The faulty CrowdStrike software update that triggered IT outages on a global scale in July was a sobering reminder of the importance of incident response and business continuity plans.

The update caused more than eight million Windows devices to crash and take down with them airline reservation systems, hospital and government services, financial and banking applications and myriad other systems across industry sectors. It called attention, in near unprecedented manner, to the lack of cyber resilience even among some of the largest organizations in the world.

As worried members of the US Congress wrote in a letter to CrowdStrike, the incident served “as a broader warning about the national security risks associated with network dependency.”

The UK financial services regulator, the Financial Conduct Authority (FCA), found that organizations which had invested in operational resilience were less affected than others. “Firms that had mapped their important business services, and the resources necessary to deliver these services, were able to prioritize getting key services back online to reduce the overall impact the incident had on their operations,” the FCA wrote in an October post-mortem of the incident. “Firms benefitted from having tested scenarios that were severe but plausible, including those impacting multiple important business services at the same time.”

Here, according to several security experts, are four measures that will help protect organizations from a disaster similar to the one in July.

Cross-functional collaboration is critical to cyber resilience because it ensures that teams across IT, security, operations, and business units work together to identify, mitigate, and respond to threats effectively. Such collaboration enables incident responders to leverage different expertise and skill sets, improve communication and align strategies.

“Operational resilience is a team sport and cyber resilience is no different,” says Christy Wyatt, CEO of Absolute Security. “Discussing cyber-risk as an organization and fostering partnerships across teams to create a community focused on business continuity and compliance is your first step,” she says.

Organizations should establish a cyber resilience steering committee to provide a foundation for joint efforts, recommends James McQuiggan, security awareness advocate at KnowBe4. Ensure the steering committee includes representatives from all stakeholder groups, including cybersecurity, business continuity, crisis management, and legal teams. “Establishing regular or monthly meetings can bring together the security features of disaster recovery/business continuity, crisis management, leadership, and legal teams to discuss objectives and emerging risks,” McQuiggan says. Using these meetings to share metrics around desired response times, recovery speed, and critical asset protection can further align different teams towards common resilience objectives.
Stakeholder-specific cyber resilience playbooks
Cyber security playbooks offer step-by-step guidance on actions for responding to different cyber incidents such as ransomware attacks, data breaches, insider threats and phishing campaigns. They can help standardize response efforts and minimize confusion and duplicative effort during a crisis.

To bolster resilience, consider developing stakeholder-specific playbooks, Wyatt says. Different teams play different roles in incident response, from detecting risk and deploying key controls to maintaining compliance, recovery and business continuity. Expect that each stakeholder group will have its own requirements and set of KPIs to meet, she says. “For example, the security team may have different concerns than the IT operations team. As a result, organizations should draft cyber resilience playbooks for each set of stakeholders that provide very specific guidance and ROI benefits for each group.”

Stakeholders should practice these playbooks as part of their tabletop exercises, Wyatt advises. Establish clear accountability for every organizational role and make sure everyone is clear about their role in maintaining resilience.
Focus on what happens after risk mitigation
Cyber resilience is as much about the ability to recover from a major security incident as it is about proactively preparing for, preventing, detecting and remediating it. That means having a formal disaster recovery plan, doing regular offsite backups of all critical systems and testing both the plan and the recovery process on a frequent basis.

“Integrate cyber resilience into business continuity planning and ensure alignment with overall business objectives,” says Luigi Lenguito, CEO of BforeAI. “Make sure to have the people involved in plans, practice the execution. Not exercising is like exercising for failure.”

From a technology standpoint, implementing a resilience capability requires investments in backup and recovery systems or services, redundant systems, fault-tolerant infrastructure and reliable failover mechanisms. It also involves training staff on proper recovery procedures and roles, and ensuring that the vendors you rely on have robust recovery plans of their own. “Cyber resilience is about the ability to resurrect from an attack, ideally with continuity,” Lenguito says.

Make sure to consider your hybrid workforce when developing processes to minimize downtime and ensure quick recovery, Wyatt from Absolute Security says. Take your tabletop exercises all the way to the end by incorporating remote recovery capabilities. Your ability to operate and avoid reputational harm depends on getting remote workers back online safely. Also make sure your vendors and others in the supply chain are doing their part. “Select, deploy, and test applications that can demonstrate their ability to remain always on and operational,” she says. “Rigorous compliance checks and resilience measures must be integrated into vendor management processes.”

McQuiggan stresses the importance of testing. Develop and test business continuity plans regularly, along with backup testing quarterly to ensure the backups are available to use in the event of a failure, he says.
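The backup testing that McQuiggan and Lenguito recommend is only meaningful if it exercises an actual restore and checks the result. The script below is an added example written for this page, not code from the article or from any of the companies it quotes. It builds a SHA-256 manifest of a constructed "production" tree at backup time, restores the backup into a clean location, compares every file against the manifest, and checks that the backup is recent enough to meet an assumed 24-hour recovery point objective (RPO). The sample files, directory names and RPO are all assumptions chosen for the demonstration; the `corrupt_one_file` flag deliberately damages one restored file so the failure path of the check is exercised too.

```python
"""Automated backup restore drill: confirm a backup can be restored, that
every file comes back bit-for-bit, and that the backup is fresh enough to
meet the recovery point objective (RPO).
Added example for this page; not the article's or any vendor's code.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> list:
    """Compare a restored tree against the manifest taken at backup time.
    Returns a list of problems; an empty list means the restore is complete
    and intact."""
    problems = []
    restored = build_manifest(restored_root)
    for rel, expected in manifest.items():
        actual = restored.get(rel)
        if actual is None:
            problems.append(f"missing: {rel}")
        elif actual != expected:
            problems.append(f"corrupt: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return problems


def within_rpo(backup_time: datetime, now: datetime, rpo: timedelta) -> bool:
    """True if the newest backup is recent enough to satisfy the RPO."""
    return now - backup_time <= rpo


def run_restore_test(corrupt_one_file: bool = False) -> dict:
    """End-to-end drill on constructed sample data: create a 'production'
    tree, back it up, restore it elsewhere, and verify the result.
    corrupt_one_file simulates a damaged restore so the failure path runs."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        prod, backup, restore = base / "prod", base / "backup", base / "restore"
        prod.mkdir()
        # Constructed sample files standing in for critical system data.
        (prod / "config.yaml").write_text("service: billing\nport: 8443\n")
        (prod / "db").mkdir()
        (prod / "db" / "orders.csv").write_text("id,total\n1,99.50\n2,12.00\n")

        manifest = build_manifest(prod)          # integrity baseline at backup time
        backup_time = datetime.now(timezone.utc)
        shutil.copytree(prod, backup)            # stands in for the offsite copy
        shutil.copytree(backup, restore)         # restore into a clean location

        if corrupt_one_file:
            # Simulate a truncated file in the restored copy.
            (restore / "db" / "orders.csv").write_text("id,total\n1,99.50\n")

        problems = verify_restore(manifest, restore)
        fresh = within_rpo(backup_time, datetime.now(timezone.utc), timedelta(hours=24))
        return {
            "files_checked": len(manifest),
            "problems": problems,
            "within_rpo": fresh,
            "passed": not problems and fresh,
        }


if __name__ == "__main__":
    print(run_restore_test())                       # clean restore passes
    print(run_restore_test(corrupt_one_file=True))  # damaged restore is caught
```

In a real drill the manifest would be stored alongside the backup (ideally signed, so a tampered backup cannot carry a matching manifest), the restore would go to isolated hardware or a scratch cloud account rather than a temporary directory, and the result dictionary would feed the quarterly test record the steering committee reviews.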
Know how to pitch the ROI of cyber resilience
Boards have become very focused on managing risk and have become increasingly fluent in cyber risk. But many boards are surprised that when a crisis occurs, broader operational resilience is not a point of these discussions, according to Wyatt.

Bring your board along by having external experts walk through previous events and break down the various areas of impact. “For example, a recent survey showed that only one in 11 companies paid the ransom but even for those that did, the ransom itself was less than 32% of the total cost of the event,” she says. Not being able to operate internal systems, take orders, or connect with customers can have a long-standing reputational and financial impact on a company. “How you recover from an event has almost more impact on the overall cost than from the attack itself,” Wyatt notes.

Jeff Williams, CTO at Contrast Security, believes that security leaders may be making a mistake in pitching the ROI from cyber resilience investments in terms of financial impact alone. Often, security leaders try to estimate the costs of avoided breaches to demonstrate value in security investments. But the numbers they estimate can be so astronomical that they cause eyes to glaze over. Business leaders and boards simply tend to tune out those numbers, Williams says. “Business leaders are much more responsive to legal requirements such as the new EU Product Liability Directive that creates no-fault liability for software defects, including security vulnerabilities, and cost-savings,” he says. “So, I recommend focusing on metrics like accelerating software development and improved innovation.”

Use both data and stories where possible. “Too many leaders rely on dry and abstract charts about policy, vulnerability rates, mean time to recover, downtime, etc.,” Williams says. “The data is important, but don’t forget the stories that make the data real and compelling. Use those stories to build support for the initiatives you are pursuing.”

Stress the importance of maintaining customer trust, Lenguito from BforeAI says. Point out the need for compliance with legal and regulatory requirements. And do not forget to highlight the potential brand impact and reputation cost of downtime related to a cyberattack. “No cyber insurance will help recover the lost value from your brand,” he says.
First seen on csoonline.com: www.csoonline.com/article/3618501/key-strategies-to-enhance-cyber-resilience.html