As businesses face more cyberattacks than ever before, more and more leaders are finding the need to enact proper proactive protections through cybersecurity or cyber-resiliency plans.
Cyber resilience is the ability to anticipate, withstand, recover from, and adapt to the adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. Cyber resiliency is intended to enable and protect missions or business objectives across all ecosystems that depend on cyber resources (i.e. technology, people, processes, data, etc.) to be achieved in a contested (attack/data loss/compromised, etc.) cyber environment.
Due to enhanced sophistication of these attacks, the sooner businesses can create a cyber-resilience plan, the sooner they will be protected from harm. Cyber risks and attacks impact every organization, every day, internally and externally and across the supply chain and ecosystem. Those attacks or contested environments encompass anything from crashing a single PC or infecting a cell phone, to interrupting a network to shutting down life support systems. If businesses do not have a process and program in place to assess, measure, report and keep pace with those cyber and other risks, organizations are left vulnerable to data loss and the potential for catastrophic damage and client loss, as well as the subsequent potential for regulatory sanctions.
Here are four key elements necessary for businesses creating a proper cyber-resiliency program.
Develop a documented plan
A proper cyber-resiliency plan must be based on a business’ environment, the data sets used, legal and regulatory requirements, appetite for risk avoidance, repetitive historical assessments of cyber-control operating effectiveness, and the ability to look forward to the ever-changing cyber risks that must be integrated into the plan.
Conduct regular technical-maintenance testing
Once the plan has been developed and finalized, it’s important to repeat the identified steps as often as needed — but never less than annually — to assess the program. Technically testing the business’ environment and its people is required through real-life scenarios. Use cross-functional teams in the business and document findings from the tests to learn if a program is strong enough to withstand an attack.
Implement safety controls
Adding controls like muti-factor authentication, advanced malware protections, intelligent protection tools, vulnerability scans, internal and external penetration and hacking tests, business-email phishing, and testing text messaging user access, are all key controls vital to assessing your cyber-resiliency program.
Evaluate and readjust plans as necessary
After testing, it’s vital to evaluate and reassess. Cyber risks and attacks are ever-changing, making it imperative to be agile. Never forget this is a journey and that an effective plan must adjust as often as needed to advance protections against the changes in the ever-evolving cyber ecosystem.
Ultimately cyber-resiliency programs must be unique to individual businesses. At the core, these steps will help protect businesses from a cyberattack, and the best way to start building cyber resiliency is to start now.
Finding experts, both internally and externally, is a great first step. Experts, such as a chief information security officer (CISO), are necessary to provide demonstrable and certifiable experience to guide businesses to an effective and operational plan. If businesses cannot find or afford a CISO, contract with a virtual CISO (vCISO). A vCISO with real experience will be your best guide and provide the ins-and-outs of the requirements necessary to protect the business, and will have their hands in various scenarios, clients, and verticals, which adds to its ongoing expertise and knowledgebase.
The bad guys are changing their tactics rapidly. Cybercrime as a service is booming, ransomware attacks are increasing, users are getting more savvy on how to circumvent controls, exception lists are growing, and the data sets are getting more complex with the ever-expanding ecosystems in which organizations are involved. If you have not started, there is an urgent need to get started on your business’ cyber-resiliency plan, today.
Carl Cadregari is an executive VP in the FoxPointe Solutions Information Risk Management Division of The Bonadio Group. He has more than 28 years of experience providing actionable technology, cybersecurity, and data-governance architecture, controls auditing. and general cybersecurity planning.
Author’s disclaimer: The summary information presented in this article should not be considered legal advice or counsel and does not create an attorney-client relationship between the author and the reader. If readers of this have legal questions, it is recommended they consult with their attorney.