Cyber Resilience

  • Nov 23, 2021, 5:18:01 PM
  • 696 Times
Cyber resilience is the ability of an organisation to operate its business and accomplish objectives, regardless of any adversaries.

According to a ‘Global State of Cybersecurity in Small and Medium-Sized Enterprises (SMEs)’ study by the Ponemon Institute, more than 70% of SMEs have faced a cyber-attack. This means that despite the significant investments in cybersecurity, breaches are difficult to eradicate as cyber attackers are evolving along with technological advancements.

Cyber resilience is the ability of an organisation to operate its business and accomplish objectives, regardless of any adversaries. Cyber resilience is the process of understanding weaknesses and preparing for any type of adverse conditions which could include cyber-attacks or data breaches.

The COVID-19 pandemic is a good example of an adversary which has forced most of the workforce into remote work, yet allowing them to perform their business operations. Another example can be a data breach. If your organisation has been prepared through developing business continuity and incident management planning, you should be cyber resilient in  the face of incidents.
In a nutshell, cyber resilience is the ability of an organisation to stay operational through:

  • Preparing for any type of adversary
  • Adapting to overcome cyber threats
  • Withstanding a crisis and recovering from it
  • Learning from previous experience and improving theorganisational cyber resilience

How to develop Cyber Resilient Strategies

1- Alignment to Business Strategy

A business strategy provides insights into the business processes and assets to sustain the organisation and the extent of vulnerability to cyber disruptions that will be faced by these processes and assets. Therefore, a cyber resilience strategy must cover the entire life cycle of the product and help business operations including people, suppliers, and capital.

2- Risk-based approach

Risk management is a fundamental step for a reliable cyber resilience program. A holistic cyber risk management approach should be adopted by which the enterprise strategy and cyber risk exposures are addressed to make a cyber resilient organisation in the ever-changing market environment.

In fact, aligning cyber resilience risk management to the business risk environment of the company is a key factor to make an organisation resilient. To ensure continuity in directing, tracking, and assessing the mitigation of cyber risks within the entire enterprise, one should incorporate the cyber risk governance within the current organizational governance structure.

3-Response and Recovery

Through a robust strategy and risk management, the required processes and systems should be developed by which any suspicious activity should be handled, once identified. This could be addressed through developing business continuity plans, disaster recover plans, and incident management plans through which your organisation will be cyber resilient in  the face of adversity.

Developing a cyber resilience organisation

To evaluate and build a cyber resilient organisation, there are several frameworks available such as Cyber Resilience Review (CRR), Symantec, and NIST SP 800-160. Based on your organisational needs, you can adopt various frameworks, but we recommend four following steps for this journey:

1. Developing a customised framework: This step is crucial to begin the journey of becoming cyber-resilient. For any cyber resilience program, a structure will help to determine priorities and objectives by which you can build a prioritised, scalable, and cost-effective path to being cyber-resilient.

2. Risk Analysis:  Cyber resiliency is all about operational sustainability. Identifying cybersecurity threats is another key step towards creating a robust cyber resilience program. This will help you better understand how the organisation would be impacted by a cyber-attack by creating a list of where your operations rely on technology.

3. Resource Evaluation: Analyse company resources after performing a risk evaluation to determine whether there are places where a managed service provider or more automation might be used by your company. Make sure you take a census of both the human and technical capital within the business.

4. Detection and Protection: A plan to defend from any adversary based on the most sensitive procedures and properties in your company and how they might be impacted by an attack is the final step.