It is a reality that cyber attacks on organisations lead to business disruptions and in many instances the business disruption is so catastrophic that the organisation fails to recover from the cyber attack.
Organisations are slowly realizing that preventing a cyber attack is inevitable. All organisations will eventually face cyber-attacks. How the organisation overcomes the cyber attack depends on how cyber resilient the organisation is.
Through effective cyber resilient processes, organisations can convert the cyber security crisis into an opportunity.
In this writeup, we explain the key differences between cyber security and cyber resilience and high level actions organisations can undertake to achieve cyber resilience.
|Factors||Cyber Security||Cyber Resilience|
|Definition||Cyber security refers to the processes, procedures and techniques that is used to protect the organisation data and infrastructure.||Cyber resilience refers to the ability of the organisation to respond and recover from a cyber-attack.|
|Operating Model||In most organisations, cyber security is a standalone program run by the IT department.||Cyber resilience is a part of enterprise resilience across all functional and operational areas of an organisation|
|Goal||Cyber security reduces the chances of getting a cyber attack||Cyber resilience reduces the impact of the cyber-attack and enables continuity of business operations|
|Organisation specific||Cyber security controls are usually common and consistent regardless of the type of organisation. E.g., Malware protection, Remote access protection, etc.||Cyber resilience frameworks usually differ for every organisation, based on the industry it operates in and the services it provides to its clients.|
|Major controls||Controls are generally technical in nature: |
• Malware protection
• Asset and access management
• Physical Security
• Secure systems and software development
• Security testing of systems and applications
• Awareness training
• Third party risk management
• Vulnerability protection and patch management
|Controls are generally business focused: |
• Backup and recovery
• Incident response and management
• Business continuity management
• Crisis Communications
• Regulatory & Compliance
|Personnel||Skilled personnel are required for each major technical control to implement and safeguard the organisation. Occasionally, business personnel are required for cyber security||Skilled personnel are required across business units to manage incidents, assess business impacts, develop response strategies and manage communications. All business unit personnel are key stakeholders in the case of cyber resilience|
|Elements required to be effective||Well-defined cyber processes, skills and technologies for all of the above controls||Proactive risk management, effective detection mechanisms, response and recovery frameworks.|
|Key Metrics||• How many high risks in place at the moment?|
• How many critical and high rated vulnerabilities are open?
• How many cyber-attacks successfully prevented from impacting the organisation?
• How many servers, laptops and systems that does not have malware protection?
|• How often the critical data is backed up? How many backup and restore tests are conducted each year?|
• How many simulation incidents have been tested?
• How effective is our Crisis Communications strategy?
• When was it last tested?How quickly did the organisation recover from the last cyber-attack?
• What are the potential business impacts of a cyber-attack?
How to plan for cyber resilience?
For an organisation to become cyber resilient, it must have cyber security policies and procedures to manage cyber risks, defend against cyber threats and ensure business continuity. Below are the recommended step-by-step procedures to plan cyber resilience for an organisation.
- Identity critical resources for business continuity
- Brainstorm with all the business units in the organisation to identify mission-critical functions, processes, systems, applications and other supporting resources.
- Assign priorities to the identified resources
- Conduct Business Impact Analysis (BIA) for the identified resources
- Analyse the impact on each resource and categorise them.
2. Conduct risk assessments
- Identify the risk likelihood for all the resources
- Assign risk ratings according to the enterprise risk management framework
- Analyse the risk profile and risk appetite of the organisation based on current cyber-attack trends
3. Implement cyber security controls
- Based on the impact and likelihood, research and identity cyber security controls to reduce the risk rating
- Develop a cyber security roadmap and implement the controls with planned timeline
4. Develop incident response and Business Continuity Planning (BCP)/IT Disaster Recovery (DR) frameworks
- Brainstorm and develop incident response framework to successfully respond to cyber-attacks. Incident response framework must include,
- Roles and responsibilities
- Incident response phases
- Incident categorisation
- Impact calculation
- Communication plan
- Reporting procedures
- Develop BCP/DR framework in consultation with business unit staff
- Create incident response playbooks for quick response in case of a cyber incident
- Create business continuity plans/playbooks to cater for potential business disruptions resulting from cyber-incidents
5. Train the personnel
- Regularly train the organisation staff on the frameworks, policies and procedures
- Improve their cyber security skills through quizzes and assessments
6. Test the frameworks and update regularly
- Simulate the attacks, incidents, etc and test the ability of the incident response and business continuity processes, procedures, plans and personnel
- Improve the plans based on the results of tests.