With more people working from home in response to the pandemic, a shift to a decentralised hybrid workforce model, 5G network expansion, more connected devices, a growing trend towards Bring Your Own Device (BYOD), greater frequency and sophistication of ransomware attacks and greater dependency on third parties, cyber resilience (not just cyber security) has never been more important.
What does cyber resilience really mean? How is it different to cyber security? What are the essential elements of cyber resilience? At InConsult, we help build more resilient organisations. So in this publication, we take a deep dive into the topic of cyber resilience.
What is cyber resilience?
The US National Institute of Standards and Technology (NIST) defines cyber resilience as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that include cyber resources.”
At its core, cyber resilience is the ability to anticipate, prepare for, respond to and recover from cyber attacks or disruptions impacting information technology. It acknowledges that cyber security on its own is not enough. Cyber resilience is built on the premise that disruptions, attacks and incidents are bound to occur and availability should continue even when affected by adverse cyber events. So, while it would be great to prevent them, organisations should take time to plan how they will detect, respond and successfully recover.
Cyber security is a sub-set of cyber resilience that focusses on preventing cyber attacks and incidents. It consists of technologies, processes and measures that are designed to protect systems, networks and data from cyber attacks. It’s proactive and aims to significantly reduce the likelihood and impact of bad things happening in the first place.
Hackers are always looking for vulnerabilities or weak points to opportunistically pursue. These weaknesses are not always ineffective cyber security; they can be weaknesses in human psychology or simple human errors. In fact, according to Gartner, system misconfigurations accounted for over 75% of breaches. In another study, 40% of breaches occurred due to human error. So it is reasonable to assume that misconfigurations, human errors and disruptions will occur and that hackers will eventually gain access to your network, systems and data, and therefore you should always prepare for the worst.
Accepting that a cyber attack will occur does not mean you are giving in to hackers. It does not mean you should be complacent about your cyber security. It simply means you are prepared and ready.
What are the benefits of cyber resilience?
As a result of developing a robust cyber resilience framework, organisations will have in place layers and layers of internal controls, across all information systems, at different levels in an organisation and at different stages of preparedness. Done well, an effective cyber resilience framework delivers many benefits:
- Improves overall cyber risk governance and culture
- Proactively anticipates the types of cyber risks
- Strengthens internal systems, plans and processes to prevent, detect and recover from a cyber attack
- Enhances existing controls through continual review and improvement
- Enhances compliance with regulatory requirements
- Reduces financial costs and productivity losses
- Protects the organisation’s brand and reputation
What are the key elements of cyber resilience?
After an in-depth literature review of several cyber resilience frameworks, and from our own experience working with a range of clients, we have proposed a cyber resilience framework containing 6 essential elements.
No framework will ever be perfect or suitable for every organisation. However, our cyber resilience framework has a number of subtle differences from the current frameworks we observed, such as:
- Governance is the first step and forms the foundations of cyber resilience. Governance exists across all elements of the framework.
- We separate resilience into 2 states – (1) a pre-incident state and (2) a post-incident state.
- We include ‘refine’ as a centrepiece of the framework to ensure continuous improvement is considered before and after an incident.
Achieving cyber resilience is unlikely to happen unless there is a formal and proactive governance framework in place that outlines the organisation’s intent, commitment, practices, plans and responsibilities for achieving cyber resilience. The level of governance will vary depending on the size, complexity and nature of each organisation.
The cyber resilience framework can be stand-alone or part of a broader resilience framework. Whatever you choose, it should be aligned to the overall governance and risk management framework of the organisation. This means documented strategies, principles, policies, rules and procedures are in line with the overall governance framework as well as the organisation’s IT strategy.
Cyber resilience must be a primary focus of the board (or governing body) and senior management. They must provide leadership and commitment to help define the organisation’s culture. It is not something that can be left solely to the Chief Information Officer, security team or incident response team.
Boards should take ownership of cyber resilience oversight and ensure key policies and written directions are reviewed on a periodic basis. The board should also support and participate in key cyber risk management decisions, and receive regular updates on security issues, risks and overall compliance.
Roles and responsibilities within the framework should be well defined. At minimum, roles and responsibilities should be defined across the three lines, e.g. the board and committees, senior management, risk management, and internal and external audit.
It is important to also identify the key stakeholders within the cyber resilience framework to ensure their needs are addressed. Stakeholders will be internal and external – including vendors, security analysts and threat intelligence agencies.
A process for monitoring, reviewing, exercising and continually improving the resilience framework should also be in place. This can include well-known improvement practices such as PDCA (Plan-Do-Check-Act) or ITIL’s Continual Service Improvement.
Once the base line governance structures are in place, the next step is to anticipate and recognise the range of possible cyber risks, their causes and consequences. This step is about better understanding your organisation’s environment and cyber risk posture.
A formal cyber risk assessment is used to identify, analyse, evaluate and prioritise risk arising from the operation and use of information systems and networks, including key vendors across the supply chain. The risk assessment should:
- Consider the information assets and owners.
- Consider the value of information. If boards and senior management understand the value of their data to those with malicious intent, if they know where that data is, how it is protected, and who has access to it (including external sub-contractors), then they are in a stronger position to implement a cyber resilient business model.
- Identify and prioritise information assets e.g. hardware, software, data and processes.
- Identify the compliance obligations across the legal jurisdictions you operate in.
- Identify cyber risks and sources e.g. unauthorised access, service disruption, human error.
- Identify and evaluate the many layers of controls that currently exist and the effectiveness of their assurance.
- Determine the level of risk that remains after the controls are considered.
- Prioritise risks and develop additional risk treatments as required.
There are many ways to identify cyber risks. Typically, organisations use several methods including:
- Focus groups
- Experience and knowledge
- Scenario analysis
- Incident analysis
- Data analytics
- Penetration test results
- External security experts
- Industry experts
The risk assessment process should follow good practice standards such as ISO 31000 Risk management – Guidelines or The Committee of Sponsoring Organizations of the Treadway Commission (COSO) guides which address how companies can use ERM Frameworks to assess cyber risks.
Identification of the risks is not a one-off activity. Since hackers are continually finding new ways of penetrating systems and escaping detection, it is critical that risks and controls are evaluated regularly.
Now that the risks are known, this element is about implementing the right controls (policies, procedures, plans, activities) to either prevent or mitigate the impact of a cyber risk.
What are we protecting? What are we trying to achieve? At this point, let’s look at the Cyber Security CIA Triad.
Confidentiality, integrity and availability
The CIA Triad is a security model that aims to help people think about the various elements of IT security. It comprises three elements:
- Confidentiality – the set of rules that restricts access to information to the right people
- Integrity – ensures the information is trustworthy and accurate
- Availability – a guarantee that the information is readily available to authorised people when needed
These elements of the CIA Triad security model are considered the three most important concepts within information security.
Types of controls
To protect the organisation, layers, and layers, and layers of rigorous controls are needed. Why? In the event one layer fails, there are other layers that work to reduce the cyber risks. In fact, good cyber security will require a wide range of controls that work in different ways and at different points. Controls will have different characteristics such as:
- Preventative controls e.g. passwords or passphrases
- Detective controls e.g. intrusion detection systems
- Corrective controls e.g. data back up and recovery
- Hard controls e.g. user access logs
- Soft controls e.g. policies, training
Layers of controls
Now that we know the characteristics of internal controls, here are some examples of controls that help protect from cyber risks:
- Information and security policies covering data, computers and devices, emails and internet sites
- Physical and environmental security
- Network and communications security
- Network segmentation and segregation procedures
- Data encryption at rest and in transmission
- Patch management
- Configuration and change management
- Application controls
- User application hardening
- Enforce strong password policy
- Use passphrases instead of passwords to protect highly sensitive data
- Systems security
- Email and web content filtering
- TLS encryption between email servers
- Asset classification and management
- Endpoint security & intrusion detection
- Identity and user access control
- Email spoofing policies (e.g. DMARC)
- Multi-factor authentication
- Review and secure administrative privileges
- Security team competence and regular training
- Redundancy and backup systems of data and applications
- Decommissioning of systems no longer needed
- Crisis management team exercises
- Cyber security staff awareness training
- Conduct of email phishing simulations
- Vendor risk assessment and formal risk management
- Formal incident response and recovery plans
- Cyber liability insurance
The bottom line is, every layer counts and every layer is important.
Final warning! Just because you have layers of controls to protect the organisation does not mean you can stop thinking about cyber risks. Effective cyber resilience requires continuous monitoring, review and investment in upgrading and refining of these protective systems as a normal part of business. An appropriate budget is therefore critical.
4. Detect & Refine
Having effective controls to protect against cyber risks is only part of the solution. Ongoing, active and continual monitoring of the wider network and information systems to detect and escalate issues and potential cyber security incidents quickly is a key element of cyber resilience.
Early warning systems
Organisation-wide continuous monitoring and incident detection systems are implemented to monitor incidents on the organisation’s network and systems using Intrusion Detection Systems and Security Information and Event Management (SIEM) technologies. They are designed to detect and alert management to anomalies including user behaviour and abnormal changes in information across the networks, measured against a baseline reference of ‘normal’ activity.
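The baseline comparison described above, as an added example (not InConsult’s code, nor any SIEM vendor’s): it learns each user’s usual login hours and source networks from constructed known-good logs, then flags live events that deviate from that baseline or show repeated failures. The log format, user names and addresses are all constructed for the example.

```python
# Added example (not InConsult's code): baseline-then-deviation detection over constructed
# authentication logs of the form "<ISO timestamp> user=<name> src=<ipv4> result=<ok|fail>".
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(ok|fail)$")
# Constructed "known good" period: office-hours logins from the internal LAN.
BASELINE_LOG = [
    "2024-03-04T09:02:00 user=alice src=10.1.2.15 result=ok",
    "2024-03-04T14:30:00 user=alice src=10.1.2.40 result=ok",
    "2024-03-05T08:45:00 user=bob src=10.1.3.7 result=ok",
    "2024-03-06T13:20:00 user=bob src=10.1.3.7 result=ok",
]
# Constructed live events the detector is run over.
LIVE_LOG = [
    "2024-03-11T09:15:00 user=alice src=10.1.2.77 result=ok",    # normal
    "2024-03-11T03:02:00 user=alice src=203.0.113.9 result=ok",  # odd hour and new network
    "2024-03-11T13:05:00 user=bob src=10.1.3.4 result=fail",
    "2024-03-11T13:05:20 user=bob src=10.1.3.4 result=fail",
    "2024-03-11T13:05:41 user=bob src=10.1.3.4 result=fail",     # third failure in a row
    "2024-03-11T13:06:00 user=carol src=10.1.3.4 result=ok",     # account with no baseline
]

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed line; callers skip it rather than crash
    ts, user, src, result = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "result": result,
            "net": ip_network(src + "/24", strict=False)}  # source summarised to its /24

def build_baseline(lines):
    """Per user: hours of day and /24 networks seen in successful known-good logins."""
    base = defaultdict(lambda: {"hours": set(), "nets": set()})
    for ev in filter(None, map(parse, lines)):
        if ev["result"] == "ok":
            base[ev["user"]]["hours"].add(ev["ts"].hour)
            base[ev["user"]]["nets"].add(ev["net"])
    return dict(base)

def detect(lines, base, fail_threshold=3):
    """Flag events that deviate from the baseline; returns a list of (user, reason)."""
    alerts, fails = [], defaultdict(int)
    for ev in filter(None, map(parse, lines)):
        user = ev["user"]
        if ev["result"] == "fail":
            fails[user] += 1
            if fails[user] == fail_threshold:  # alert once at the threshold, not per failure
                alerts.append((user, "repeated failed logins"))
        elif user not in base:
            alerts.append((user, "successful login by account with no baseline"))
        else:
            if ev["net"] not in base[user]["nets"]:
                alerts.append((user, f"login from unseen network {ev['net']}"))
            if ev["ts"].hour not in base[user]["hours"]:
                alerts.append((user, f"login outside usual hours ({ev['ts'].hour:02d}:00)"))
    return alerts
```

Running `detect(LIVE_LOG, build_baseline(BASELINE_LOG))` yields four alerts: two for alice’s out-of-hours login from an unseen network, one for bob’s repeated failures, and one for carol’s login with no baseline; the 09:15 login from the office network raises nothing.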
It is good practice to have automated dynamic analysis of email and web content that blocks suspicious behaviour when identified.
Using information security specialists to attempt to break into an organisation’s networks e.g. penetration testing, engaging ethical ‘white hat’ hackers or ‘red teaming’ also helps to detect weaknesses.
Don’t forget about your vendors! Vendor monitoring tools are becoming increasingly important to detect breaches as they are reported.
Stay up to date with the latest cyber scams and security risks by subscribing to cyber security newsletters and other news sources.
Audit and assurance
Internal Audit can also add value at a technical and non-technical level. Some audit departments have strong IT audit and Artificial Intelligence capabilities to interrogate data and security logs. Internal auditors are also excellent at identifying gaps in processes, control design weaknesses and unmanaged risks.
Keep your finger on the pulse
Stay on top of the latest developments in cyber security by joining professional associations, subscribing to newsletters from different sources and following thought leaders on social media.
Exercise your plans
World champion boxer, Mike Tyson once said “everyone has a plan until they get punched in the mouth”. What he was saying is basically – plans are useful until you have to put them into action in the real world. That is why regular exercising of the various response plans is important.
Adaptability is important. Once vulnerabilities have been detected after a penetration test, audit or exercise or after a cyber incident has been resolved, refinements need to be made to better protect the information assets and systems.
If a cyber incident is detected, the clock starts ticking instantly. Depending on the type of cyber attack, the sooner you start the response, the less impact the attack is likely to have and the better the chance of a successful recovery.
A prompt response will help an organisation to continue to operate and get back to business as usual as quickly and efficiently as possible after a cyber attack or major disruption.
Incident response plan
In order to respond quickly, a well documented, rehearsed and tested Incident Response Plan is critical. Remember, the worst time to develop a response plan is during an actual incident, so good planning and preparation is good practice.
Other sub-plans may also assist in the response to a cyber incident e.g. Crisis Management Plan, Communication Plan.
The Incident Response Plan should be executed by a capable Incident Response Team with clearly defined roles and responsibilities. The Incident Response Plan should:
- Cover a range of cyber incidents
- List specific activities
- Define roles and responsibilities
- Establish invocation and escalation protocols
- List key contacts
- Outline communication protocols
- Be aligned to the organisation’s Crisis Plan and Business Continuity Plan
As part of the response, organisations should notify their insurer, anti-virus provider, cyber security experts and/or other cyber security service providers as a means of preventing further spread. Timely reporting also assists them to develop and deliver new solutions to manage and neutralise malicious intrusions in the future.
For some organisations, depending on the size, industry and geographic location, it is mandatory to report information security breaches to stakeholders impacted and/or a regulator.
During the response, it is important to keep an event log, copy of all emails, copy of communications and situation reports in a single folder to help you in the next stage – the lessons learned.
This final phase aims to restore data and services after a cyber attack or disruption to the pre-incident state.
Ideally, the organisation will have a number of pre-existing and pre-tested recovery sub-plans that are clear and thorough enough to execute an effective response. These recovery sub-plans typically include:
- IT Disaster Recovery Plan
- Elements of the Business Continuity Plan
- Crisis Management Plan
- Communication Plan
Once the recovery is complete, a lessons learned debrief should be scheduled to identify what went well and what can be done differently so that elements of the cyber resilience framework are refined and enhanced.
The lessons learned report should document exactly what happened, what impact it had and what actions you took for future reference and potentially claiming on any cyber insurance policy.
The actions from the lessons learned will be used to further refine your cyber security controls.
Our final thought. Nassim Nicholas Taleb, author of the popular 2007 book The Black Swan: The Impact of the Highly Improbable, wrote another book in 2012 called Antifragile: Things That Gain from Disorder. This is a great book about “resilience plus”. The key theme of this book is that unlike fragile systems, which break when put under stress, antifragile systems actually benefit from volatility and shock. Shocks and stressors strengthen antifragile systems by forcing them to build up extra capacity. Antifragile systems don’t bounce back to normal, but come back better and stronger.
Cyber security is excellent defence, but cyber resilience is a much broader concept. When you’re developing your cyber resilience framework, ask yourself how you can recover faster, stronger and better as an organisation.
Are you cyber resilient and ready?
Information assets are valuable and information technology is at the heart of all successful organisations. As clients and customers grow more and more accustomed to sharing highly sensitive personal information online, effective systems to govern, manage, detect, respond and recover from cyber risks are more important than ever.
It is now widely accepted that it’s no longer a matter of ‘if’ but ‘when’ an organisation will suffer a cyber attack or major disruption. Cyber resilience provides an organisation with an opportunity to look at and manage cyber risks from the top down and across different elements.
How we can help you achieve cyber resilience
Now is the time to move beyond cyber security to cyber resilience. InConsult is committed to helping organisations manage cyber risks and opportunities. We have extensive experience in audit and assurance, risk management, cyber risk management, climate risk, crisis management, business continuity, third party risk assessment, emergency management, disaster management and pandemic planning.
If you would like support in becoming a more cyber resilient organisation, contact us to discuss your needs.