Organisations are facing new and unpredictable cyber threats, which can appear overnight and are difficult to prevent. According to PwC’s 11th Annual Global Information Security Survey, the number of security incidents detected climbed by 25% from 2012 to 2013, and the average loss per incident rose by 23% over the same period.
Technical security controls, such as firewalls and intrusion prevention systems, are not agile enough to mitigate the impact of these incidents. So if cyber attacks are becoming increasingly inevitable, how can an organisation build resilience against them?
The Information Security Forum defines cyber resilience as "the organisation’s capability to withstand negative impacts due to unknown, unpredictable, uncertain and unexpected threats from activities in cyberspace".
Cyber resilience must therefore focus on the most important business assets and processes, and ensure the organisation’s defence, response and recovery measures are ready for moments of crisis.
Building resilience includes four major activities:
1. Identify critical assets and outline the cyber resilience plan
The organisation needs to identify, in case of a cyber attack, the consequences it can live with and those that would be terminal. Once identified, it can then define priorities and the desired level of response agility and adaptability in the event an attack is successful.
2. Identify existing capabilities
The organisation should evaluate the existing capabilities in its information security function, its business continuity activities and its partnerships with suppliers. The organisation may already have security policies, detection and protection systems, recovery capabilities and access to threat information that can contribute to building resilience.
3. Define the future needs and deploy new controls
The organisation needs to assemble a vision for resilience that aligns with the business’s technological maturity and online commercial strategy.
4. Adapt and improve the resilience strategy
The threat landscape is constantly evolving and the organisation should adapt its resilience posture according to its experience, lessons learnt from past incidents and threat intelligence.
Finally, robust cyber resilience needs to take place inside a larger cyber security strategy, which includes a governance body, robust situational awareness, and the ability to assess the organisation’s cyber response capabilities and plan.
Mathieu Cousin is a Senior Research Analyst with the Information Security Forum (ISF)
This was first published in July 2014