CYBER RESILIENCE: COMBATING CYBER THREATS WITH CYBER RESILIENCE
Combating Cyber Threats with Cyber Resilience
What is Cyber Resilience?
Cyber resilience is an organization's
ability to prevent, withstand and recover from cybersecurity incidents.
Cyber resilience is a concept that brings business continuity, information systems security and organizational resilience together. The concept describes the ability to continue delivering intended outcomes despite experiencing challenging cyber events, such as cyberattacks, natural disasters or economic slumps. A measured level of information security proficiency and resilience affects how well an organization can continue business operations with little to no downtime.
Why Cyber Resilience is important?
A cyber resilience strategy is vital for business continuity. It can provide benefits beyond increasing an enterprise's security posture and reducing the risk of exposure to its critical infrastructure. Cyber resilience also helps reduce financial loss and reputational damage. Moreover, if an organization receives cyber resilience certification, it can instill trust in its clients and customers. Furthermore, a cyber-resilient company can optimize the value that it creates for its customers, increasing its competitive advantage through effective and efficient operations.
Mitigating financial loss
Financial loss could lead to a loss of confidence from company stakeholders, such as shareholders, investors, employees and customers. According to the 2020 Cyber Resilient Organization Report by IBM Security®, more than 50% of organizations experienced a cybersecurity incident that disrupted information technology (IT) and business processes. Moreover, the average cost of a data breach is USD 4.24 million according to Ponemon's 2021 Cost of a Breach Study.
Gaining customer trust and business
To attract customers and gain their business, some organizations comply with international management standards, such as ISO/IEC 27001 provided by the International Organization for Standardization. ISO/IEC 27001 provides conditions for an information security management system (ISMS) to manage assets security such as employee details, financial information, intellectual property or third-party entrusted information. In the US, companies might seek certification with the Payment Card Industry Data Security Standard (PCI-DSS), a prerequisite for processing payments such as with credit cards.
Increasing competitive advantage
Cyber resilience provides organizations a competitive advantage over companies without it. Enterprises that develop management systems based on best practices, such as Information Technology Infrastructure Library (ITIL), create an effective operation. Similarly, organizations enhance their operational effectiveness by developing management systems for cyber resilience. Consequently, these systems contribute significant value to their customers.
What is effective Cyber Resilience?
Effective cyber resilience must be an enterprise-wide risk-based strategy, a collaborative approach driven from executives to everyone in the organization, partners, supply chain participants and customers. It must proactively manage risks, threats, vulnerabilities and the effects on critical information and supporting assets.
Effective cyber resilience also involves governance, risk management, an understanding of data ownership and incident management. Assessing these characteristics also demands experience and judgment.
Furthermore, an organization must also balance cyber risks against attainable opportunities and competitive advantages. It must consider whether cost-effective prevention is viable and whether it can achieve rapid detection and correction with a good short-term effect on cyber resilience. To do this, an enterprise must find the right balance between three types of controls: preventative, detective and corrective. These controls prevent, detect and correct incidents that threaten an organization's cyber resilience.
How does Cyber Resilience work?
Cyber resilience can be understood through a lifecycle based on the stages of the Information Technology Infrastructure Library (ITIL) service lifecycle: strategy, design, transition, operation and improvement.
Cyber Resilience Strategy
Based on the organization's objectives, strategy work identifies critical assets, such as information, systems and services that matter most to it and its stakeholders. This work also includes identifying vulnerabilities and the risks that they face.
Cyber Resilience Design
Design work selects the management system's appropriate and proportionate controls, procedures and training to prevent harm to critical assets, where practical to do so. The work also identifies who has what authority to decide and act.
Cyber Resilience Transition
Transition work from design to operational use tests controls and refines incident detection to identify when critical assets are under stress from internal, external, intentional or accidental action.
Cyber Resilience Operation
Operational work controls, detects and manages cyber events and incidents, including continual control testing to ensure effectiveness, efficiency and consistency.
Cyber Resilience Evolution
Evolution work continually protects an ever-changing environment. As organizations recover from incidents, they must learn from the experiences, modifying their procedures, training, design and even strategy.
What is a cyberattack?
A cyberattack is any intentional effort to steal, expose, alter, disable, or destroy data, applications, or other assets through unauthorized access to a network, computer system or digital device.
Threat actors start cyberattacks for all sorts of reasons, from petty theft to acts of war. They use various tactics, like malware attacks, social engineering scams, and password theft, to gain unauthorized access to their target systems.
Cyberattacks can disrupt, damage and even destroy businesses. The average cost of a data breach is USD 4.35 million. This price tag includes the costs of discovering and responding to the violation, downtime and lost revenue, and the long-term reputational damage to a business and its brand.
But some cyberattacks can be considerably more costly than others. Ransomware attacks have commanded ransom payments as high as USD 40 million (link resides outside ibm.com). Business email compromise (BEC) scams have commanded ransom payments as high as USD 40 million (link resides outside ibm.com). Business email compromise (BEC) scams have stolen as much as USD 47 million from victims in a single attack (link resides outside ibm.com). Cyberattacks that compromise customers' personally identifiable information (PII) can lead to a loss of customer trust, regulatory fines, and even legal action. By one estimate, cybercrime will cost the world economy USD 10.5 trillion per year by 2025.
Using Cyber Resilience to Combat Cyber attacks
The threat landscape is vast and constantly evolving, and for most security teams, overcoming the difficulties is an uphill battle. As teams' responses evolve, so do the tactics used by cybercriminals—and subsequently, security teams—to mitigate breaches and vulnerabilities. Since blue-team playbooks are only effective for the time in which they are written, teams must remain nimble and constantly shift their approaches. What they knew yesterday may not be good enough for tomorrow.
To stay on top of ever-changing risks, organizations will have to build cyber resilience—especially as the high demand for cybersecurity talent persists and organizations continue to battle alert fatigue. This means that organizations should form strong, forward-looking cyber-resilience strategies to address future risks and stay one step ahead of cybercriminals.
As we kick off a new year, cyber resilience is about to become more important than ever before. Here's why.
Ransomware and Vulnerability-Exploit Risks Will Worsen
Ransomware is one of the most common types of cyberattack—and we can expect to see severe ransomware risks get worse this year. It is expected that total global ransomware damages will exceed $30 billion by 2023, exacerbated by hybrid and remote work, as a wide-scale transition to the cloud for streamlined data sharing and storage will uncover a host of emerging digital threats. Ransomware attacks will also continue to use double extortion—fueled by an organization's willingness to pay what it takes to ensure that essential business functions are restored.
Software supply-chain attacks and other software-vulnerability exploits are also likely to increase in both frequency and severity. In particular, the 2020 SolarWinds attack piqued the interest of cybercriminals intent on replicating the approach in the hopes of vacuuming up sensitive information—including source code and access tokens.
Many more identified Common Vulnerabilities and Exposures (CVEs) had a substantial impact on organizations throughout the past year. Notably, the Spring4Shell vulnerability, which was widely abused by attackers to spread Mirai malware, affected 16% of organizations in the first four days since the vulnerability's discovery. This was especially critical since the exploit was leaked before Spring Framework developers could release patches.
Indeed, cybercriminals are getting quicker, and so are their tactics; once exploit code for a given vulnerability is made public, we often see it used against vulnerable organizations within hours, not days or weeks. Hackers have a tight network; as digital connectivity continues to expand, so will hackers' access to vulnerability insight all over the world. Accordingly, development teams need to shift left and better prioritize security at the very start when they are writing code.
At the same time, cyberattackers' tactics, techniques, and procedures (TTPs) are evolving at such a fast pace that, without regular crisis and skills exercising to complement security teams' traditional by-the-book training methods and certifications, security teams cannot build the cognitive agility and brain-muscle memory needed to react quickly when a cyberthreat occurs. The pace at which new threats emerge will quicken—and defenders will find themselves one step behind.
Get Ready, Get Resilient
As cyber risks evolve at an exponential rate, security leaders must reshape how they think about cybersecurity readiness. Traditional training methods will never stack up to combat today's cybercriminal activity, so organizations must train employees to have the skills and cognitive agility to deal with evolving cyberthreats—even if it's something they haven't faced before in reality. Continuous upskilling through real-life cyber-crisis simulations will help security teams and workforces keep pace with cybercriminals and prepare for future attacks—introducing new, complex, unfamiliar crisis scenarios that mirror the intricacies of real-world attacks.
While it's been traditionally difficult to measure cyber resilience, security teams should ensure that they aren't just checking a box as a means to prove that they're "ready." Instead, they should prove their cyber readiness with concrete data, as they compare their cyber-defense and crisis-management capabilities to industry benchmarks. Gathering and analyzing data on areas in which security teams excel and where gaps lie allows security leaders to make smarter, better, informed, and cost-effective decisions. Demonstrating proven cyber resilience will be essential for security teams to weave into their overall cybersecurity preparation strategies as we enter this new year and face the impending threat landscape.
References:
- "Cyber Resilience: The New Frontier" by MacDonnell Ulsch and Ted G. Lewis.
- "Cyber Resilience: A Review of Critical Concepts" by Tyler Moore and Benjamin Edwards, published in 2017 in the journal "IEEE Access."
- "Building Cyber Resilience: Protecting Critical Services" by the National Cyber Security Centre (NCSC)
- "Cyber Resilience Best Practices" by the Center for Internet Security (CIS)
- "Enhancing Cyber Resilience: A Holistic Approach" by John W. Ratcliff and Michael A. Cusumano, presented at the International Conference on Cyber Resilience in 2020
- "Cyber Resilience: How to Protect Your Business from Cyber Threats" by the Cybersecurity and Infrastructure Security Agency (CISA)
- "Cyber Resilience: A Literature Review" by Stefan Wiener and Stefan Fenz, published in the journal "Computers & Security" in 2019.