×
eBook

3 Tips To Build A Cyber Resilience Roadmap

The conversations on cybersecurity in the corporate world today are increasingly pivoting towards cyber resilience. To achieve cyber resilience, enterprises need a proactive and continuous approach to cyber risk management. It requires embedding risk management across business processes and the extended organization in a way that makes customers, partners, and third-party vendors full-time stakeholders in cyber resilience, while the business is made fully aware of all cyber risks to make better-informed business decisions.

In its Global Risks Report 2020, the World Economic Forum has identified data fraud, data theft, and cyber-attacks among the top five biggest risks faced by the world. A complex cyber-attack not only tarnishes the brand of the strongest organization but could also lead to financial loss in the way of regulatory fines and penalties along with loss of customers, loss of future business and trust, etc. A recent data breach (Jan-Feb 2020) at Marriott exposed the personal information of 5.2 million guests, including their names, genders, phone numbers, travel information, and loyalty program data. In another instance, Equifax agreed to pay at least $575 million, and potentially up to $700 million, as part of a global settlement with regulatory authorities in the U.S. which alleged that the company’s failure to secure its network led to a data breach in 2017 in which approximately 147 million people were impacted. In this eBook learn how resilience management is becoming a new paradigm for cybersecurity in an increasingly digitized world, understand the need for quantifying IT and cyber risks, and gain quick tips on cyber resilience best practices. Last but not the least, a deeper dive into how to combat cyber-attacks effectively with a cybersecurity incident response program.

Resilience Management: The New Paradigm for Cybersecurity

Security leaders have been talking about the need for achieving cyber resilience for quite some time. However, with the surge in digitization efforts across industries, this has morphed into a new paradigm for organizations—to think beyond just prevention of breaches and invest in building capabilities to keep business operations up and running in the aftermath of attacks, be they major or minor.

It is noteworthy that the initiatives taken by regulators and standard setters on this front are aligned. In January 2020, the U.S. Department of Defense (DoD), traditionally the trendsetter for cybersecurity, published the Cyber Maturity Model Certification (CMMC) as a new, uniform set of requirements for Department of Defense contractors and sub-contractors. The key highlights in CMMC focus on resilience, specifically the inclusion of process requirements that are derived from the CERT Resilience Management Model (CERT-RMM). In 2018, the European Central Bank (ECB) launched the European Framework for threat intelligence-based ethical red teaming (Tiber-EU). It is the first cross-border, multi-jurisdictional, multi-regulator initiative, and has raised the standard of cybersecurity testing across Europe.

By leveraging regulations and frameworks, such as CMMC, Tiber-EU, and CERT-RMM, organizations are broadening their perspectives towards achieving cyber resilience i.e. balancing cybersecurity investments in order to achieve both, protection against attacks and build capabilities that allow them to operate in the aftermath of successful attacks. It is fair to assume that resilience management will become more central to cybersecurity across all industries going forward.
 

Why Organizations Need to Quantify IT and Cyber Risk

The path to achieving cyber resilience starts with identifying, prioritizing, and responding to the risks faced by an organization, both internal and external risks. Quantification of risks plays a critical role when it comes to prioritization of risks. Quantification of risks, however, is not a new concept. For example, financial services organizations quantify the credit risks from their customers who hold credit cards, banks quantify the risks of bad loans, and so on. But when it comes to cybersecurity, there are only a few organizations that practice Cyber Risk Quantification properly. As per Deloitte’s 2019 Future of Cyber Survey, half of the participating C-suite executives responded that they use risk quantitative tools while the other half still depend largely on the traditional approach—the experience of their cybersecurity experts or maturity assessments.

Advantages of Cyber Risk Quantification

 

Communicating the risk exposure

 

Making investment
decisions

 

Understanding risk appetite

 

Making cyber insurance purchase decisions

 

Gaining a competitive edge

 

 

  • Communicating the risk exposure: By using the language that the business understands— the dollar value loss in case a particular cyber risk materializes—it is easier for the Board and executive management to understand the value at risk in monetary terms, rather than relying on risk heatmaps.
     
  • Making investment decisions: Cyber Risk Quantification can help determine the right set of investments at the right time, based on the impact of the risk, and its probability to cause a cyber-attack—by considering all the financial and non-financial factors. Organizations can answer questions like “where to invest”, “how much investment is good enough”. This will lead to optimum utilization of resources by minimizing the duplication of technical capabilities and investments in the right technologies at the right time, based on the risk priorities.
     
  • Understanding risk appetite: Quantifying cyber risks also enable organizations to better understand the risk exposure and impact. This allows them to make the decision whether to pass the risk (by purchasing cyber insurances), accept (when investment required is more than the dollar value impact of the risk), or take actions depending on their risk appetite.
     
  • Making cyber insurance purchase decisions: Cyber Risk Quantification also helps in making an informed decision about cyber insurance purchase by giving an idea about the risk that should be covered in cyber insurance and what premium should be paid. It provides a measure for indemnification when deciding on coverages of cyber insurance as a remediation option.
     
  • Gaining a competitive edge: By investing in Cyber Risk Quantification, organizations can level-up their cyber maturity, and build trust with customers, partners, and vendors who exchange critical data with the organization.

Cyber Resilience Best Practices

To achieve cyber resilience, it’s important to strike the right balance between people, processes, and technology. A common mistake made by organizations is becoming over-dependence on tools and technology while ignoring the importance of well-informed and skilled people and well-designed processes for cyber resilience. What organizations should strive for is bringing all three components of cyber resilience together in a complementary and streamlined manner.
 

People

People are considered to be the weakest link in the cybersecurity chain and are usually targeted by bad actors. Needless to say, ensuring cybersecurity is everyone’s responsibility and it is important that every employee is aware of their roles, responsibilities, and accountability.

To make the workforce cyber resilient, here are some key measures that organizations can undertake:

 

  • Providing relevant cybersecurity training to employees depending on their roles.
     
  • Ensuring that the cyber resilience program is supported by the top management and leadership who undertake periodic review of cyber resilience initiatives and monitor the readiness to face a cybersecurity attack or data breach.
     
  • Educating board members so that they aware of basic cybersecurity terms relevant to their business and industry cybersecurity trends.
     
  • Establishing specialist functional groups within the organization to monitor and address risks in real-time
     
Processes

Having the right governance and strong processes in place is crucial for achieving cyber resilience. Speaking of governance, some of the best practices include

 

  • Maintaining regulatory compliance.
     
  • Validating that proper controls are in place and operating effectively on data.
     
  • Having a responsive, agile adjustment of policies, processes, and technologies.
     
  • Monitoring the preparedness to face cyber breaches using strategies such as scenario-based prediction, war-gaming, and proactive reporting.
     
  • Devising an effective communication plan, documenting when and how to notify key stakeholders.
     
  • Ensuring alignment with the organization’s overall governance framework

With regards to processes, organizations can put into practice a number of key measures for cyber resilience, including

 

  • Creating a comprehensive documentation process for collaboration and information sharing within the organization as well as externally with third-party organizations.
     
  • Implementing a centralized asset management system for software, hardware, and data, both internal and external, for full visibility into critical assets and security controls.
     
  • Using continuous monitoring systems, such as Security Information and Event Management (SIEM), and data analytics for identifying and detecting security incidents.
     
  • Deploying various controls to prevent cybersecurity incidents such as application control, patch applications, multi-factor authentication, restricting administrative privileges.
     
Technology

Technology is the biggest enabler to fight against cyber criminals and is the most trusted and important pillar to achieve cyber resilience. Key focus areas for organizations in this regard include:

 

  • Achieving a balanced technology portfolio i.e. in terms of investments in tools and technologies, more investment should be directed towards response and recover capabilities.
     
  • Ensuring that the technologies being used are securely updated based on industry standards as older systems and technologies grow increasingly vulnerable.
     
  • Adopting a more mature and advanced approach to protect assets—using automation and orchestration technologies as a part of response and recovery capabilities.
     
  • Creating an air-gapped copy of critical assets, ensuring robust protection against the corruption or deletion of data by using write once, read many/immutable storage technology.
     
  • Leveraging point-in-time technology to identify potential breach or infections and devise corrective measures, and using advanced technologies like deception to deceive attackers.
     

The New Combative Role of a Cybersecurity Incident Program

It is close to impossible to build an impenetrable defense, especially when it only takes a single loophole for bad actors to exploit a vulnerability to breach an organization's security. However, organizations can take some key measures to minimize the damages and defend themselves against these cyber-attacks.

Today it has become imperative for organizations to focus on security policies and practices as the foundational structure of their overall risk management strategy. In addition, they need to ensure compliance with new laws and regulations that govern how they protect information assets. It is also important to note that network and systems administrators alone cannot protect corporate systems and information assets—the onus falls on the organization as well. All these factors point to the compelling need for organizations to have a Computer Security Incident Response Team (CSIRT) in place.

The CSIRT is a center of information security, incident management, and response in an organization. Establishing a CSIRT enables organizations to quickly respond to increasingly sophisticated and complex incidents such as cyber-attacks. Maintaining a CSIRT program enables organizations to identify and tackle the vulnerable areas with both reactive and proactive measures to safeguard and secure critical assets, build trust and confidence, and foster a culture of security in the business and the industry.
 

Conclusion

Cyber crimes can pose serious threats to businesses and the absence of a mature cyber resilience program can put organizations in jeopardy. Unfortunately, it is a reality that these threats are not going to let up. While organizations cannot always prevent a cyber-attack, an effective cyber resilience strategy can ensure a quick response, which could be a game-changer when it comes to minimizing the financial damage, and protecting the business and its reputation.

Related Stories

Analyst Report

MetricStream Recognized as a Category Leader in All 8 solution Quadrants

Case Study

Global Pharmaceutical and Health Care Conglomerate Accelerates Risk Assessment and Mitigation Across Its Supplier Network

Case Study

Top Entertainment Company Digitally Transforms Internal Audit, Risk, and Compliance Management to Thrive on Risk With MetricStream

lets-talk-img

Ready to get started?

Speak to our GRC experts Let’s talk