Enterprise cyber resilience is a strategic requirement and a must-have organizational capability. Security and risk management executives must come together to work as a unified team to design, implement and maintain a cyber resilience program to ensure business initiatives become sustainable operations.
What risks to consider
When you look at organizational risks, there are unfortunately too many to count, and they range from natural disasters to man-made disruptions, equipment failure and operational/human error. As businesses grow and expand, these risks are also occurring with increasing frequency and turning into business disruptions that affect the viability of the organization.
The World Economic Forum releases an annual global risk report that has tracked five types of organizational risks:
The Forum has now done this for over ten years, and for the first time in the survey’s ten-year outlook, the top five global risks in terms of likelihood are all environmental. The report also notes that cyber attacks today have the potential to be as destructive as major natural disasters. In the US, 53 percent of CEOs are extremely concerned about the impact of cyberthreats on their growth prospects, according to PwC’s Global CEO Survey.
It’s no secret that any organization, anywhere in the world, could come under a sophisticated cyber attack from hostile nation-state actors, criminal or terrorist groups, or rogue individuals. Advanced adversaries have the capability to breach critical systems, often establishing an undetected presence within those networks, and inflict immediate and long-term damage on economic and national security interests. Having a cyber resilience program in place would certainly help counter this threat.
What cyber resilience encompasses
One way to look at cyber resilience is as the degree to which an organization can adapt and respond in order to defend itself against a threat to, or failure of, its digital business ecosystems. A mature cyber resilient enterprise ensures that restored software and technology infrastructure/services are not only reliable, but also safe and accessible, despite hostile or adverse disruptions of all types to those critical ecosystems.
Cyber resilience covers a superset of the technology infrastructure, services and data found in IT, OT, IoT and physical ecosystems. It applies not only to information-centric organizations such as healthcare, banking, financial services and insurance, but also to industries such as manufacturing, utilities and transportation. Cyber resilience is particularly focused on the flexibility of the technology that processes information.
All organizations regardless of vertical market or size should consider:
- establishing an enterprise cyber resilience program, including program management, risk identification and management, and a governance and accountability framework such as MITRE’s or NIST SP 800-160 Vol. 2 (keep in mind there is no single authoritative definition of cyber resiliency);
- identifying and documenting the organizational resilience drivers;
- identifying gaps in their organizational resilience program by assessing their current resilience against applicable frameworks; and
- correlating and mapping the components of their organization's digital business initiatives to each organizational cyber resilience layer.
Enterprises in every vertical industry are continuously threatened by security breaches that can have significant consequences for business operations and success. As we all know, compromised data is an extremely costly problem.
The costs associated with data
According to IBM, the average cost of a data breach in the United States increased from $7.91 million in 2018 to $8.19 million in 2019, the highest of any region. Globally, the average cost of a data breach has increased to $3.92 million. Still, many organizations do not have the incident response teams or resources needed to keep their security strategies up to date.
As my colleague Matt Berry explains, sophisticated cyber attackers continue to compromise organizations at an unprecedented rate, forcing security programs to evolve continually to keep pace with the agile nature of advanced attacks. As responsibility for adequately protecting critical assets becomes a central focus, it’s no surprise that security operations teams are facing increased scrutiny and greater repercussions.
While you are building your cyber resilient organization, let’s not forget the basics. Honestly, when was the last time your company conducted a simple exercise of its incident response plan? As I have said before, a lot of the feedback I get is: “we don’t have time,” “they’re not realistic” or “they’re too complicated.” It sounds like the same excuses people make to get out of going to the gym in the morning!
Six basic objectives for tabletop exercises:
- Assess the ability of the organization to detect and properly react to hostile activity during the exercise.
- Assess the organization’s capability to determine the operational impacts of cyber attacks and to implement proper recovery procedures during the exercise.
- Understand the implications of losing trust in IT systems and capture the workarounds for such losses.
- Expose and identify weaknesses in the organization’s incident response plan.
- Determine what enhancements or capabilities are needed to protect an information system and to sustain operations in a hostile environment.
- Enhance cyber awareness, readiness and coordination.
We don’t ever want to wake up one day and have one of these three scenarios unfold at our organization:
- You are contacted by an anonymous source who claims that some of your critical IP has been stolen and that, unless you pay a ransom, the attacker will release this fact to the media, resulting in extremely bad press. The attacker offers a brief sample to prove it.
- Over the course of a day, you receive calls from several dealers reporting that the e-commerce site appears to be unusable. At some point during troubleshooting, you receive an anonymous call stating that you are under a distributed denial-of-service attack and that if you don't pay $ it will continue.
- At 6 a.m., the helpdesk begins to receive multiple complaints from different areas of the company reporting an inability to access your billing system and its integrated applications. At 7 a.m., the operations team confirms that the database server is online and accessible, but they have not been able to verify the functionality of the database itself. At 8 a.m., the database team verifies that the necessary services are running on the server, but they cannot read the contents of the ERP database(s); password reset procedures have been attempted without success. Then at 9 a.m., an anonymous source emails xyz.com, stating that the database for your financial system has been exported off-site to an undisclosed location.
We understand the importance of cyber resiliency and can bring our expertise to bear in protecting technology and, ultimately, the business. Our security consultants provide a formal yet flexible method of evaluating enterprise cyber resiliency maturity based on foundational building blocks drawn from a variety of industry security frameworks.
By taking a holistic approach when evaluating an organization’s control and risk mitigation environment, WWT is able to provide a level of detailed analysis that can be used as a roadmap to increase the maturity of a cyber resiliency program and to make the most of people, processes and technology in order to reduce risk while increasing efficiency.