Cyber resilience isn’t something you can buy. It’s not as simple as finding off-the-shelf tools to plug into your organisation. Rather, you must tailor your approach to your needs, assessing the way any one solution affects the whole.
That may sound daunting, but when cyber resilience is done right, your cyber security and incident response strategy will seem straightforward. You’ll have a clear understanding of what each control does, how it fits into your organisation and why it’s worth the cost of investment.
What is cyber resilience?
Cyber resilience is the ability to prepare for, respond to and recover from cyber attacks. It helps organisations protect themselves from cyber risks, defend against and limit the severity of attacks, and ensure that business operations continue to function.
Getting the most out of cyber resilience
Most organisations have some set of processes that resembles cyber resilience, even if they don’t call it that. A cyber security strategy alongside an incident response strategy or a BCMS (business continuity management system) is essentially cyber resilience, although it won’t be as effective as a dedicated resilience strategy.
But even organisations with a cyber resilience strategy probably aren’t getting the most out of it, because the idea is relatively new and often misunderstood.
We attempt to put that right in this blog, explaining three ways to improve your approach to cyber resilience.
You should be familiar with risk assessments, which are used in many business functions to identify and prioritise organisational threats. Cyber resilience risk assessments cover everything associated with cyber security – i.e. the way you mitigate risks, meet regulatory requirements and deal with incidents that can’t be prevented.
The best way to do that, says F-Secure Principal Consultant Marko Buuri, is to encourage organisation-wide communication. Different departments have their own understanding of the way risks can occur and the damage they can cause, so a diverse team will give you a comprehensive understanding of your organisation’s vulnerabilities.
Buuri also urges organisations to be as granular as possible when identifying risks. It’s not helpful to list ‘hacking’ as a risk, for example, because that could include anything from phishing scams to exploited databases. Those two risks are caused by different vulnerabilities and affect organisations in different ways.
This specificity is necessary to ‘build a story’. Not everyone on your team will be a cyber security expert, so it’s helpful to explain exactly what happens when a risk materialises.
You won’t have the budget to mitigate every risk, so this stage is about deciding which scenarios should be prioritised. This is done by determining the probability of each risk occurring and the impact it will have. However, this often leads to problems, according to Buuri, because organisations are too vague when determining ‘impact’.
For Buuri, ‘impact’ should be a monetary value. That means determining the cost of each stage of the risk management process:
- Containing the damage
- Returning to business as usual
- Communicating the incident with regulatory bodies and those affected
- The aftermath (customer churn and regulatory action)
As with identifying risks, it’s important to be as specific as possible. You should work out which departments are responsible for each process and determine exactly what they must do, how many people it would take and how long it would last.
You should take those costs and factor in the probability of each risk occurring, much as you would do with a risk score, in which you multiply an impact score by a likelihood score.
The result will be a comparative scale of the costs of each risk. But remember, you shouldn’t be looking at risks (and their costs) in isolation at this stage, because there will be a significant overlap in the controls that can mitigate the damage or likelihood of an incident and therefore reduce the cost.
This is where you look for solutions. Standards such as ISO 27001 and ISO 22301 provide a framework of activities that you must perform to achieve compliance and support your cyber resilience strategy, and they can be leveraged to help you meet regulatory requirements, such as the GDPR (General Data Protection Regulation) and the NIS (Network and Information Systems) Regulations 2018.
But beyond the essential activities suggested by your risk assessment, you should ask yourself whether a control will save you money. In other words, does it reduce the cost (either by mitigating impact or probability) of one or more risks by more than it costs to implement?
For example, staff awareness training is a requirement of almost all security frameworks because it helps reduce the likelihood of a variety of risks. But you might predict that the effects will be even bigger if you invest more into staff awareness. Your aim is to find the ideal point between the cost of investment and the reduction in risk.
You can also look for additional solutions that can make the effects even greater. For example, you might consider appointing a DPO (data protection officer) even if you aren’t required to under the GDPR, because they will lead your training exercises, advise staff on data processing activities and act as a contact for the supervisory authority in the event of a security incident or investigation.
Alternatively, you might find that it’s more cost-effective to invest in a cyber resilience insurance policy. This can’t replace the controls mandated by best practice or regulatory requirements, but it’s often a helpful way of dealing with potentially catastrophic risks that would otherwise require you to maintain complex processes and have access to emergency systems.
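The monetary risk register and the control cost-benefit test described above, worked through as an added example (this is illustrative code, not from the original post or from F-Secure): every risk, stage cost, probability and control effect is a constructed value, and the two controls deliberately touch overlapping risks so that the saving is counted across the whole register rather than per risk in isolation.

```python
# Added example, not code from the original post: a small quantified risk
# register in the shape the text describes. Every risk, cost, probability and
# control effect below is a constructed, illustrative value.
from dataclasses import dataclass, field

@dataclass
class Risk:
    name: str
    annual_probability: float   # likelihood of the scenario in a year
    stage_costs: dict           # containment, recovery, notification, aftermath
    def impact(self):
        # 'impact' as a monetary value: the summed cost of every stage
        return sum(self.stage_costs.values())
    def expected_cost(self):
        # impact x likelihood, in money rather than an abstract risk score
        return self.impact() * self.annual_probability

@dataclass
class Control:
    name: str
    annual_cost: float
    # per-risk multipliers on probability and impact (1.0 = no effect)
    probability_factor: dict = field(default_factory=dict)
    impact_factor: dict = field(default_factory=dict)
    def residual_cost(self, risk):
        p = risk.annual_probability * self.probability_factor.get(risk.name, 1.0)
        return p * risk.impact() * self.impact_factor.get(risk.name, 1.0)
    def net_saving(self, risks):
        # evaluated across every risk it touches, since controls overlap
        avoided = sum(r.expected_cost() - self.residual_cost(r) for r in risks)
        return avoided - self.annual_cost

# Constructed register: granular scenarios rather than one 'hacking' entry
RISKS = [
    Risk("phishing leading to credential theft", 0.40,
         {"containment": 8_000, "recovery": 12_000, "notification": 5_000, "aftermath": 25_000}),
    Risk("SQL injection exposing customer database", 0.05,
         {"containment": 30_000, "recovery": 60_000, "notification": 40_000, "aftermath": 300_000}),
]
CONTROLS = [
    Control("staff awareness training", 8_000,
            probability_factor={"phishing leading to credential theft": 0.5,
                                "SQL injection exposing customer database": 0.9}),
    Control("cyber insurance policy", 10_000,
            impact_factor={"SQL injection exposing customer database": 0.3}),
]

def rank_controls(risks=RISKS, controls=CONTROLS):
    # highest net annual saving first; a negative value costs more than it saves
    return sorted(((c.name, round(c.net_saving(risks))) for c in controls), key=lambda t: -t[1])
```

With these constructed figures the training control avoids 10,000 on the phishing scenario and 2,150 on the injection scenario, so its 8,000 cost nets 4,150 a year; changing any input shows immediately whether a control still pays for itself.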
Preparation is the key to survival
You can learn more about cyber resilience by downloading our new guide: Managing Cyber Risk – Transform your security with cyber resilience.
This guide explains the four key components of effective cyber resilience, outlining specific activities that can be implemented to meet your requirements and develop your programme’s maturity.
It also shows you which activities are necessary to meet the requirements of various laws and best practices, including the GDPR, PCI DSS (Payment Card Industry Data Security Standard), Cyber Essentials, ISO 27001 and ISO 22301.
To further understand where your organisation is on the cyber resilience scale, take our brief self-assessment. The survey consists of 26 short questions against which to rank your maturity.