Risk Management in the Digital Era: A Blueprint for Cyber Resilience

Cybercrime continues to make headlines around the world, with the velocity and sophistication of attacks climbing to ever higher levels. It’s happening in every industry, including the financial marketplace, healthcare entities, and other critical infrastructure sectors.

Ten years ago, an organization could temporarily go back to pen, paper, and manual processes to get by. Today, that’s no longer realistic. In the last 10 years, and especially since the pandemic, business processes have become reliant on computer systems.

For example, in the event of a cyber attack on a hospital, nurses and physicians are still at work, but the pharmacy can’t dispense medications without a computer and a barcode scanner, rendering patient treatment difficult at best. In the warehouse, the forklift still runs, but the location of items to pick is stored in a computer system.

Comprehensive Prevention to Ensure Business Continuity

Security tools are important but they don’t guarantee freedom from successful attacks. In today’s environment, an adverse condition is nearly inevitable. You can’t count on cybersecurity tools alone to protect the business.

Cyber resilience is a strategy that focuses on keeping the organization functioning as well as possible during adverse conditions. Cyber resilience goes beyond technology tools to include an analysis to prioritize risks and the development of response plans that mitigate damage from successful attacks.

Cyber resilience extends beyond traditional hacking, encompassing threats like disasters and social unrest. If a riot breaks out near your downtown data center, your cybersecurity tools won’t be of much help.

Cyber resilience takes these realities into account. For example, by isolating critical systems such as the hospital pharmacy or warehouse inventory from business systems, the organization can continue to operate if adverse conditions manifest.

Applying Frameworks to Minimize Risk

To stay abreast of best practices for cybersecurity, most organizations use popular security frameworks such as the NIST Cybersecurity Framework and CIS Critical Security Controls. But the frameworks were developed more to guide tactics than to create a cyber resilience strategy. The frameworks are generalized remedies that don’t take your organization’s and your industry’s unique risks and vulnerabilities into account. And frameworks don’t help you prioritize risks so that you can focus time and attention on the real threats to business continuity.

Many organizations end up using frameworks as checklists for implementing cybersecurity tools, checking the boxes as capabilities are deployed. Endpoint security? Check! Multifactor authentication? Check! Unfortunately, organizations that take the checklist approach are still dealing with catastrophic attacks.

Cyber resilience takes a different approach. It’s about risk management.

A Risk Management Approach to Minimize Impact and Recover Quickly

A risk management approach to cyber resilience requires CISOs and other IT leaders to understand how the organization makes money and how risks support that because those are the risks that need to be protected.

Instead of focusing on the latest technology tools to secure the business, IT leaders need to focus on how technology risks impact the business. For example, a software company’s risks are quite different from those of a manufacturer or healthcare provider. For a manufacturer, the risk of idle robots due to a cyber attack is big. No robots, no income. In the hospital, a computer failure can be a life-or-death matter. Software companies generally focus on protecting intellectual property. Strategies and tactics need to be specific to the threat landscape in your industry and your business.

Cybersecurity frameworks, and therefore checklists, don’t take these realities into account.

Identify Critical Risks

A cyber resilience strategy starts with a risk assessment that identifies the most critical areas of the business and how the technology architecture supports them. Start by identifying the valuable data and other important assets on the network — assets that are critical to your most important processes — because in the event of an adverse condition, IT leaders need to know which processes are critical and must be brought back to life first.

Then, you need a strategy to deal with the identified risks, which can be transferred, mitigated, or accepted.

Transferring risk generally happens by outsourcing cybersecurity to a managed security service provider or third-party security operations center. To mitigate risk, organizations can use the NIST or CIS frameworks for guidance, which is what they were designed for. In some cases, you can accept the risk because not every risk is critical. Organizations can choose to absorb the consequences if something goes wrong.

To evaluate a risk, do a business impact analysis of what would happen if a key capability suddenly becomes unavailable. You can even take an industry-specific approach to evaluating threats. For example, if there are threat actors targeting your industry with known tactics, you can implement protections to detect those tactics, and ultimately, develop processes to respond and recover.

Quantify Risk

In the event of a successful attack, organizations need to know which systems are likely to be impacted, their order of operation, the business function that’s ultimately impacted, and at what level. The idea is to quantify the impact. Rather than merely describing the impact as “catastrophic,” you should quantify the resources needed to recover.

By quantifying consequences, organizations can focus their cybersecurity efforts on leveling up maturity in areas that matter the most. While basic controls may work fine for some systems, it’s likely that you’ll need to go deeper in higher risk areas. The cybersecurity frameworks provide excellent guidance for this.

Being proactive about quantifying risk will also help tremendously when it comes time to recover. The faster you can identify and contain an attack, the faster you can respond to minimize impact.

Test Your Plan with Tabletop Exercises

An untested response plan isn’t much of a plan. To minimize the impact of a cyber event on operations, it’s crucial to test the plan using tabletop exercises. Everyone who’s involved should gather together to step through their role in responding to an incident, including technical and non-technical employees.

Many organizations like to test for ransomware, but in most situations, it’s not the best place to start. While nearly every organization faces a risk from ransomware, the reality is that other threats are actually more common even though they don’t make headlines.

Start by focusing on top threats in your industry, such as business email compromise or account takeover. Then evaluate these threats against your risk level and test there. For example, a common zero-day vulnerability may lead to ransomware, but it could also lead to other issues such as data exfiltration.

Another reason to test other scenarios is that the behavior of one scenario is often similar to another. For instance, the tools commonly used to detect an insider threat are often the same tools used to detect the lateral movement and data exfiltration commonly seen in ransomware attacks. Testing multiple scenarios allows you to holistically test your tools and processes.

For inspiration on what to test for, read the news. Anytime a major newsworthy cyber event is reported in the media, run a mini-tabletop. Pull the response team together and have a quick conversation. Talk about what happened and how a similar event might impact your organization.

For example, the MOVEit file transfer vulnerability made big news because so many financial and government institutions were using it to transfer highly sensitive information. Even if you don’t use MOVEit, you should still have a conversation about the impact of a file transfer breach in your organization.

Develop a Culture of Resilience

Cyber resilience goes beyond the purview of the CISO, IT department, and legal and compliance departments. Every employee needs to know their responsibilities in ensuring organizational resilience. By bringing the organization together through tabletop exercises, you can begin to build a culture of resilience where everyone in the company knows their role in keeping the organization running at top speed.

Michael Downs

Chief Technology Officer

Michael is the Chief Technology Officer at Evolving Solutions and joined the company in 2014.