The attack surface is constantly expanding due to remote work trends, sophisticated cyber-criminal groups, and human vulnerability.
It is no wonder that cyber incidents have ranked first among global companies’ concerns in the Allianz Risk Barometer’s 2022 annual report.
The ability to continue operations following a cyber intrusion is critical to customer trust, business revenue, brand reputation, and regulatory compliance. But only a few companies have developed cyber resiliency (CR). Many are still vulnerable to the potentially grave consequences of cyberattacks (see Figure 1).
Figure 1: Without effective cyber resilience, the wider the incident scope and the longer the recovery, the more catastrophic the impact on the enterprise
Lay the groundwork
When aiming for cyber resiliency, begin by creating a focused unit.
The leader of the focused unit, also known as the CR champion, should have both IT and business experience and the full support of the senior leadership.
Organizational silos, where the detailed knowledge needed to improve the resiliency of a specific business function resides only within that function, can prove to be roadblocks (see Figure 2). Ideally, the insight and active support of those functions should be incorporated into a cyber resiliency program that the CR champion orchestrates.
Figure 2: Cyber functions that tie together with cyber resilience
Spread awareness of all digital resources.
The enterprise should prepare an inventory of its IT and business networks and, if applicable, operational technology and industrial control systems (OT/ICS) and data repositories. For many organizations, the trend toward cloud migration means digital assets stored off-premises or in a hybrid environment should be included in the inventory. With the help of business and IT process owners, the CR team should map the digital roles and activities that keep the organization functioning. Similarly, enterprises should survey cyber links to suppliers and vendors, estimate associated risks, and formally acknowledge hazards.
Once these are defined, enterprises can then prioritize protecting key assets and monitoring high-value resources and significant system weaknesses. They should adopt a zero-trust security framework to protect networks, implement stringent identity and access management controls, and deploy secure virtual private networks (VPNs) and encryption. Networks should be segmented to keep malicious intruders from moving laterally, and enterprises should establish clear demarcations between IT and OT connectivity and control systems. All data and systems should also be backed up offline.
In anticipation of an attack, cyber resilient enterprises should establish partnerships to forestall becoming a victim and, if needed, to facilitate response and recovery. Sharing cyber threat intelligence and cooperating on security issues with both private sector peers and public sector agencies will not prevent every attack, but it will contribute to collective defense and enhance mutual resilience.
Implement a unified approach to manage cyber risk and integrate cyber and business strategy, focusing on business enablement.
This approach includes updating governance documents, such as business impact analyses, technology management strategies, and business continuity procedures. CR team members should lead IT teams and business lines in a collaborative review that sets realistic expectations for cyber incident response and refines true recovery point and recovery time objectives, maximum tolerable downtime, maximum impact tolerance, and alternative action plans (see Figure 3).
Figure 3: Timeline of cyber incident recovery
While the CR team leads the cyber resilience effort, ensure the program goals are integrated throughout the organization.
Business units and IT teams should be responsible for creating and/or updating their respective cyber resilience governance documents. As enterprises embark on their journey to cyber resiliency, they can work through this checklist to ensure they have a robust plan in place:
Identify a CR champion.
Heighten awareness of all digital resources.
Document and understand dependencies on third parties, suppliers, and vendors.
Prioritize all assets across digital, physical, and vendor-managed inventories.
Increase network segmentation and develop a data vault.
Double identity and access management (IAM) efforts, emphasizing role-based access management (RBAM) for critical systems.
Partner with government agencies for increased awareness of threats and threat vectors.
Partner with industry-recognized leaders to guide efficient implementation of CR processes.
Respond and recover
Be armed with a target operating model for cyber crisis situations, including arrangements to restart systems temporarily disabled by an attack.
Enterprises must regularly test playbooks for continuity and crisis management in the event of a cyberattack. In case of a breach, there should be pre-designed communication scripts and an established approval process for releasing information to the public. Ideally, these internal plans would be shared confidentially with relevant government agencies.
For enterprises in critical infrastructure industries such as communications, it is advisable to establish an offline data archive to back up and store the proverbial ‘crown jewels’. A third-party service provider can support this resiliency measure. External, industry-led organizations, such as sector-based information sharing and analysis centers (ISACs), can provide general standards to promote data protection and recovery. Organizations utilizing digitally air-gapped data vaults should regularly test recovery procedures to be prepared in case of a catastrophic cyber event.
Finally, given the widespread occurrence of attacks and their potential for considerable damage, cyber resilience warrants undivided support from the organization’s most senior leaders. Board members and senior management should receive regular updates on the enterprise’s cyber resilience posture to help them maintain awareness, enable resource prioritization, and facilitate risk mitigation. Their support is foundational to organization-wide recognition of the critical value of cyber resilience efforts.