Building Cyber Resilience in Businesses
The inability to adequately respond to and manage cyber-attacks is often costly for organisations, leading to loss of consumer trust, diminished reputation, and economic losses from theft of intellectual property or fines for the loss of confidential information, to name a few. With cyber-attacks becoming more frequent, every CISO and organisation strives to find an effective way to respond to an unplanned attack.
However, cyber-attacks are getting more sophisticated and covert. It would be complacent to rely solely on the skillsets of in-house cyber professionals to prevent and mitigate the next wave of cyber-attacks. Organisations need to understand that a proactive approach is required to integrate business decisions with prevention and mitigation strategies for cyber risks so that they can adapt and recover quickly from cyber incidents, thus achieving cyber resilience.
In my previous article, “Increasing Cyber Resiliency in Businesses” [1], I discussed how businesses could adopt layered security or defence-in-depth to protect their data and assets. This article will explore how management plays a crucial role in building cyber resilience in organisations.
1. Collaboration between top l
For many organisations, getting support from key decision-makers to recognise the importance of cyber security has always been a critical challenge. The impact of a successful cyber-attack on an organisation is often exacerbated if organisations focus on implementing sound business and operational decisions without managing potential cyber security risks. This calls for business- and security-focused leaders to collaborate closely to prevent any coordination gaps from occurring.
Security-focused leaders should understand business operations while interacting with business-focused leaders. Vice versa, business-focused leaders, apart from their involvement with the different business units, should also involve security-focused leaders in their decision-making process so that cyber security solutions are not an afterthought in the organisation.
2. Accept OR prevent?
Apart from a close partnership between business-focused and security-focused leaders, there needs to be a change in the mindset of the management for organisations to establish resilience, that is, to assume breach.
As advised by Retired Gen. Michael Hayden, former director of the CIA and the National Security Agency: "Fundamentally, if somebody wants to get in, they're getting in. Alright, good. Accept that.” [2]
We are not saying that management should take a pessimistic view and allow their organisation to sit and wait like sitting ducks. Instead, with the understanding that breaches can and will occur, leaders can mandate a whole-of-organisation approach to maintain cyber hygiene and increase cyber resiliency through layered security or defence-in-depth [1]. These can be further complemented with other proactive measures such as continuous monitoring for vulnerabilities and performing threat hunting on an organisation’s network and systems.
Although taking on an “assume breach” mentality does not prevent organisations from being attacked, it puts them in a better position to pre-empt future attacks and respond swiftly to avert a major cyber crisis.
3. Perfection through simulation and practice
The ability of an organisation to respond to a cyber crisis effectively does not happen by chance. Management plays a key role in building a positive culture of cyber security awareness and providing sufficient resources, such as employee training, to support incident response (IR) and management strategies.
With the increasing stealth and sophistication of cyber-attacks, organisations should sensitise all employees to signs of attempted or actual security breaches and reinforce the appropriate responses through training. In addition, drills can be carried out to facilitate employees’ familiarisation with their role in the IR protocol.
Functional or full-scale exercises, such as tabletop exercises, can also be carried out, and good practice calls for management’s involvement. These tabletop exercises should be made as realistic as possible to validate incident response plans and assess employees' readiness in a simulated operational environment. Tabletop exercises should also be reviewed from time to time to ensure that objectives are being met and opportunities for improvement are being identified.
Note that even a properly designed and carefully conducted tabletop exercise will not be able to replicate a true cyber crisis. Still, it will allow the participants to assess their ability to respond to a crisis, identify potential outcomes, and recognise the strengths and weaknesses in their incident response plan.
Technology and changing work models have given rise to the ubiquitous use of mobile and Internet of Things (IoT) devices to access work resources and conduct business transactions. As organisations continue to develop their new work ecosystems, they need to recognise that these devices, with their differing levels of non-enterprise-grade security, form part of the new corporate perimeter. This added variability not only provides opportunities for adversaries but also increases the need for organisations to build cyber resiliency. Management support and leadership play a key part in ensuring the success of this endeavour.