Why is cyber resilience important?
Cyber resilience is important because traditional security measures are no longer enough to ensure adequate information security, data security, and network security. In fact, many CISOs and IT security teams now assume that attackers will eventually gain unauthorised access to their organization.
The truth is that adverse cyber events negatively impact the confidentiality, integrity, and availability of organizations every day. These events may be intentional or unintentional (e.g. a failed software update) and caused by humans, nature, or a combination thereof.
Today, it's as important to be able to respond to and recover from security breaches as it is to be able to prevent them.
The need for cyber resiliency was well summed up by Lt. Gen. Ted F. Bowlds, former Commander, Electronic Systems Centre, USAF:
“You are going to be attacked; your computers are going to be attacked, and the question is, how do you fight through the attack? How do you maintain your operations?”
What are the four elements of a successful cyber resilience strategy?
The four elements of a successful cyber resilience strategy are:
- Manage and protect: This involves developing the ability to identify, assess, and manage cyber risks associated with network and information systems, including those across your third-party and fourth-party vendors.
- Identify and detect: This involves the use of continuous security monitoring and attack surface management to detect anomalies and potential data breaches and data leaks before any significant damage occurs.
- Respond and recover: This involves implementing adequate incident response planning to ensure business continuity even if you are the victim of a cyber attack.
- Govern and assure: The final element is to ensure that your cyber resilience program is overseen from the top of your organization and part of business as usual.
How does cyber resilience work?
Any cyber resilience strategy, when put in practice, needs to be considered a preventive measure to counteract human error, vulnerabilities in software and hardware, and misconfiguration. Therefore, the goal of cyber resilience is to protect the organization, while understanding that there will likely be insecure parts, no matter how robust security controls are.
The components of any cyber resilience strategy include:
- Threat protection: Cybercriminals advance in lockstep with security controls. What were once state-of-the-art controls are now the bare minimum required to protect an organization. A third-party risk management and attack surface management software bundle, like UpGuard Vendor Risk and UpGuard BreachSight, is one of the best options you can choose to improve your organisation's cyber resiliency. Together, they can help you minimise first, third, and fourth-party risks caused by misconfiguration, data leaks, and data breaches. They'll also help you understand where you're most at risk through always up-to-date security ratings.
- Recoverability: After a security incident, your organization must be able to return to regular operations quickly. This generally means you have infrastructure redundancies and data backups across different regions in case a natural disaster or cyberattack impacts a specific part of the world. It's also recommended that you run tabletop exercises to ensure that everyone knows what their role is in the event of a cyber attack. Read our guide on incident response planning for more information.
- Adaptability: While planning is important, adaptability is paramount. Your organization must be able to evolve and adapt to new tactics that cyber criminals come up with. We recommend investing in continuous security monitoring so your security team can recognise security issues in real-time and immediately take action.
- Durability: Your organisation's durability is its capability to effectively operate after a security breach. With system improvements, configuration management, vulnerability management, and attack surface management, your organisation's cyber resilience will improve.
What are the benefits of cyber resilience?
Cyber resilience strategies provide a range of benefits before, during, and after cyberattacks:
- Enhanced systems security: Cyber resilience doesn't only help with responding to and surviving an attack. It can also help your organization develop strategies to improve IT governance, boost safety and security across critical assets, improve data protection efforts, avoid the impacts of natural disasters, and reduce human error.
- Reduced financial loss: Regardless of how good your security is, the fact is no one is immune to cyberattacks or misconfiguration. The average cost of a data breach is now $3.92 million globally, enough to kill many small to medium size businesses. In addition to financial costs, the reputational impact of data breaches is increasing due to the introduction of general data protection laws and stringent data breach notification requirements.
- Regulatory and legal compliance: For many industries, cyber resilience is a requirement. For example, FISMA defines a framework for managing information security that must be followed by all information systems used or operated by a U.S. federal government agency in the executive or legislative branches and by third-party vendors who work on behalf of a federal agency in those branches. The framework is further defined by the National Institute of Standards and Technology (NIST), which has published standards and guidelines such as FIPS 199 Standards for Security Categorisation of Federal Information and Information Systems, FIPS 200 Minimum Security Requirements for Federal Information and Information Systems and the NIST 800 series.
- Improved work culture and internal processes: Cyber resilience is a team sport. Every employee has a role to play in protecting your organisation's sensitive data and ensuring adequate incident response. When people are empowered to take security seriously, sensitive data and physical assets are at far less risk.
- Reputation protection: Poor cyber resilience can irreversibly damage your organisation's reputation. This is driven by governments establishing general data protection laws, following the leadership of the European Union's GDPR. For example, while the United States does not have a nation-wide equivalent to GDPR, California has CCPA, Florida has FIPA, and New York has the SHIELD Act. All are designed to protect the personally identifiable information of their constituents. Outside of the United States, Brazil has introduced a very similar law to GDPR called LGPD.
- More trust across customer and vendor ecosystem: A lot of emphasis has been placed on vendor risk management and third-party risk management frameworks over the last decade, and rightly so. However, trust is a two-way street. It's essential that your organization has cyber resiliency strategies in place before asking your vendors to. If your organization has ineffective cyber resiliency, it can damage the reputation of your customers and vendors.
- A better IT team: One of the under-emphasised benefits of cyber resilience is that it improves the daily operations of your IT department. An organization with a hands-on IT team not only improves the ability to respond to threats, but it also helps to ensure day-to-day operations are running smoothly.
How is cybersecurity different from cyber resilience?
The difference between cybersecurity and cyber resilience comes down to their intended outcomes:
- Cybersecurity: Cybersecurity consists of information technologies, processes, and measures designed to protect systems, networks, and sensitive data from cyber crimes. Effective cybersecurity reduces the risk of cyberattacks and protects entities from the deliberate exploitation of systems, networks, and technologies. Read our full post on cybersecurity for more information.
- Cyber resilience: Cyber resilience has a broader scope, encompassing cybersecurity and business resilience. Cyber resilience helps businesses recognise that attackers may have the advantage of innovative tools, zero-days, and the element of surprise. This concept helps businesses prepare for, prevent, respond to, and recover from attacks, successfully restoring their pre-attack business processes and business operations. In short, cyber resilience requires the business to think differently and be more agile when handling attacks.
Is cyber resiliency a replacement for cybersecurity?
No, cyber resiliency works with cybersecurity. Most cyber resiliency techniques assume, leverage, or enhance cybersecurity measures. Cybersecurity and cyber resiliency work best together.
Cyber resiliency has become more popular because it reflects the fact that modern systems are large and complex entities that will always have flaws and weaknesses that may be exploitable. Given resource limitations, achieving an acceptable level of cyber risk requires making trade-offs among cybersecurity measures.
What are the common cyber resiliency threats?
There are four common cyber resiliency threats that a robust cyber resilience strategy will address:
- Cybercrime: Offences that are committed against individuals or groups to intentionally harm the reputation of the victim, cause physical or mental harm, or cause loss to the victim directly or indirectly, using the Internet. Cybercrimes typically threaten a person's, organisation's, or nation's security and financial health. Common cyber crimes include malware infections, phishing, spear phishing, whaling attacks, and other forms of social engineering.
- Hacktivism: Hacktivism is the use of computer-based techniques such as hacking as a form of civil disobedience to promote a political agenda or social change. Common hacktivism cybersecurity incidents include denial of service attacks on critical infrastructure and information systems, doxing, website defacements, wormable ransomware, typosquatting, man-in-the-middle attacks, and information leakage.
- Cyber espionage: Cyberspying is the practice of obtaining secrets and information without the permission or knowledge of its owner. Cyber spying can be a form of industrial espionage or be concerned with national secrets. Poor operational security and a lack of cybersecurity awareness training around what information can and can't be shared on social media are common causes for successful cyber espionage attacks. Common targets for cyber espionage include trade secrets, supply chain information, personally identifiable information (PII), protected health information (PHI), and other sensitive information.
- Business continuity management: Business continuity planning is the process of creating systems of prevention and recovery to deal with potential threats to a company. In addition to prevention, the goal is to enable ongoing operations before and during the execution of disaster recovery.
How to improve cyber resiliency
The National Institute of Standards and Technology's Special Publication 800-160 Vol. 2 offers a framework for engineering secure and reliable systems by treating adverse cyber events as resiliency and security issues. In particular, it outlines fourteen techniques that can be used to improve resiliency:
- Adaptive response: Optimise your ability to respond in a timely and appropriate manner.
- Analytic monitoring: Monitor and detect adverse actions and conditions in a timely and actionable manner. See our post on indicators of compromise for more information.
- Coordinated protection: Implement a defense-in-depth strategy, so adversaries have to overcome multiple obstacles.
- Deception: Mislead, confuse, hide critical assets from, or expose covertly tainted assets to, the adversary.
- Diversity: Use heterogeneity to minimise common mode failures, particularly attacks exploiting common vulnerabilities (like those listed on CVE).
- Dynamic positioning: Increase your ability to rapidly recover from a non-adversarial incident (e.g. natural disasters) by distributing and diversifying your network.
- Dynamic representation: Keep representation of your network current. Enhance your understanding of dependencies among cyber and non-cyber resources. Reveal patterns or trends in adversary behaviour.
- Non-persistence: Generate and retain resources as needed or for a limited time. This reduces exposure to corruption, modification, or compromise.
- Privilege restriction: Restrict privileges based on attributes of users and system elements as well as on environmental factors. See our posts on access control and RBAC for more information.
- Realignment: Minimise the connections between mission-critical and noncritical services to reduce the likelihood that a failure of noncritical services will impact mission-critical services.
- Redundancy: Provide multiple protected instances of critical resources.
- Segmentation: Define and separate elements based on criticality and trustworthiness.
- Substantiated integrity: Ascertain whether critical system elements have been corrupted.
- Unpredictability: Make changes randomly and unexpectedly. This increases an adversary's uncertainty regarding the system protections which they may encounter, thus making it harder for them to understand how to circumvent them.