Whitepaper

What Is Cyber Resilience? And what are the strategies and capabilities needed to achieve cyber resilience today?

Noggin

Security Management Software

Updated August 8, 2023

How do you define cyber resilience?

Why have companies finally gotten religion on resilience? COVID is part of the reason, but it’s not the entire story. The cyber threat also explains why businesses must be proactive in setting proactive resilience agendas.

How bad is the cyber threat to resilience?

The perceived threat is acute. According to Accenture, 68 per cent of business leaders feel their cybersecurity risks are increasing[i]. Fifty-four per cent of companies, though, say their IT departments aren’t sophisticated enough to handle advanced cyberattacks[ii].

And so, properly addressing the risk requires teams to get serious about cyber resilience. So, what is cyber resilience, then?

Well, according to the National Institute of Standards and Technology, cyber resilience is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources[iii].

Understood as a set of capabilities, cyber resiliency enables companies to pursue those business objectives that depend on cyber resources in a contested cyber environment[iv].

Why is cyber resilience so important?

It’s the reality of a contested cyber environment that underscores the importance of cyber resilience.

Indeed, business leaders don’t just perceive cyber risk as increasing. Cyber risk is actually increasing. According to most metrics, it’s increasing like never before.

How do we know?

According to RiskBased Security, data breaches exposed a staggering 22 billion records in 2021[v]. And by Q3 2022, data breaches were rising by 70 per cent around the globe[vi].

Add to that, the associated costs of cyber incidents keep increasing, too, ballooning over 20 per cent per year, according to the World Economic Forum[vii].

As it stands, the average global cost of a data breach to businesses reached $4.35 million in 2022[viii].

The key benefits of cyber resiliency

The benefits of cyber resiliency, therefore, aren’t hard to perceive. For one, cyber resiliency saves money. Cyber resiliency acts like a good insurance policy – if a single breach can set you back millions, why not invest in the right digital tools and strategies to better anticipate adverse attacks?

Cyber resiliency also ensures compliance. Potential costs associated with data breaches have been increasing due to stiffer regulatory penalties. 

Indeed, state, national, and supranational entities have all been generating more regulations with serious financial penalties attached. In certain jurisdictions, companies that have been breached and don’t report stand to lose percentages of their revenue (more below).

Cyber resiliency also protects reputations. Not only regulators but customers and partners look askance at companies that have been breached. They consider cyber resiliency a must-have and see companies that have been breached as lacking the requisite resiliency to make themselves worthy of partnership.

Penalties stiffen for ineffective response to cyber incidents 

Indeed, over the last decades, governments and sectoral regulators have sought to shore up the digital privacy of their citizens and consumers. Legislative schemes like the General Data Protection Regulation (GDPR) in the European Union, the Privacy Act in Australia, and the California Consumer Privacy Act have all been attempts to enhance privacy rights and consumer protections. 

Each of the schemes imposes steep fines for breached records, ranging from USD 7,500 per record in California to up to 10 per cent of a breaching entity’s annual national turnover in Australia.

But the GDPR, which has the greatest footprint, also places a notification window on breached entities to disclose that they’ve been breached. Per Article 33 of the GDPR, notification of a personal data breach must be made to the Supervisory Authority.

Challenges to cyber resilience

Given the benefits, why do business leaders, when surveyed, suggest they don’t have the requisite capabilities to become cyber resilient? Part of the reason is because achieving cyber resilience is difficult. 

For instance, simply ensuring that systems and personnel can detect, understand, and, most importantly, respond to cyber incidents involves creating and deploying structured methodologies to efficiently handle cyber security incidents, breaches, and threats. That’s not easy. 

Adding public notification requirements on top of that makes it even harder.

Nor is compliance the only challenge to cyber resilience. Here are a few others: 

  • Too many cyber incidents. The sharp rise in cyber incidents means that individual organizations, especially those in so-called critical infrastructure sectors, are dealing with more cyber incidents than ever. 

Alert fatigue is real. Add to that, not all alerts will be the big one. The rapid acceleration in alerts, therefore, might compromise the ability of an organization to respond effectively to a serious breach.

  • Cyber incident response plans (IRPs) are too generic. Guidance on how to respond to cyber incidents is prolific. Government agencies like the Cybersecurity and Infrastructure Security Agency (CISA) and National Institute of Standards and Technology (NIST) all publish their own expert advice. 

Organizations are free to make use of that guidance. But simply copying and pasting those plans wholesale, which many organizations do, isn’t the best idea. Indeed, it could be part of the problem.

Why? By their very nature, one-size-fits-all IRPs aren’t tailored to the needs and specificities of individual companies. Generic plans can’t account for differences in culture, environment, response, personnel, and business objectives. 

  • Plans go untested. The rubber really hits the road for these generic IRPs during a cyber incident. A big reason is that generic plans are less likely to be tested before a real-world crisis, where regular testing would expose flaws in assumptions.

Unfortunately, customized plans aren’t tested as much as they should be, either, which means many haven’t been updated to account for the transition to remote working, where key personnel are geographically dispersed and unable to review logs, detect attacks, or respond to and recover from incidents as they formerly did.

  • Information doesn’t get to the right people at the right time. These arrangements also pose grave communication and collaboration challenges for effective cyber incident response. 

It’s not hard to see why. Providing intelligence, coordination, and response that is accurate, timely, and effective requires the coordination of numerous processes, systems, and operators.

This can be difficult. Requests might require novel approaches, integration of disparate data sources, including contributing information systems, and a wide variety of outputs. 

What happens then is data pertinent to the incident isn’t made available to decision makers, whether in Incident Response or in the C-suite. When it is made available, information is strewn across hundreds of emails – often duplicative, making it well-nigh impossible for decision makers to task effectively throughout the lifecycle of a cyber incident based on a cohesive picture of what’s happening.

What are the strategies to increase cyber resilience?

What then can be done to overcome these challenges and establish cyber resilience? For starters, companies will have to build up their cyber security capability so that it’s commensurate to the security vulnerabilities they face. 

How to go about it will necessarily vary by company. But all companies should be looking to minimize the likelihood and impact of information security incidents on the confidentiality, integrity, and/or availability of information assets, including information assets managed by related parties or third parties. 

Common-sense strategies to pursue to help increase cyber resilience include:

  • Clearly defining the information security-related roles and responsibilities
  • Maintaining an information security capability commensurate with the size and extent of threats to your information assets, and which enables the continued sound operation of the entity
  • Implementing controls to protect information assets commensurate with the criticality and sensitivity of those information assets
  • Undertaking systematic testing and assurance regarding the effectiveness of those controls

Besides those, best-practice guidance includes:

Building an information security capability
  • Maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity. 
  • Where information assets are managed by a related party or third party, assess the
    information security capability of that party, commensurate with the potential consequences of an information security incident affecting those assets. 
  • Actively maintain an information security capability with respect to changes in vulnerabilities and threats, including those resulting from changes to information assets or its business environment.
Establishing a cyber resilience policy framework
  • Maintain an information security policy framework commensurate with exposures to vulnerabilities and threats, which provides direction on the responsibilities of all parties who have an obligation to maintain information security.
Information asset identification and classification
  • Classify information assets, including those managed by related parties and third parties, by criticality and sensitivity. 
  • This classification should reflect the degree to which an information security incident affecting an information asset has the potential to affect, financially or non-financially, the entity or relevant stakeholders.
Implementation of controls 
  • Have information security controls to protect information assets, including those managed by related parties and third parties, that are implemented in a timely manner and that are commensurate with:
    – Vulnerabilities and threats to the information assets
    – The criticality and sensitivity of the information assets
    – The stage at which the information assets are within their lifecycle
    – The potential consequences of an information security incident. 
  • Where information assets are managed by a related party or third party, the home entity must evaluate the design of that party’s information security controls that protect the home entity’s information assets.
Incident management 
  • Have robust mechanisms in place to detect and respond to information security incidents in a timely manner.
  • Maintain plans to respond to information security incidents that the entity considers could plausibly occur (information security response plans). 
  • Those plans must include mechanisms in place for:
    – Managing all relevant stages of an incident, from detection to post-incident review
    – Escalation and reporting of information security incidents
  • Annually review and test information security response plans to ensure they remain effective and fit-for-purpose.
Testing control and effectiveness
  • Test the effectiveness of information security controls through a systematic testing program. The nature and frequency of the systematic testing must be commensurate with: 
    – The rate at which the vulnerabilities and threats change
    – The criticality and sensitivity of the information asset
    – The consequences of an information security incident
    – The risks associated with exposure to environments where the entity is unable to enforce information security policies 
    – The materiality and frequency of change to information assets 
  • Escalate and report any testing results that identify information security control deficiencies that cannot be remediated in a timely manner. 
  • Ensure that testing is conducted by appropriately skilled and functionally independent specialists. 
  • Review the sufficiency of the testing program at least annually or when there is a material change to information assets or the business environment.
Internal audit
  • Include a review of the design and operating effectiveness of information security controls, including those maintained by related parties and third parties (information security control assurance). 
  • Ensure that the information security control assurance is provided by personnel appropriately skilled in providing such assurance. 
  • Assess the information security control assurance provided by a related party or third party where:
    – An information security incident affecting the information assets has the potential to materially affect, financially or non-financially, the entity and/or relevant stakeholders.
    – Internal audit intends to rely on the information security control assurance provided by the related party or third party.


Digital technology to help build cyber resilience

Of course, strategies must be implemented expeditiously to help secure cyber resilience. And to that end, we recommend finding a flexible, configurable, digital solution that helps plan and manage information, operations, and communications.

Such a solution would capture and consume information from multiple sources, including reports, logs, communications, forms, assets, and maps, providing a real-time common operating picture of the task or operation at hand. 

Leveraging powerful, yet easy-to-set-up workflows, the user-friendly solution would control and automate management processes and standard operating procedures, keeping the right stakeholders informed across multiple communications mediums. 

Analytics and reporting tools would ensure that decision makers have the correct information in the best available format, when they need it. The solution would also track tasks to ensure that the right actions are taken and followed through, helping you to assign, manage, and track resources.

More specifically, the system would provide a case management framework that orchestrates information flows throughout the organization, providing consistency where multiple systems, sources, and processes are employed, as well as enabling the secure exchange of information and coordination of resources across multiple stakeholders, who themselves might have varying security constraints.

On top of those information and strategic incident management capabilities to help maintain cyber resilience, specialist intelligence application benefits would include:

  • Reinforce intelligence tasking and response with an auditable record of changes.
  • Powerful workflow builder to automate review, approval, escalations, and interactions across the organization and externally.
  • Ability to relate assets, events, and contacts to provide a complete picture of requests, incidents, and tasks, including mapping for geospatial information, timelines for understanding changes and progressions in context, and alerts to automatically flag issues for further attention.
  • Configurable dashboards that provide an executive view of progress, emerging issues, and crises.
  • Support for scalable processes to handle routine or commodity threats through to Advanced Persistent Threats (APT).
  • Support for intelligence gathering for entities of interest including evidence gathering and multi-party coordination.
  • Configurable security model to accommodate low-privilege users, such as third-party IT staff who need to log threats and incidents or receive reports without gaining access to more sensitive information.
  • Asset inventory and logging to highlight prioritized assets or other high impact items.

Finally, resilience has zoomed up the corporate agenda. But given the increasing cyber threat, there can be no business resilience without cyber resilience. Add to that, the challenges to cyber resilience are as acute as they are numerous.

Luckily, they’re also surmountable. What will it take? 

As this guide has argued, business leaders will have to get serious about pursuing best-practice guidance with attention to their risk profile. Digital technology such as Noggin’s integrated security management platform must be part of the solution, as well. These platforms will help teams proactively manage all aspects of their security operations from anywhere, on any device, with the ability to collect information from across the organization and the public to deploy resources effectively and efficiently.

Sources

i. Rachelle Blair-Frasier, Security Magazine: 68% of organizations face cyber risks due to skills shortage. Available at https://www.securitymagazine.com/articles/99126-68-of-organizations-face-cyber-risks-due-to-skills-shortage

ii. Sophos: Ransomware Recovery Cost Reaches Nearly $2 Million, More Than Doubling in a Year, Sophos Survey Shows. Available at https://www.sophos.com/en-us/press/press-releases/2021/04/ransomware-recovery-cost-reaches-nearly-dollar-2-million-more-than-doubling-in-a-year

iii. Computer Security Resource Center, National Institute of Standards and Technology: Cyber resiliency. Available at https://csrc.nist.gov/glossary/term/cyber_resiliency

iv. Ibid.

v. Security Magazine: Over 22 billion records exposed in 2021. Available at https://www.securitymagazine.com/articles/97046-over-22-billion-records-exposed-in-2021

vi. Alessandro Mascellino, Infosecurity Magazine: Data Breaches Rise By 70% Globally in Q3 2022. Available at https://www.infosecurity-magazine.com/news/data-breaches-rise-by-70-q3-2022/

vii. Anna Sarnek, World Economic Forum: Data breaches are increasing at a rapid speed. Here’s what can be done. Available at https://www.weforum.org/agenda/2023/03/data-breaches-are-increasing-at-a-rapid-speed-here-s-what-to-do-about-it/

viii. Ibid.
