June 18, 2018
Cyber resilience: preparing for the real-life scenario
Cybersecurity ends where the attackers succeed. Once they get past the protective layers (which in targeted attacks they almost always do), cyber resilience measures need to kick in: measures that keep business operations running despite compromised IT systems or lost data. So what exactly does cyber resilience consist of?
Before looking at cyber resilience in detail, one fundamental point about classification needs to be made: cyber resilience is not a substitute for cybersecurity. The two sets of measures complement each other, but they focus on different things. Cybersecurity is tasked with protecting systems, networks and data. By definition, however, its effectiveness only extends to the point at which an attacker overcomes the various protective mechanisms. At that point, cyber resilience comes into play.
Using predefined measures, such as backups, emergency communication plans or Business Continuity Management, it ensures that business operations are not interrupted if the worst happens, or can at least be restored quickly.
To anchor resilience measures in the company, top management first has to accept that every company is successfully attacked sooner or later. As that is a fairly unpleasant fact to acknowledge, many executives and security managers still find it hard to accept resilience as a necessary task. It helps to keep in mind that the question "And what happens if an attack succeeds?" is precisely the one that cyber resilience measures answer.
A basic requirement for successful measures, alongside management attention, is a suitable budget. To free up the corresponding funding, it is worth analysing the current spend on cybersecurity components. After a thorough check of the current, actual risk, it may include items that are no longer necessary or that can be deferred to a later point in time. Distributed Denial of Service (DDoS) attacks, for example, are certainly a problem for many companies. But an organisation only needs dedicated protection against them if a DDoS attack would actually bring its business processes to a halt. If that is not the case, the money planned for it is better invested in resilience.
Many organisations already have Business Continuity Management (BCM) concepts, as mentioned earlier. But these concepts are often designed only for natural disasters or fires. A cyber-attack that affects large parts of the IT infrastructure calls for quite different measures: for example, working replacement hardware that can be issued to key employees in the event of a ransomware attack. Where BCM calls for a backup concept, cyber resilience adds a check of its own: is the backup limited to the relevant (business-critical) data, or is non-critical data being backed up alongside it; can the critical data be restored in the shortest possible time, to the place where it is actually needed; and are the backup copies themselves out of reach of an attacker who already controls the network? In short, cyber resilience demands answers to the question of how a wide-area cyber-attack affects business operations.
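As an added example, not taken from the article or from any product it mentions, the following Python script makes the backup check just described concrete. It takes an inventory of business-critical data sets, each with a recovery time objective (RTO) and the location where a restore has to land, and compares it against what a restore drill actually recovered: is each critical data set present in the backup at all, is the recovered copy intact (SHA-256 against the hash recorded when the backup was taken), did it land in the right place, and did the restore finish within the RTO. It also lists what is in the backup but not on the critical list. All data-set names, restore targets, hashes and timings are constructed for illustration.

```python
"""Restore drill for a cyber resilience backup concept.

Added example, not from the original article. The data sets, hashes,
restore targets and timings below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class CriticalDataset:
    """A business-critical data set and what a usable restore of it looks like."""
    name: str
    rto_minutes: int        # recovery time objective: longest tolerable restore
    restore_target: str     # where the data has to land to be usable
    reference_sha256: str   # known-good hash recorded when the data was backed up


@dataclass(frozen=True)
class BackupEntry:
    """What the backup catalogue actually holds, plus the last drill's result."""
    name: str
    payload: bytes          # content as read back from the backup medium
    restore_target: str     # where the drill restored it to
    restore_minutes: float  # wall-clock time the drill needed


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def restore_drill(critical, catalogue):
    """Map each critical data set to a list of findings; an empty list means it passed.

    Checks, in order: present in the backup at all, content intact, restored to
    the right place, restored within the RTO.
    """
    by_name = {entry.name: entry for entry in catalogue}
    findings = {}
    for ds in critical:
        entry = by_name.get(ds.name)
        if entry is None:
            findings[ds.name] = ["not present in backup set"]
            continue
        issues = []
        if sha256_hex(entry.payload) != ds.reference_sha256:
            issues.append("integrity check failed: hash mismatch, copy is corrupt or tampered")
        if entry.restore_target != ds.restore_target:
            issues.append(f"restored to {entry.restore_target}, needed at {ds.restore_target}")
        if entry.restore_minutes > ds.rto_minutes:
            issues.append(f"restore took {entry.restore_minutes:.0f} min, RTO is {ds.rto_minutes} min")
        findings[ds.name] = issues
    return findings


def non_critical_in_backup(critical, catalogue):
    """Backed-up items that are not on the critical list (candidates to drop or deprioritise)."""
    critical_names = {ds.name for ds in critical}
    return sorted(entry.name for entry in catalogue if entry.name not in critical_names)


# Constructed sample data: known-good content as it was when the backup was taken.
ERP_GOOD = b"erp: customer and order tables, snapshot 2018-06-17"
CRM_GOOD = b"crm: contact records, snapshot 2018-06-17"
PAYROLL_GOOD = b"payroll: ledger, snapshot 2018-06-17"

SAMPLE_CRITICAL = [
    CriticalDataset("erp-db", 240, "dc-primary:/restore/erp", sha256_hex(ERP_GOOD)),
    CriticalDataset("crm", 480, "dc-primary:/restore/crm", sha256_hex(CRM_GOOD)),
    CriticalDataset("payroll", 1440, "dc-primary:/restore/payroll", sha256_hex(PAYROLL_GOOD)),
    CriticalDataset("email-archive", 2880, "dc-primary:/restore/mail", sha256_hex(b"mail archive")),
]

SAMPLE_CATALOGUE = [
    BackupEntry("erp-db", ERP_GOOD, "dc-primary:/restore/erp", 90),                # passes every check
    BackupEntry("crm", CRM_GOOD[:-5], "dc-primary:/restore/crm", 120),            # truncated copy
    BackupEntry("payroll", PAYROLL_GOOD, "dr-site:/tmp/payroll", 1500),           # wrong place, too slow
    BackupEntry("marketing-assets", b"brochures", "dc-primary:/restore/mkt", 30),  # not critical
    # "email-archive" is missing from the backup set entirely
]


def run_sample_drill():
    return restore_drill(SAMPLE_CRITICAL, SAMPLE_CATALOGUE)


if __name__ == "__main__":
    for name, issues in run_sample_drill().items():
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
    print("backed up but not critical:", non_critical_in_backup(SAMPLE_CRITICAL, SAMPLE_CATALOGUE))
```

In a real drill the payloads would be read back from the backup medium and the timings measured during the restore; the point of the script is that "we have backups" is not a resilience statement until each critical data set has passed all four checks.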
So what does a comprehensive cyber resilience concept need to cover? One recommendation from the US Computer Emergency Response Team (CERT) is to examine the following areas closely and, where appropriate, include them in the concept:
Hardware and software assets
Configuration Management and Change Management, to keep the assets functioning
Dealing with vulnerabilities
Dealing with emergencies
Business Continuity Management
Dependency on external third parties (partners, suppliers, etc.)
Cyber resilience, along with the other topics discussed above, was highlighted at Command Control 2018, including in the Integrated Risk Management theme world.