Cybersecurity: The four dimensions of cyber security resilience

Organizational cybersecurity resilience is essential for thriving amidst relentless cyber threats. As cybercriminals and nation-states leverage sophisticated tools, it’s crucial for businesses to protect, detect, and swiftly respond to cyber incidents. Recent surveys indicate that 40% of UK businesses experienced cyber attacks last year, underscoring the urgent need for robust cybersecurity strategies. This post explores the critical dimensions of cybersecurity resilience—risk management, threat protection, event detection, and incident minimization—and emphasizes the continuous evolution required to safeguard critical functions and data in a dynamic threat landscape.


Introduction – Cybersecurity resilience

Organisational cyber security resilience is crucial for companies to thrive in a world with sustained adverse cyber security events. Companies continue to face sustained headwinds of cyber security attacks as various threat actor groups, namely nation states and cyber criminals, have made attacks business as usual and automated the search for weaknesses and vulnerabilities in technologies and digital services. Furthermore, the leak of hacking tools from leading government intelligence agencies and the maturing of open-source offensive tooling have significantly reduced the barriers to entry for cyber security threat actors, making it increasingly easy for them to target companies successfully. According to the Cyber Security Breaches Survey, four in ten UK businesses identified a cyber security attack within the last twelve months [1], which explains the frequent disclosures of cyber security events these days. Some prevalent adverse cyber security events include ransomware attacks, phishing attacks, supply chain attacks and denial of service attacks [2]. These adverse cyber security events have devastated businesses, halting the delivery of essential services to customers and consumers while damaging the organisation’s reputation and causing severe financial losses. They have led 82% of UK boards and senior management to rate cyber security as a ‘very high’ or ‘fairly high’ priority, and 50% of businesses now update the board on cyber security matters at least quarterly [1]. Hence, cyber security resilience is now necessary for any company with a working product or service, a proven return on investment, evidence of sales and stakeholder funding. So, let’s define cybersecurity resilience.

What is cybersecurity resilience?

The UK government’s cyber security strategy (GCSC) defines cyber security resilience as the ability of an organisation to maintain the delivery of its essential functions and services and ensure the protection of its data despite adverse cyber security events [4]. Cyber security resilience means an organisation not only protects its essential functions and services but can also detect cyber security events, respond to them, and recover the essential functions and services when necessary. Cyber security resilience is a balanced position of measured defensive and offensive controls. The dimensions of cyber security resilience are effectively managing cyber security risk, protecting against cyber security threats, detecting cyber security events, and minimising the impact of cyber security incidents [4]. These dimensions are credible as they align with other industry best practices, including the National Cyber Security Centre Cyber Assessment Framework (NCSC CAF) [5] and the National Institute of Standards and Technology (NIST) Cybersecurity Framework [6]. Companies must mitigate the risk of adverse cyber security events on essential technologies and digital services by implementing adequate and measured cyber security controls. The full suite of security controls would include preventive, detective, corrective and deterrent controls. The timely implementation of these robust controls is how companies can thrive in a world with sustained adverse cyber security events.

Dimensions of cybersecurity resilience

Organisations need to ensure cyber security resilience in sustained cyber security events by being able to:

  • Manage cybersecurity risk: A robust risk management strategy is now a must to achieve cybersecurity resilience. An organisation’s risk management strategy should include the underpinning framework, policy, defined ownership and accountability, and a cascade of the risk appetite statement down to products and services. The risk appetite statement becomes the bedrock for developing the security governance documents, including capability- and technology-specific policies, standards, patterns, and other artefacts. It defines the level of cyber security risk the company is willing to tolerate and the approach to mitigating any cyber security risk above that appetite.
  • Protect against cyber security threats: Organisations should defend against cyber security threats by implementing measured, appropriate, risk-based controls. Control objectives must be identified and understood before implementing vendor products and solutions, to ensure they actually reduce risk in the organisation’s technologies and digital services. Examples of cyber security control frameworks organisations can leverage include ISO 27002, the CIS Controls and the NIST Cybersecurity Framework (CSF). Organisations should apply these controls based on their unique context and in line with their risk appetite.
  • Detect cyber security events: Organisations need to detect cyber security events using both a reactive and a proactive approach. A reactive approach ensures the appropriate telemetry of events flows into a security information and event management (SIEM) platform for real-time automated security response, enhanced visibility, and threat identification by security engineers. A proactive approach complements the reactive approach by actively hunting for threats the organisation may face, including ongoing reconnaissance and failed cyber security attacks.
  • Minimise the impact of cyber security incidents: Using the “assumed breach” mindset, organisations should assume that a compromise or breach of their systems and data is likely or has already occurred. Instead of relying solely on preventive and detective measures, the organisation should strengthen its security incident response capability. This enables it to contain cyber security attacks as fast as possible using a robust security incident management process and lessons-learned feedback loops.

Challenges to achieving cyber security resilience

The journey to achieving cyber security resilience will always be unique to each organisation because of its particular threat actors, bespoke security capabilities and distinct risk appetite. Some of the challenges to be aware of before and during the journey include:

  • Cybersecurity resilience is often a moving target due to the rapidly evolving threat landscape, which means companies must continually evolve their security capabilities to achieve it. Hence, cybersecurity resilience is not a destination but a continuous state, and the litmus test is what happens before, during and after a cybersecurity attack.
  • The technology landscape of most organisations is complex, with many components that must work together seamlessly. Maintaining an understanding of the whole technology estate (i.e. both new and obsolete components) is an immense challenge, and without it organisations struggle to understand the vulnerabilities and weaknesses they must address to secure their technologies and digital services.
  • Cybersecurity resilience requires significant resources, both financial and human. Many companies, particularly small and medium-sized organisations, may lack the resources to invest in appropriate and robust cybersecurity.

[1] Official Statistics: Cyber Security Breaches Survey 2022, Key Findings, Cyber Attacks.
[2] 10 Most Common Types of Cyber Attacks Today, CrowdStrike. https://www.crowdstrike.com/cybersecurity-101/cyberattacks/most-common-types-of-cyberattacks/
[3] Government Cyber Security Strategy 2022 – 2030, FOCUS ON: Cyber Resilience, p.19.
[4] Government Cyber Security Strategy 2022 – 2030, Objectives, p.10.
[5] NCSC CAF guidance. https://www.ncsc.gov.uk/collection/caf
[6] National Institute of Standards and Technology (n.d.), The Five Functions. https://www.nist.gov/cyberframework/online-learning/five-functions
[7] What is an ISMS? 9 reasons why you should implement one.
