Building cyber resilience is critical as threats rise

Given the pace of change and scale of threat in the digital world, Steve Durbin, managing director at the Information Security Forum, details how organisations can increase their cyber resilience profile over the next twelve months

It’s becoming an all-too-familiar refrain, but it’s nonetheless true — 2018 was another banner year for cyber crime, data breaches and reputational ruin. We’ve added political drama, such as government shutdowns and manipulated elections, to the usual drumbeat of personally identifiable information (PII) exposures, ransomware attacks and banking malware. Traditional security risks have long since become central business risks. The scope and intricacy of the challenges around sustaining a business and protecting data assets in the digital era have pushed cyber security risk to the top of the executive boardroom agenda.

The threats are growing in every dimension: variety, scale, complexity, country of origin, and type of bad actor — from script kiddies and hacktivists to organised cyber crime rings and foreign intelligence operatives. Then there are the persistent factors like human error, loss and theft of physical devices, malicious insiders, and security skills gaps and shortages. In modern digital ecosystems, proactive risk management and multi-layered defence must be structured and sustained as enterprise-wide efforts.

Guarding high value assets is a vital to cultivating resilience
C-level executives and senior information security and IT practitioners are accountable to report and educate stakeholders about the corporate risks associated with their organisation’s activities in cyberspace. Highly publicised breaches, financial loss and a growing collection of privacy and security regulations have made the hot seats hotter in organisations around the world. The pressure is on to assure stakeholders that the highest value assets — the ones that pose the greatest risk to the company if compromised — are monitored and protected as comprehensively as possible. Assets such as property, plant and equipment are tangible. Digital assets are intangible and represent a distinct type of risk.

The most valuable intangible assets generally fall into one of two buckets: legal, including trade secrets, copyrights and customer lists; and competitive, including company culture, collaboration activities and customer relationships.

Both types are essential drivers of business continuity, market advantage, and shareholder value. It’s common practice to rank the importance of information using a simple classification chart. It’s vital to remember that mission-critical information assets represent only a thin slice of the top layer. Assets may be ‘high’ or ‘critical’ in value but not designated as mission-critical. Ensuring that all intangible assets central to sustaining business operations are identified, assessed, and secured requires a new, more nuanced approach to risk management.

Maturing risk management develops risk resilience
To anticipate, mitigate, and respond to the negative impacts of cyberspace activity, organisations must extend risk management to include risk resilience. As everything from supply chain management to customer engagement shifts to the cloud, operating in cyberspace now has bottom line implications if systems are disrupted. Fortifying governments and enterprises to build up broader ecosystem resilience is imperative — everything is interconnected and interdependent, including risk. Cyber resilience requires balanced approach that protects both organisations and individuals while also enabling open, safe commerce and communications.    

This is an exceedingly difficult balance to strike, as many organisations learned during their GDPR preparations. In order to achieve cyber resilience, risk management should encompass confidentiality, integrity and availability of information. At the same time, resilient organisations recognise and prepare for the unintended business consequences from cyberspace activity, including commercial, financial, and reputational damage.

Making cyber security everyone’s job
Cyber threats are no longer the sole domain of information security. All business units are affected, as are external customers, suppliers, investors, public relations and advertising agencies, and other stakeholders. Senior business leaders, preferably the chief executive or chief operating officer, should take a coordinated, collaborative approach to preparing the organisation for unpredictable events.

Organisations must be agile in order to prevent, detect and respond quickly and effectively, not just to the technical aspects of incidents, but also to the fallout. An incidence response team comprised of areas from across the organisation should be created to develop and test plans, investigations, and follow-up. This team should be equipped and trained to respond quickly to an incident by communicating with all parts of the organisation, notifying individuals who might have been compromised, cooperating with regulators, and diligently monitoring for delayed consequences.

Managing rising complexity
The array and sophistication of cyber security threats will continue to rise significantly over the next decade. Managing cyber risk from cyberspace must extend beyond traditional information security parameters to include employee devices, third-party suppliers, mergers and acquisitions, and the Internet of Things (IoT).

As they prepare to deal with existing threats as well as ones we’ve yet to imagine, there are three main drivers’ businesses must consider:

Internal threats - As technologies bring new benefits to the enterprise, they also increase risk, particularly when security implications are not thoroughly assessed prior to implementation. Periodic reviews of the business impact and risks stemming from supply chain should be conducted. Employee policies and procedures for BYOD programs as well as password logins should be optimised and enforced. Your security team should be involved at the outset in reviewing the security of any new suppliers.

External threats - State-sponsored espionage, widespread ransomware, and attacks on systems used to manage critical infrastructure in the real world (banks, hospitals, utilities, industrial control systems, municipal governments, etc.) are outpacing IT resources, even at the largest and most well-protected organisations. Enterprises would do well to follow government’s unified situational awareness approach with controls in place to monitor, detect and remediate problem areas in real-time. Collaboration and sharing of attack information with trusted law enforcement agencies and business partners will also help to keep external risks in check.

Regulatory threats - In the cloud era, regulatory mandates, data privacy laws, and the push towards greater private/public sector collaboration and disclosure about security preparedness is adding to an already heavy compliance burden. Companies need to use better reporting tools and data governance platforms to streamline workflow and integrate risk management activities. Security and incident response procedures should be in place and tested. Be sure to step up your security assurance requirements for vendors and business partners.

Building a successful cyber resilience program
It’s increasingly clear that traditional risk management isn’t nimble enough to deal with constantly evolving threats over which organisations have varying degrees of control. A comprehensive cyber security program leverages industry standards and best practices to protect systems and detect potential problems, along with processes that provide actionable intelligence on current threats and enable timely response and recovery. Leveraging a resilience-based approach to apply cyber security standards and practices leads to comprehensive and cost-effective risk management that goes well beyond compliance requirements.

Cyber resilience is about ensuring the sustainability and success of an organisation, even when it has been subjected to the almost inevitable attack. By adopting a realistic, broad-based, collaborative approach to cyber security and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber threats and respond expediently.

Tightening the gap between awareness and action
Preparation is the key to resilience. Following is a short list of next steps to consider in the year ahead: focus on the basics; include both people and technology; adopt policies and procedures that engage; prepare for the future; be ready to support new business initiatives; align security with risk management; change your thinking about cyber threats, risk, and resilience; re-assess the risks to your organisation and its assets from the inside out; collaborate and share insight and intelligence; and understand your unique and shared vulnerabilities.

Business leaders readily recognise the enormous benefits of cyberspace — innovation, productivity, and engagement with customers. It is much more difficult to intelligently assess the risks versus the rewards, and then act from that understanding. Leading the enterprise to a position of readiness, resilience, and responsiveness is the most proactive way to secure assets and protect customers, partners, employees, and the bottom line.

Steve Durbin is managing director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. He has been ranked as one of the top 10 individuals shaping the way that organisations and leaders approach information security careers.