Many organisations now realise the importance of cyber resilience as they see the ramifications a single incident may have on their reputation and financial performance. Yet only a few companies take the initiative to develop and nurture their defence capabilities. In this piece, CTRL discusses the notion of cyber resilience and presents common misconceptions that hinder an organisation's cyber resilience journey.
Cyber Resilience is Beyond Information Security.
The idea of cyber resilience stems from how well an organisation can withstand cyber events. The more cyber-resilient an organisation is, the better its digitally networked systems can react before, during and after a cyber incident. Cyber resilience therefore depends on how an organisation sees threats and vulnerabilities, the defences it has developed, and the resources it mobilises to mitigate a security failure after it occurs.
Regardless of sectors and industries, leaders should prioritise cyber resilience to avoid the catastrophic failure threatened by creative and aggressive cybercriminals. Why? Because cyber resilience is vital to our economic and societal resilience.
Through the first half of 2021, we have seen giants around the world fall victim to cyberattacks. Hospitals such as the Waikato DHB, broadcast stations like Channel 9, and critical infrastructure such as Colonial Pipeline were brought to a complete operational halt as a result of cyber breaches. Should any of these breaches happen again, those in need of basic commodities, healthcare services and access to news and information could be seriously affected.
So, what is in the way of an organisation’s pursuit of cyber resilience?
Not Thinking Ahead.
“It is no longer an issue of if, but when.”
When it comes to cybersecurity, a lot of organisations tend to be reactive and only act after the fact. But by the time any action is taken, it is often too late: the damage is already done. Building cyber resilience therefore requires a great deal of planning and thinking ahead of time. The only way to reduce the damage from cyber incidents is to be prepared, so that the organisation can manage its vulnerabilities and risk exposures well.
“It is an IT problem.”
Undoubtedly, cyber threats are threats to the IT system. However, the consequences of outstanding cyber risks do not just affect the technology department. A cybersecurity breach can cause serious harm should proprietary data, confidential information or account credentials leak to the public. Oftentimes, the victim organisation is subjected to financial and reputational losses, as well as legislative obligations. As such, it is pivotal that cybersecurity is seen as a business issue and is accounted for in the wider business risk register.
“It’s not my responsibility.”
Despite the best efforts of organisations to improve their security posture, employees who are not disciplined about cybersecurity will give attackers an entry point into the organisation. Examples include clicking links in a malicious email, not verifying a requester's identity before transferring funds, or accessing sensitive work documents on personal devices.
Alarmingly, research suggests that 90% of cyber data breaches in 2019 were caused by human error. This only goes to show how often people are let down by their own naivety, when in fact individuals must maintain good cyber hygiene, as they are the first and last line of defence for any organisation.
Like a jigsaw puzzle, cybersecurity is an organisation-wide effort. Everyone plays an interconnected role and shares responsibility for the security of the whole organisation.
“Incident Response Plan, what’s that?”
An incident response plan is self-explanatory: it is a plan that outlines what to do in the event of a cyber incident. It sets out who to contact, who will fight the fire alongside you, and what information should be shared with the public. Nonetheless, simply having an incident response plan does not equate to cyber resilience.
A designated lead must be made responsible for the plan, just as you would for any other business area. This should be accompanied by regular meetings in which the incident response plan is tested collectively and thoroughly. These practice runs also help ensure that the planned responses remain current and effective against the latest techniques deployed by cybercriminals.
Incorporating Cyber Resilience into Business Strategy is Imperative.
These misconceptions may seem trivial. However, they can stop leaders and individuals alike from promoting and implementing an organisation-wide cyber resilience strategy.
Building cyber resilience requires everyone in a company, organisation, or government to recognise the importance of avoiding and mitigating risks.
CTRL is entrusted by many Australian and international organisations as a companion on their cybersecurity journeys. Talk to our consultants today to see how we can help your organisation in the pursuit of cyber resilience.