Thwart cybercrimes by making cyber-resilience your last line of defense

Connecticut-based Ryan Weeks, CISO, Datto, tells us how organizations are starting to take a new approach to mitigating their cybersecurity risks, with cyber-resilience providing a focus on keeping systems up and running during recovery, speeding restoration, reducing downtime and minimizing the overall impact of an attack.

Over the last few months, we’ve witnessed security breaches affecting leading global names such as Acer, Microsoft Exchange and SonicWall, making it painfully clear that no cybersecurity defense is impenetrable. A report from Cybint estimates that, on average, there is a hacker attack every 39 seconds and that, since COVID-19, there’s been a 300% increase in reported cybercrimes.

With attack vectors constantly evolving, organizations across the globe are starting to take a new approach to mitigating their cyber-risks. What companies are realizing is that the traditional approach of trying to stop attacks is no longer enough.

Instead, organizations are actively shifting from a prevention mentality to one that assumes a security breach. This means that organizations are operating as though a breach has already taken place and ensuring they can quickly recover to minimize operational damage.

More often than not, companies rely on a protective layer of firewalls, anti-malware solutions and intrusion prevention. However, they are now beginning to understand that, to minimize security breaches, protection needs to go beyond these first lines of defense, and to do that they need to build cyber-resilience.

In addition to well-established cybersecurity practices, cyber-resilience incorporates incident response, as well as Business Continuity and Disaster Recovery (BCDR). We can say with confidence that incidents will almost certainly happen, and the focus needs to be on keeping systems up and running during recovery, speeding restoration, reducing downtime and minimizing the overall impact of an attack.

Cyber-resilience relies on people, processes and technology

Using the most conventional definition, cyber-resilience measures an organization’s strength in preparing for, operating through, and recovering from an attack. Using this description, companies will require a holistic security program to assure the resilience of their organization and that of their customers before, during and after adverse events. Key to the success of cyber-resilience is an organization’s ability to quickly identify, respond to and recover from security incidents.

To achieve this next level of security, cyber-resilience must rest on people, processes and a combination of technologies. When assessing their security posture, organizations need to identify gaps in their security capabilities from a people, processes and technology perspective and take the necessary steps to address these.

For instance, if a company finds that the staff lacks security know-how, they need to determine the best way to remedy the gap. The solution may be to hire or develop dedicated security experts, as well as create enhanced security awareness throughout the organization by conducting periodic training.

The second element – processes – needs to be clearly defined, repeatable and measurable. For most organizations, pinpointing weaknesses and gaps and making the necessary process improvements will be an iterative journey that will require constant review.

Finally, technology solutions must be able to properly support people and processes. This requires organizations to evaluate whether they have adopted the right solutions, determine whether they are using them to their full potential, and look at how technology could be more effectively harnessed.

Since a great number of cyber-resilience issues aren’t technology based, it’s important for organizations to realize that their cyber-resilience initiatives rely primarily on people and processes. In fact, technology investments come second, and they should be made based on the needs of people and processes, not vice versa.

Use security frameworks for guidance

To achieve security objectives that lead to reduced risk and cyber maturity, cybersecurity frameworks are known to provide useful guidelines. To meet cyber-resilience objectives, businesses can use specific aspects or combinations of frameworks, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework or the Center for Internet Security (CIS) Security Controls.

The CIS Security Controls cover a prioritized set of actions to help organizations identify and protect their data from known attack vectors. From this list, the most critical controls to implement include inventories of hardware and software assets, continuous patch management, controlled use of account privileges, secure system configuration baselines, and the maintenance, monitoring and analysis of audit logs. Most of these controls can be achieved with technology that an organization already has in place.

The CIS Security Controls map directly to the NIST Cybersecurity Framework, which compiles industry standards and best practices into a cohesive format that organizations can use to better manage their risks. This framework is based on the five key functions required for cyber-resilience: identify, protect, detect, respond and recover.

Since the framework is not prescriptive, it provides businesses with guidance on the outcomes they need to achieve. It is then up to the company to define which capabilities they will need to develop to reach these outcomes.

These include understanding the environment and identifying vulnerabilities and gaps in order to better manage risks to people, data, assets and systems; limiting and containing impacts resulting from attacks; the timely detection of cyber events; effectively responding to incidents and finally, recovery capabilities to restore normal, safe operations.

Businesses that establish or strengthen their capabilities in each of these five functional areas will be in a much better position to reduce the potential for adverse outcomes. Since no two organizations are the same, there isn’t a silver bullet for how to achieve cyber-resilience.

Nevertheless, building cyber-resilience needs to be a fundamental objective for every business. Since most organizations already have many of the required capabilities in place, they are able to use existing frameworks as a guide to identify gaps in their security posture – and address them by tweaking processes, acquiring specialist expertise and optimizing how they use technology.

Not a one-and-done initiative, cyber-resilience is an ongoing business effort that requires careful evaluation at every step of the journey. While the endeavour may sound overwhelming at first, the most important step that any company can take is to begin the process.
