where do you start?

1. As a guideline: use frameworks and standards

Internationally recognised standards provide a proven framework for building cyber resilience. By combining the commonly accepted standards for cyber security (ISO 27001) and business continuity (ISO 22301), organisations can follow a comprehensive approach to becoming resilient to cyber attacks. The IT Governance cyber resilience standards pack provides the resources for this.

– Cyber resilience core standards kit

– Cyber resilience incident response kit

  • Other reading:

– Cyber Security Culture

2. Conduct a risk assessment

Regular vulnerability assessments and penetration tests are a good way of assessing the robustness of your networks, systems and applications. Interpreting their results requires a trained eye and experienced judgement if the advice drawn from them is to be sound. IT Governance's penetration testing service includes detailed reporting and advice that indicate where your vulnerabilities and threats lie, why they should be addressed, and what actions to take to rectify them.

Conduct a risk assessment of your information assets to identify weaknesses related to people, processes or technology. To make this easier and faster, the vsRisk cyber security risk assessment tool speeds up the process by up to 70%.

  • Other reading:

– Information Security Risk Assessments Tool

3. Implement controls

A wide range of security controls can help fortify your defences. These range from a sound information security management system (ISMS) (we recommend following ISO 27001) with policies and procedures for managing your risks, through training and awareness programmes, to technical controls such as encryption, to mention a few. Some organisations prefer to engage consultants to develop a roadmap of the recommended measures to be undertaken. Either way, appointing a champion who takes responsibility for managing this process is essential.

  • Other reading and encryption resources:

– Simple Steps to Data Encryption

– Cryptography Information Security Guide

– Alert Endpoint Encrypt

– Symantec Whole Disk Encryption

– Boldon James Classifier

4. Prioritise business processes

Taking a cyber resilient approach moves you from simply confirming that the necessary security controls have been applied to first establishing which business assets and processes matter most, and then ensuring that your security, response and recovery measures are adequate to protect those critical assets in the event of an attack.

5. Testing and incident response planning

Following the principles of business continuity management in ISO 22301, it is essential to develop an incident response plan, run simulations against it, and then test regularly to validate that your programmes are effective. By comprehensively testing your Recovery Time Objective (RTO) capabilities you get a measured indication of how soon each critical process can be brought back to full capacity, so that the business can return to normal operation.
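The two steps above, prioritising business processes and then testing recovery against each one's RTO, are easiest to validate with an actual drill record rather than a checklist. The following script is an added example (not IT Governance's own tooling) that parses a constructed drill log, measures the RTO achieved for each process, ranks the results by business priority and flags shortfalls. The log format, process names, priorities and RTO targets are all assumptions made for the example; one edge case it handles deliberately is a process that was never restored before the drill ended, which must count as a failure rather than a pass that happens to be within the window so far.

```python
"""Check recovery-drill results against each business process's RTO target.

Added example, not IT Governance code. The log format, process names,
priorities and RTO targets below are constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed drill log: one event per line, timestamps in UTC.
# priority 1 = most critical, as decided in the business-process prioritisation.
DRILL_LOG = """\
2024-03-12T09:00:00Z payments-api priority=1 rto=2h event=declared
2024-03-12T09:05:00Z crm priority=2 rto=8h event=declared
2024-03-12T09:05:00Z intranet-wiki priority=3 rto=24h event=declared
2024-03-12T11:35:00Z payments-api priority=1 rto=2h event=restored
2024-03-12T14:10:00Z crm priority=2 rto=8h event=restored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<process>\S+) priority=(?P<priority>\d+) "
    r"rto=(?P<rto>\d+)(?P<unit>[mhd]) event=(?P<event>declared|restored)$"
)
UNIT_SECONDS = {"m": 60, "h": 3600, "d": 86400}


def parse_ts(s):
    """Parse the assumed ISO-8601 'Z' timestamp format into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_drill_log(text):
    """Return {process: {priority, rto_target, declared_at, restored_at}}.

    Unparseable lines raise rather than being skipped, so a malformed drill
    record cannot silently turn into a missing (and therefore unchecked) process.
    """
    drills = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable drill log line: {line!r}")
        d = drills.setdefault(m["process"], {
            "priority": int(m["priority"]),
            "rto_target": timedelta(seconds=int(m["rto"]) * UNIT_SECONDS[m["unit"]]),
            "declared_at": None,
            "restored_at": None,
        })
        d[m["event"] + "_at"] = parse_ts(m["ts"])
    return drills


def evaluate(drills, drill_end):
    """Score each process against its RTO, ranked by priority then by shortfall.

    A process with no 'restored' event by drill_end is a failure: the measured
    RTO is open-ended, even if the target has not yet elapsed.
    """
    rows = []
    for name, d in drills.items():
        if d["declared_at"] is None:
            raise ValueError(f"{name}: restored without a declared event")
        if d["restored_at"] is None:
            measured = drill_end - d["declared_at"]
            status = "FAIL (not restored)"
        else:
            measured = d["restored_at"] - d["declared_at"]
            status = "PASS" if measured <= d["rto_target"] else "FAIL"
        rows.append({
            "process": name,
            "priority": d["priority"],
            "rto_target": d["rto_target"],
            "measured_rto": measured,
            "shortfall": max(measured - d["rto_target"], timedelta(0)),
            "status": status,
        })
    rows.sort(key=lambda r: (r["priority"], -r["shortfall"].total_seconds()))
    return rows


def fmt(td):
    """Render a timedelta as e.g. '5h05m'."""
    mins = int(td.total_seconds() // 60)
    return f"{mins // 60}h{mins % 60:02d}m"


if __name__ == "__main__":
    # The drill was closed at 18:00 with intranet-wiki still down.
    end = parse_ts("2024-03-12T18:00:00Z")
    for r in evaluate(parse_drill_log(DRILL_LOG), end):
        print(f"P{r['priority']} {r['process']:<14} target {fmt(r['rto_target']):>6} "
              f"measured {fmt(r['measured_rto']):>6} {r['status']}")
```

Run as-is, the report shows payments-api missing its 2h target by 35 minutes, crm passing at 5h05m against 8h, and intranet-wiki failing because it was never restored. The ordering by priority is the point of step 4: the most critical process is the first line an executive reads, whether or not it has the largest shortfall.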

  • Other reading and resources:

– The Computer Incident Response Planning Handbook

– Hacker Techniques, Tools and Incident Handling

For further information and other resources, visit our cyber resilience training and cyber resilience publishing pages. Alternatively, contact one of our consultants, who can provide you with a cyber resilience health check or arrange a bespoke solution for building resilience in your organisation.