The pandemic has paved the way for fresh opportunities in cybercrime, and a surge in ransomware and mobile attacks in 2022 is expected. In 2021, cybercriminals focused on abusing the colossal shift to hybrid work and targeting organizations’ supply chains and networks to cause maximum disruption. While these criminals continue to use the pandemic as a bargaining chip to exploit organizations further, they will also find new opportunities to attack via deep fakes, cryptocurrency, and mobile wallets.
By now, most businesses recognize that they have to invest significant amounts of resources in cybersecurity. Cybersecurity Ventures expects the need for protection against cybercrime will propel global spending on cybersecurity services and products to nearly $1.75 trillion between 2021 and 2025. However, no company has the resources to fix all cyber issues, and not all issues are equally important.
This raises a question of not only whether investing in cybersecurity is enough to keep these criminals at bay, but also about the road to returning to business as usual. Below, we’ll talk about how building cyberresilience, an important aspect of cybersecurity, sets out to answer these questions.
Cybersecurity is not a strategy, but a culture
While there are many frameworks and best practice guides to equip cybersecurity leaders with the tools and knowledge needed to manage cyberrisk, business leaders, especially in small and medium-sized enterprises (SMEs) and developing industries, often struggle to understand the cybersecurity narrative and their responsibilities. On top of this, even after implementing all the correct security measures, some organizations still fall prey to cyberattacks. Organizations have to accept that there is always a risk that their network defenses can be breached.
Inadequate cybersecurity is not always due to lack of awareness; it is also due to lack of understanding. By identifying activities that are important to a business and understanding how attacks could disrupt them, organizations can start the process of risk mitigation.
With the hybrid work culture here to stay, it’s important to ensure employees are cyberconscious even when their devices aren’t being monitored. Organizations need to develop cyberconscious workplaces where every employee is aware of cyberrisks and their role in protecting the business. Such a culture will strengthen existing security measures, cultivate stronger team collaboration, and save money and resources spent on recovering from an attack.
Key factors to build cyberresilience within the organization
As professor David Denyer says, “organizational resilience is the ability of an organization to anticipate, prepare for, respond and adapt to incremental change and sudden disruptions in order to survive and prosper.” The organizations that show resilience and do well during a crisis take precautionary measures so that they are not overwhelmed and will maintain high performance even when a crisis occurs.
In 2019, British Airways was fined nearly $26 million by the Information Commissioner’s Office for violating the GDPR by failing to take the required measures to protect itself from a cyberattack, which resulted in a data breach affecting 400,000 customers.
For SMEs struggling to protect themselves with limited cybersecurity resources, a cyberattack could leave permanent damage with devastating consequences. The example of what happened to British Airways is not just to highlight the serious disruption, reputational damage, and huge fines imposed on enterprises, but also to show why organizations need to include cyberresilience as a part of their cybersecurity culture.
Cyberresilience may sound ambiguous, but it is less about technological developments and more about how people react in the aftermath of an attack. While a cybersecurity strategy attempts to prevent attacks, a cyberresilient strategy aims to soften the impact of an attack by focusing on the key elements mentioned below.
-
Evaluate employees’ cybersecurity awareness.
Make cybersecurity easily understandable to employees and educate them on how a few behavior changes can protect the entire team.
-
Set clear, simple goals.
An organization’s strategy should state “what cybersecurity stands for,” “why it’s essential for employees to be a part of it,” and “how their behavioral changes can affect the organization’s security.”
-
A top-down approach is the first step.
Adapting to this strategy is more of a mindset change than a plan to be executed on a whim, starting with C-suite leaders. Leaders should demonstrate strong cybersecurity etiquette and foster an environment where employees feel it is everyone’s responsibility. Leaders should understand risks specific to their organization and industry to create apt policies for employees.
-
Identify, protect, detect, respond, and recover.
Strategizing cyberresilience requires keeping critical resources in mind, deciding the first response in the event of an attack, keeping a constant eye out for suspicious activities, and ensuring a detailed incident response plan. A major aspect is ensuring business functions and affected resources are restored as quickly as possible and business returns to normal.
-
Nurture your relationships.
Create partnerships with peers, competitors, and public entities; observe how your team hires and educates them.
Forging a safety net for the expected impact cannot be defined in a checklist. Instead, keeping these primary principles in mind can help you build a cyberresilient strategy.
Cybersecurity is more effective when the organization is cyberresilient
Employees are not only the weakest links in the cybersecurity chain but also the major catalyst when adopting a security-first mindset. The aim of cyberresilience is clear: to ensure operational and business continuity with minimal impact. But the reality can be harder to pin down because there is currently no good way to measure cyberresilience.
Leaders need to have a certain level of confidence in the organization’s ability to respond to an attack; maintain customers’ trust; absorb the financial, legal, and brand impact; and get back to business. Cyberresilience is not about comparing with other organizations’ strategies and isn’t a set-it-and-forget-it approach. This framework should scale for the industry by focusing on the people, processes, and technology required to ensure entire value chains are resilient.
The NIST Cybersecurity Framework for improving critical infrastructure was launched in 2014 after the president issued an executive order to address rising cyberrisks. It called for a public-private partnership to create bold changes necessary to protect hybrid cloud infrastructures. This framework also aims to help organizations develop new, scalable cybersecurity strategies including cyberresilience, in which everyone shares the responsibility of keeping business and customer information secure.
Do you think cyberresilience will become a part of your business model?