Is your organisation still focused on cybersecurity? That’s not a bad thing. Cyberattacks are on the increase, and vigilance is critical. But if your cyber strategy only extends as far as cybersecurity, it’s incomplete. 2022 and beyond is all about cyber resilience. What’s the difference?
Cybersecurity and cyber resilience are not different names for the same thing. Instead, think of cybersecurity as one component of cyber resilience. Where once organisations might have hoped that a robust cybersecurity programme would protect them from threats, it is now recognised that cyberattacks will happen, however well prepared and attentive to the lines of defence an organisation is. What is more important is the ability to respond to cyber threats, recover from cyber incidents, and keep the business functioning. This is cyber resilience, deeply entwined with business resilience.
“Cyber resilience refers to the ability of an organisation to continue to deliver its products and services, with minimal or ideally no interruption, in the event of an adverse cyber incident. It involves much more than just threat detection, end-point protection and general cyber defence, though they are all part of cyber resilience.”
Cybersecurity includes the technologies and measures that protect systems, networks and data from malicious cyber attacks. According to the UK’s National Cyber Security Centre, resilience is a measure of how readily a system can carry on in a changing environment.
A strategic approach
A robust cyber resilience strategy will protect an organisation against cyber risks, reduce the impact and reach (depth and breadth) of cyberattacks when they happen, and ensure business continuity in the course of a cyberattack. It involves risk management and mitigation and the embedding of security awareness into day-to-day operations. “Effective IT governance,” says Engelbrecht, “covers the whole enterprise and includes all the possible combinations of physical and cyber assets and the extended network of business partners, vendors, customers and others. Information technology has become a strategic enabler of organisational activity, so the effective management of both IT and information assets is now a critical strategic concern for boards of directors.”
How cyber resilience benefits your organisation
We work in an increasingly sophisticated technological environment. Over the past year in particular, as the world adjusted to life in a pandemic, many businesses have come to rely heavily on ICT-based tools to enable employees to carry on with their jobs in the face of lockdowns and travel restrictions. Organisations that lack cyber resilience have proven to be exceptionally vulnerable to a range of unfavourable consequences. By contrast, robust cyber resilience helps an organisation to:
- Protect against catastrophic financial loss that can result from a cyberattack
- Meet relevant legal and regulatory requirements: businesses that trade internationally have to comply with regulations in other jurisdictions, not only in South Africa; and some, such as the European GDPR (General Data Protection Regulation), stipulate improved incident response management
- Improve internal processes and procedures
- Protect a company’s brand and reputation, by safeguarding customer trust
A cyber resilience framework
There are several frameworks in circulation that help organisations create a cyber “ecology” that will be resilient. The best known have been produced by the US’s National Institute of Standards and Technology (NIST) and the UK’s National Cyber Security Centre (NCSC). Although one framework has four components and the other five, and the terminology varies, the implications for an organisation are the same. For simplicity, the resilient system can be broken down into four phases:
- Prepare/prevent. Perimeter defence technologies, end-point protection technologies, business application security technologies, security event monitoring, policies, procedures, and staff training come into this phase. NEWORDER’s Corporate Threat Assessment professional service provides actionable intelligence into an organisation’s entire IT ecosystem to ensure that malicious actors will not be able to compromise critical business systems. Vulnerability scanning and skilled pen-testing will identify vulnerabilities and potential exposures against essential systems of business. Engelbrecht says, “Following our Corporate Threat Assessment, a detailed, actionable incident response plan must be developed to protect all critical aspects for a business to function in the event of a cyber incident.”
- Detect. The earlier an incident is detected, the less damage it can do. The tools used in this phase are not only high-tech; people have a big part to play. Social engineering relies on the unwitting cooperation of targeted individuals. If all employees are vigilant, and inspired by a positive cybersecurity culture, suspicious activity can be reported promptly. Early detection of an incident will allow a business system to be segregated so that certain features can be reduced while critical functions are retained.
- Regular skilled penetration testing (“pen-testing”) will identify the insecurities and weaknesses in business systems and applications before an attacker can. NEWORDER’s Pen-Test 2.0 methodology is unique, developed in-house through decades of research and hands-on expertise. Engelbrecht says, “Traditional vulnerability scans and low-key penetration testing might help for the apparent attack vectors, but these types of tests only prevent mass attackers from using automated tools. Our testers – real human beings – apply creativity (out of the box thinking), look at the big picture and consider past experiences and findings that may lead to the detection of issues an automated scan or inexperienced pen-tester won’t find.”
- Respond/recover. This puts into place the plan that was developed in Phase 1 – the incident response plan. Damaged services must be restored. Communication with all stakeholders is vital in this stage. In some instances, it might be required to involve digital forensic investigators and law enforcement. This is where the difference between cybersecurity and cyber resilience really comes into its own. The measures an organisation has taken to ensure business continuity if hit by a cyberattack will enable it to resume business-as-usual quickly, possibly without any serious interruption. It’s also essential in this stage, while the incident is still fresh, to analyse its impact and how effectively the organisation was able to take action.
- Adapt/govern. From that analysis and from an examination of the cybersecurity event in its entirety, lessons can be learned about how to respond to future events. Improvements to the security strategy should be planned. Changes may need to be made to detection procedures. Governance processes should be reviewed and adapted as required.
The right resource is essential
Many organisations lack the resources to develop and implement this framework. In addition, there is a shortage of individuals with the requisite cyber and information security skills to function at a leadership level. NEWORDER offers the unique “Chief Information Security Officer-as-a-Service” (CISOaaS). We can provide information security leadership from an appropriate pool of expertise and technical resources. CISOaaS provides security guidance to senior management and can drive an organisation’s cyber and information security programme.
To find out more
“Cyber resilience won’t guarantee you never fall victim to a cyberattack. But it will ensure you recover quickly and minimise the disruption caused by the incident. So it should be part of any organisation’s business strategy.”
NEWORDER can be contacted for a no-obligation discussion regarding your organisation’s cyber resilience readiness.