Are you equipped to be cyber resilient?

The key to winning any battle is “know thy enemy,” and a cyber threat is no different. Cybercriminals use the infrastructures of their intended target to leverage their vulnerabilities against them. They look at a system, work out the flaws, and try to infiltrate the cracks in the wall before someone else spots the weakness.

That’s why cybersecurity experts need to adopt an approach of resilience over recovery. A cyber resilient organization is one that has prepared for possible threats and vulnerabilities, developed defences against them, and allocated resources to help recover from a security breach after the threat is over.

Cyber resilience requires a certain degree of risk assessment and strategic planning. It’s dynamic, changing as new technologies enter the market – and it’s not something that can be implemented overnight, but should form part of a long-term business strategy.

In 2014, The Center for Strategic and International Studies (CSIS) released a report on the Global Cost of Cybercrime¹, in which they estimate the global losses related to insufficient cybersecurity strategies:

Cybercrime is a growth industry. The returns are great, and the risks are low. We estimate that the likely annual cost to the global economy from cybercrime is more than $400 billion. A conservative estimate would be $375 billion in losses, while the maximum could be as much as $575 billion. Even the smallest of these figures is more than the national income of most countries and governments and companies underestimate how much risk they face from cybercrime and how quickly this risk can grow.

As technology continues to spread deeper into our lives, bringing an array of solutions to our socio-economic challenges, it demands a dynamic perspective of cyber security.

Each new system or gadget brings with it a new layer of cybersecurity to be considered.

The Internet of Things

The Internet of Things (IoT) took the internet out of the realm of computers and brought it into our everyday household items:

• Refrigerators can automatically sense when you’re running low on milk, and remind you to buy more
• Some fridges can place grocery orders on your behalf, so you might find that new bottle of milk on your doorstep before you’re aware your morning cup of coffee is in peril of being dairy-free
• Your running shoes can connect to the internet and send metrics to your phone, counting your steps and providing you with personalized health advice
• You can install smart locks on your front door, which open automatically when your device comes within a certain distance of the door

The IoT opened up new avenues for consumers to make their lives easier and for businesses to create value in an emerging market. However, it brought with it a host of new opportunities for cybersecurity to be compromised.

Those sensors in your running shoes can also be used to track your movements, habits, and exact location. Your smart front door can be unlocked remotely by a hacker.

As consumers integrate more of the IoT into their daily lives, more sensitive information is being shared, making the IoT an attractive target for would-be cybercriminals. Furthermore, the IoT is always online – making it available remotely 24/7 to any cyber criminal with the right skills and software. The architects of IoT solutions have the difficult task of predicting the future: they need to spot the vulnerabilities in the system before a cybercriminal does, for the safety of consumers and the sustainability of the business.

AI

From speech recognition to autonomous vehicles, applications of Artificial Intelligence (AI) are expanding rapidly.

Machine learning allows computers to learn and adapt through exposure to experiences. This branch of AI enables the technology to emulate human behaviour and predict patterns, independent of human interaction.

This has important implications for enterprises:

• Financial entities can make faster, more accurate investment predictions
• Large-scale data frameworks can be analysed quickly and at scale
• Security systems can operate without human intervention, detecting cyber threats in the earliest stages

Every action, however, has an equal and opposite reaction, and every advance in AI technology brings with it new possibilities for cyber risk. While cybersecurity experts develop machine-learning models to anticipate cyber attacks, hackers leverage the same technology to evade the very measures that exist to protect against them.

Imagine the phishing capabilities of machine-learning technology that analyses the most effective messaging to trick users into sharing sensitive data, or AI-powered intelligent malware that can fool the watchdog security programs that prevent malicious code from spreading through an organization’s systems. The use of AI allows hackers to develop more targeted attacks at a high volume, ensuring a greater return on their black hat activities.

Ransomware and the threat to Cloud Computing

Good old-fashioned blackmail has found its digital niche in Ransomware, malicious software that takes over computer systems and uses powerful encryption to deny victims access to their data. Attackers extract their ransom with a promise to restore access – or a threat to publish sensitive data online – often demanding payment in nigh-untraceable cryptocurrencies.

With companies using the cloud to house their big data, cloud computing is an attractive target for ransomware-savvy cybercriminals. From email and personal photos, to your organization’s data analytics and financial information, what would you be willing to pay if a hacker stole your digital key and locked you out of the cloud?

Resilience against Cyber Attacks

Cyber threats move swiftly and simultaneously across a broad host of networks. They succeed not because cybersecurity measures are insufficient, but because cyber criminals find ways to turn these measures upside down and use the technology to bolster their own malicious tactics. A successful hacker is one who is adept at finding the cracks in the system to slip past your cyber security system undetected, despite the tools and processes in place to prevent intrusion.

It’s not enough to install the cybersecurity equivalent of a vault door, brush the dust off your hands and call it secure.

It’s only a matter of time before some clever criminal finds the crack in the system. Organizations need to consider an approach of cyber resilience over cybersecurity.

Cyber resilience, simply explained, is the ongoing evaluation of what happens before, during, and after a network encounters a threat. It is not unique to a specific threat, but an ever-expanding base of knowledge that grows over time, giving cyber security experts a dynamic lens through which to analyse the unpredictable landscape of cyber risk. Key to this is the understanding that cyber risk is an occupational hazard in any organization that uses networked systems of any kind. It’s impossible to avoid, and every business should prioritize an ongoing strategy to mitigate risk.

The idea of cyber security is inherently binary: your data is either secure, or it isn’t. If that were true in practice, installing network security solutions would be sufficient. But with hackers working hard to ferret out the vulnerabilities in such systems, a robust cybersecurity solution requires a more dynamic approach worthy of an equally dynamic opponent.

In a complex network, all it takes is a single unsecured node to bring down the whole system, so good cyber resilience requires partnership across all stakeholders. Strategies are built collaboratively over time, evolving to manage new threats while maintaining the line of defence against traditional ones. Good cyber resilience demands buy-in from the top down: organization leaders are the ones who will be held accountable for the collateral damage of a systems breach, and they must be the ones who set the tone for a broader organizational strategy.

An AIG report on Cyberresilience² outlines a roadmap for companies to become cyber resilient:

While standard hygiene is a start, it simply cannot prevent all attacks. As such, leading firms are moving beyond prevention and focusing on resilience. This can be achieved by developing a “cyber resilience” action plan for responding when an attack occurs. A plan is best developed by a cross-functional working group of senior managers (Sales/Marketing, Operations, IT, Finance, Legal, Risk, HR) that meets regularly to discuss cyber security, monitor evolving internal and external threats and model and analyze hypothetical attacks. A good resilience plan will detail roles and responsibilities, external parties that will assist with remediation, communication and crisis management plans and operating strategies for various types of events. Having an action plan in place prior to an event has been shown to dramatically reduce the cost, time to recovery and reputational damage of a breach.

Richard Horne, Cyber Security Partner from PwC UK, highlights the dire need for a more pragmatic approach to cyber security governance:

“All organisations are different and each board needs to set its own direction and tone for cyber security. Given the nature of cyber security, this will impact all aspects of a business including strategy, business development, supply chain, staff and customer experience. In coming years, managing cyber security risk will potentially require radical change to businesses and their operations – to make themselves more securable as well as building security controls.” ³

Because of the inherent differences each system requires, Horne continues, a singular standard for cybersecurity governance is impossible, “but a principles-based approach allows each board to establish and review its own direction within a recognised framework.”

Establishing a good set of cyber hygiene standards unique to your organization is key to maintaining cyber resilience in the volatile cyber risk landscape.

Written for the Harvard portfolio site