Now is the Time to be Cyber Resilient
In this blog
Enterprise cyber resilience is a strategic requirement and a must-have organizational capability. Security and risk management executives must come together to work as a unified team to design, implement and maintain a cyber resilience program to ensure business initiatives become sustainable operations.
When you look at organizational risks, there are too many to count, unfortunately, and they could range from horrific natural disasters to man-made disruptions, equipment failure and operational/human errors. As fast as businesses are growing and expanding, so are these risks that can result in business disruptions that impact the viability of the organization.
According to the World Economic Forum Global Risk Report 2022: For the next five years, respondents again signal societal and environmental risks as the most concerning. However, over a 10-year horizon, the health of the planet dominates concerns: environmental risks are perceived to be the five most critical long-term threats to the world as well as the most potentially damaging to people and planet, with "climate action failure," "extreme weather," and "biodiversity loss" ranking as the top three most severe risks. Respondents also signaled "debt crises" and "geo-economic confrontations" as among the most severe risks over the next 10 years. Technological risks—such as "digital inequality" and "cybersecurity failure"—are other critical short- and medium-term threats to the world according to GRPS respondents, but these fall back in the rankings towards the long term and none appear among the most potentially severe, signaling a possible blind spot in risk perceptions.
It's no secret that every organization globally could come under a sophisticated cyber attack from hostile nation-state actors, criminal or terrorist groups and rogue individuals. Advanced adversaries have the capability to breach our critical systems, often establishing an undetected presence within those networks, and inflict immediate and long-term damage on the economic and/or national security interests. Having a cyber resilient program would certainly help combat this threat.
One way to look at cyber resilience is the degree of adaptiveness and responsiveness to which an organization has to defend itself against a threat or failure of digital business ecosystems. A mature cyber resilient enterprise ensures that restored software and technology infrastructure/services are not only reliable, but also safe and accessible, despite hostile or adverse disruptions of all types to those critical ecosystems.
Cyber resilience covers a superset of technology infrastructure, services and data found in IT, OT, IoT and physical ecosystems. Cyber resilience incorporates, not only information-centric organizations such as healthcare, banking, financial services and insurance, but also industries such as manufacturing, utilities and transportation. Cyber resilience is particularly focused on the technological flexibility that uses information.
All organizations regardless of vertical market or size should consider:
- establishing an enterprise cyber resilience program delivery program, including program management, risk identification and management and a governance and accountability framework, such as MITRE or SP 800-160 Vol. 2 Rev. 1 (keep in mind there is no single authoritative definition for cyber resiliency);
- identifying and documenting the organizational resilience drivers;
- identifying gaps in their organizational resilience program by assessing their current resilience against applicable frameworks; and
- correlating and mapping the components of their organization's digital business initiatives to each organizational cyber resilience layer.
Enterprises from every vertical industry are continuously threatened by security breaches that can have significant consequences when it comes to business operations and success. As we all know, compromised data is an extremely costly issue.
Data breach costs rose from $3.86 million to $4.24 million, the highest average total cost in the history of this report. It shows that costs were significantly lower for some organizations with a more mature security posture, but were higher for organizations that lagged in areas such as security AI and automation, zero trust and cloud security. Still, many organizations do not have the proper incident response teams or resources needed to keep security strategies up to date.
As my colleague, Matt Berry explains, sophisticated cyber attackers continue to compromise organizations at an unprecedented rate, forcing security programs to continually evolve to keep pace with the agile nature of advanced attacks. As the responsibility for adequately protecting critical assets becomes a central focus it's no surprise security operations teams are facing increased scrutiny and a rise in repercussions.
As you are building your cyber resilient organization it's important not to lose sight of the basics. Be honest, when was the last time your company conducted a simple exercise of your incident response plan? As I have said before, a lot of feedback I get sounds like this: "we don't have time," "they're not realistic," or "they're too complicated." Kind of sounds like the same excuses people make to avoid they gym! And speaking of exercise…
Six basic objectives for tabletop exercises for cyber resilience:
- Assess the ability of the organization to detect and properly react to hostile activity during the exercise.
- Assess the organization's capability to determine operational impacts of cyber-attacks and implement proper recovery procedures for the exercise.
- Understand the implications of losing trust in IT systems and capture the workarounds for such losses.
- Expose and identify weaknesses in the organization's incident response plan.
- Determine what enhancements or capabilities are needed to protect an information system and provide for operations in a hostile environment.
- Enhance cyber awareness, readiness and coordination.
The goal is to avoid having to deal with one of these all-too-realistic, nightmarish scenarios:
- You are contacted and notified by an anonymous source that some of your critical IP has been stolen and that the attacker will release this fact to the media, which would result in extremely bad press if you do not pay a ransom. The attacker offers up a brief sampling to prove it.
- You receive calls from several dealers through the course of a day that the e-commerce site appears to be unusable. At some point, during the troubleshooting, you receive an anonymous call that you are being attacked by a distributed denial of service and that if you don't pay $ it will continue.
- At 6 a.m., the helpdesk begins to receive multiple complaints from different areas of the company reporting an inability to access your billing system and integrated applications. At 7 a.m., the operations team has confirmed that the database server is online and accessible. They have not been able to verify functionality of the database itself. At 8 a.m., the database team has verified that the necessary services are running on the server, but they cannot read the contents of the ERP database(s). Password reset procedures have been attempted with no success. Then at 9 a.m., an anonymous source emails xyz.com, stating that the database for your financial system has been exported off-site to an undisclosed location.
We understand the importance of cyber resiliency and can bring our expertise to assist in protecting technology and ultimately, your business. Our security consultants provide a formal yet flexible method of evaluating enterprise cyber resiliency maturity based on foundational building blocks across a variety of industry security frameworks.
Utilizing a holistic approach when evaluating an organization's control and risk mitigation environment, WWT is able to provide a level of detailed analysis that will be used as a roadmap to increase a cyber resiliency program maturity and maximize the use of people, processes and technology for the purpose of reducing risk while increasing efficiencies.
And as always, if you need any guidance, we're here to point you in the right direction. Let us know how we can help.