To be successful, companies need to embrace a concept of holistic cyber resilience, which improves their chances of resisting threats from both internal and external sources and managing those risks effectively. My own checklist for holistic cyber resilience has 10 elements:
1. Understand risk
Cyber resilience must be a primary focus of boards and senior management. It is not something that can be left solely to the chief information officer. As strategic risk managers, board members need to take personal legal, ethical, and fiduciary responsibility for the company’s exposure to cyber compromise, regularly addressing the risk of cyber failure, and ensuring that cyber resilience is built into all aspects of their business and operating models.
2. Understand consequences
We can all comprehend how a prolonged breakdown of cybersecurity in the telecommunication sector, the banking industry, or an airline could be catastrophic on a national scale. At the small and medium-size business level, cyber disruption could be equally disastrous both for the business and for the customers who had placed their trust in it. For any enterprise, the failure or disruption of operating systems or the compromise of intellectual property, commercially sensitive information, or data held in trust for customers (such as personal and credit card details) will be reflected in the company’s reputation, credibility, and, ultimately, its profitability.
3. Understand systems and data
Accurate assessment of risk and the consequences of failure is facilitated by a clear understanding of a company’s IT systems and the data it holds. If boards and senior management understand the value of their data to those of malicious intent, if they know where that data is, how it is protected, and who has access to it (including external sub-contractors), then they are in a stronger position to implement a cyber resilient business model.
4. Regular cyber hygiene
For example, the Australian Cyber Security Centre has drawn up a list of 35 strategies to enhance cyber resilience. While some are complicated and need the support of technical specialists, just four strategies (regular proprietary patching of software, as well as of operating systems; minimising the number of systems administrators with privileged access; and application white-listing) will help mitigate about 85% of the current panoply of malicious intrusions.
5. Redundancy, backup systems and response plans
There have been enough publicised instances of malicious destruction of data, or denial of access to data (as with ransomware), not to mention human errors causing system failure or data loss, to make it axiomatic that companies build in system redundancy and regular real-time backing up of data and records.
Redundancy and backup systems will be essential to recovery after a successful attack. Boards also need to ensure that their enterprise war-games and regularly exercised response plans can be implemented immediately if an attempted attack is detected. Boards need to be proactive in ensuring these elementary measures are implemented assiduously.
6. Proprietary malware protection systems
There is a growing range of off-the-shelf proprietary anti-malware systems available to the ordinary cyber consumer. Cybersecurity technology companies are developing solutions that have moved beyond the concept of ever-higher digital firewalls, necessary as those are, into exciting new realms of predictive and intuitive digital analysis, providing deeper layers of security. Major consulting companies now promote one-stop-shop cybersecurity management packages tailored to the needs of a particular enterprise.
7. Access professional expertise
Cybersecurity technology is now so complex that few companies can afford the expertise and resources to achieve cyber resilience on a solely in-house basis.
Access to regular, independent, professional advice on cybersecurity is essential, as attack methodologies proliferate in depth and breadth. Increasingly niche cybersecurity providers, in addition to the larger business consulting firms, have the expertise and access to sophisticated protective cyber security systems that will assist boards to support their CIOs with professional advice and customised software solutions. What can never be outsourced, however, is ultimate responsibility for cybersecurity within an enterprise.
8. Continuous investment
The tools of cyber offence are developing so rapidly that the tools of defence are constantly struggling to keep up. For this reason, investment in cybersecurity can never be a one-off activity. Effective cyber resilience requires continuous investment in the upgrading and refining of protective systems as a normal cost of business.
9. The human factor
While the vast majority of cyber attacks emanate from outside the enterprise, human error within the organization, including through a lack of security awareness, is an important contributor to security breaches. Cyber resilience requires the active participation not simply of the company’s systems administrators, but of all staff who access the system and who, as normal human beings, are tempted to click on spam or open unverified email attachments. Without regular staff training and security skills upgrading, company expenditures on the most sophisticated protection systems will be less effective. A strong culture of cybersecurity resilience, including an informed and committed staff, creates an environment where peer behaviour reinforces positive security practices.
In my experience, staff react positively to examples-based cybersecurity training. They lap up the narrative of cybersecurity incidents. They are intrigued by the technology of cyber offence and defence, and they respond well to being included as partners within the enterprise’s cybersecurity effort. Cybersecurity can be professionally rewarding and fun. For some, however, it is more than fun. Another source of cyber attack is the trusted insider a person who uses access to the company IT system either to steal proprietary information or to vent a grievance by disrupting or disabling the system. A combination of strong security controls, including access and usage monitoring, together with sound staff management practices, can help mitigate this threat.
10. Report breaches
While it is up to stock exchanges and governments to set rules for company reporting of significant cybersecurity breaches, it is important that anti-malware service providers and government cybersecurity agencies be informed of the nature and extent of cyber attacks. Timely reporting assists the anti-hackers to develop and deliver new solutions to manage and neutralise malicious intrusions. In this sense, breach reporting is both an act of self-help and an important element of cyber resilience.
Read David Irvine’s full chapter “Cyber Resilience A Whole-of-Enterprise Approach by downloading your copy of the Navigating the Digital Age – The Definitive Cybersecurity for Directors and Officers Australia here.