Denial of Service due to a successful cyber-attack has major implications to any business. In addition to the costs associated with the actual disruption to service, lack of confidence in a company’s security can damage a company brand, discourage future investment and have a long-lasting effect on the bottom line.
Organisations today therefore must make the assumption that a cyber incident will happen – it is a case of "when, rather than if". Crucial to this is the ability to continue operating critical services in a secure manner during a cyber incident.
Cyber Resilience is not a new concept; however, as yet, there is not a single recognised definition. Leonardo considers Cyber Resilience to be:
"The capability for organisations to continue to deliver services or capabilities during and after a cyber incident, in a manner which is within the organisation’s risk appetite and in which critical information is protected."
Benefits
Adopting a methodology for Cyber Resilience helps to construct a framework of controls, processes and procedures, based on the assumption that a cyber incident will happen. This allows a more resilient organisation with the ability to:
- Detect cyber-attacks in their early stages
- Contain the adversary – restrict their movement within the estate, thereby reducing the ability to deliver the objectives
- Capture actionable intelligence of adversarial actions
- Allow services to continue to operate in a secure manner, even in a cyber-affected state
- Safeguard assets – prevent the compromise of critical information assets
An Approach to Developing Cyber Resilience
Leonardo has set out six principles which guide organisations in implementing Cyber Resilience. These principles should be a core part of an organisational Cyber Resilience strategy, which should define what they mean in the context of your organisation, and how they should be applied.
Principle 1: To understand your resilience capability, you must understand your threats
This will allow all other controls to be prioritised and targeted at areas of risk.
Principle 2: Strategy and technology should be Resilient by Design
Design systems based on the underlying assumption that they will be compromised. This is a significant shift in culture, but is crucial to ensuring that you can continue to operate in a secure manner.
Principle 3: Understand when you have been breached
Understand what attack scenarios would look like on your estate and monitor for this activity.
Principle 4: Cyber Resilience extends to your Supply Chain
In modern distributed systems, critical information assets and capabilities are often held or delivered by third parties – they therefore need to be included in your Cyber Resilience approach.
Principle 5: You need a response capability that is holistic and comprehensive
The adversary does not care about your internal organisational structure, or who looks after what areas of your estate. Therefore, your response must be holistic and well tested.
Principle 6: Resilience begins with your people
In many cases, humans are the weak link, so any Cyber Resilience efforts must include appropriate mechanisms for driving the required behavioural change within the organisation.
Conclusion
Adopting and introducing Cyber Resilience provides an organisation with a clearly defined strategy and road-map to adopt and achieve a business and risk-driven resilience enterprise.
When introduced at a strategic level, Cyber Resilience can:
- Provide the organisation with the confidence and trust in people, processes and technology to identify, respond to and recover from a cyber event
- Sit alongside and complement a traditional defensive approach to implementing security controls
- Enable organisations to continue to operate and maintain critical services during a cyber-attack, whilst also safeguarding critical assets
- Offer a genuine differentiator to boost competitive advantage as customers are increasingly cyber-aware