Adapting to the Future: From Cyber Security to Cyber Resilience

By: Dr. Fene Osakwe

Cyber Security Awards – Cyber Educator of the Year 2023

Over the last year, we have seen the number of cyber-attacks and data breaches continue to increase. The Harvard Business Review article “Why Data Breaches Spiked in 2023” by Stuart Madnick reports that cyber-attacks resulting in data breaches increased by 20% between 2022 and 2023. For some of the successful targets we read about in the news, you would assume that such organisations have extra-fortified security and have adopted best security practices. From government agencies to multi-million dollar private businesses, several organizations that have invested millions in preventing cyber attacks have still fallen victim. I recall, as a former CISO, my CEO asking me what hope we had of not being attacked when some of the tech giants suffered breaches in 2017. Robert S. Mueller, III, former Director of the FBI and now Special Counsel into the Russian interference in the USA election, famously said: “There are only two types of companies: Those that have been hacked and those that will be hacked.”

What this shows in hindsight is that a person, business or organisation cannot completely prevent a cyber attack, and in the future, if an individual, business or organization is targeted, there is a likelihood of a successful attack. Consequently, the objective of cyber teams, Chief Information Security Officers and business leaders as we move forward should be to ensure that, regardless of a successful cyber breach, business operations do not grind to a complete halt, or that business operations can be restored within a tolerable time. This is where the shift to cyber resilience comes in. Whilst cyber security is more focused on how we can prevent a cyber attack and ensure that the attack doesn’t happen, resilience is more concerned with planning proactively for business operations continuity and impact minimization following a successful attack.

The question is therefore: how do I improve my organisation’s cyber resilience and plan for future cyber attacks while ensuring minimal impact on core business operations? There are several controls, processes and practices to implement. This article will focus on just three which I think are extremely important.

Security detection capabilities – One of the worst places to find yourself as a business is to suffer a breach, with data possibly exfiltrated, and not know it. For some of the data breaches we read about today, you will observe that the hackers had been in some of the systems for months and weeks before the organization picked it up. So, some questions for business leaders to ask are: In the event of a cybersecurity incident, will we know? Do we have full asset and network visibility? Can we stop the spread of the attack without affecting critical business operations?

Can you identify the infected data sources (devices and servers) and quarantine or isolate them so that the infection does not go beyond the already affected hardware? Implementing systems and processes to answer such questions will improve an organization’s resilience.

Security response – I always describe cyber security as a chain. But like any chain, it is only as strong as its weakest link. One of the mistakes some organizations make is believing that cyber security is the responsibility of just the security team. This cyber security chain has several actors, and in order to adequately respond to a cyber security attack, all actors (Board, management, staff and cyber team) must play their role. Improving resilience implies that the organization has deployed processes and technology to ensure it has an incident response plan that is tested frequently and details the responsibilities of different teams when there is an attack. It also means ensuring that the organization has the ability to respond to an attack automatically using automated incident playbooks.

Security recovery – This is where the rubber hits the road for resilience. The organization should have previously identified everything (data, people and systems) that is needed to continue its operations, and ensured that such data and systems are backed up and tested periodically, in line with the restore time and point objectives approved by the business, so that they can be relied on after a major incident. These include the disaster recovery plan and business continuity plan. Such plans should be periodically tested with appropriate scenarios, and restored data should be signed off by the business users after each exercise to validate that the data meets business needs in terms of integrity and validity. IT teams should also ensure that high availability has been built into the enterprise network architecture.

Finally, as institutions and regulators with oversight (as we have seen with the SEC in America) begin to demand more from the Board with regard to cyber, it is important that we position our organizations for the future. This implies not only ensuring that your organization can detect, respond and recover, but also that the Board is aware of its responsibilities and takes accountability for cyber risk as a business risk and not a technology problem.