
To paraphrase Rudyard Kipling, “If you can keep your head while all around you are losing theirs …”, it is very likely that you expected something bad might happen and had already taken steps to ensure that, if it did, your systems would be resilient enough to keep working.
TL;DR: Identify the risks that matter, plan to survive them.
When we consider cyber risks we should not start with the many thousands of potential cyber threats that exist, however many headlines they have generated. We must first focus on the ten to twenty systems we need to protect to keep our business functioning, and understand the threats that could stop them from functioning. Only by understanding what matters to our business can we begin to manage the complexity of resilience in our own context.
If we already have a Business Continuity Plan, or a recent IT strategy that covers availability of critical systems, then we have the basic information needed to decide which systems matter most in the event of a cyber-attack against us. Such a plan should have identified the specific systems required either to maintain a minimum operational service level, or to restore critical failed systems within a timeframe acceptable to the business and to regulators.
If you are following on from our two previous Cyber Safe articles you will already have an idea of what really matters to your business, and how much of your resources you need to deploy to bring your cyber risk posture to an appropriate level for your business to continue.
The key word is continue. Cyber resilience is not about making your systems totally immune to every possible cyber-attack. It is about making your business resilient enough to interruption that, when an attack occurs, you can continue to trade at an acceptable level of service.
The interpretation of ‘resilient enough’ is where your business becomes different from every other business that exists. If you are a fintech business, or a bank, cyber resilience means something completely different than if you are operating a manufacturing business, a bottling plant, or a hospital. And, even when you are trading in a common business or industry sector, your systems and processes will have their own detail and dependencies that make your business unique.

To help you on your quest for resilience here are a few questions and concepts that can guide your journey.
- How much business would you lose (lost customer, lost payment, lost product) if a system were down? Can you estimate the loss per hour, per day, per week to the nearest $1k?
- How much revenue would only be deferred or delayed if an outage occurred? How long would that outage need to be to lose that revenue or customer permanently?
- Which systems could be completely offline for several days without affecting your business? For example, if your business is based on recurring revenue and that revenue could be maintained, would losing the ability to add new customers or change customer details be merely inconvenient, or damaging?
- Which systems must never be compromised for regulatory reasons? What is the impact of a data breach in terms of fines, costs, and future business?
- Would it make sense to design some systems to be unreadable by an attacker, even if that prevented some normal functions from working?
- What is the minimum level of service you need to offer your customers during any outage, cyber-attack included? Can you restore to that level if a cyber-attack is the cause?
Once you have worked through these questions you will be able to determine how much it is worth spending, in process and systems, to bring any such outage into a manageable and business-defensible state.
Cyber resilience is about investing appropriately in the design and operation of your critical business systems and their alternatives, backup and recovery components, and processes, so that in a crisis you can maintain a functional level of operation that delivers a level of service sufficient to maintain trust in your business.
Communication is unavoidably part of your cyber resilience design: if your services are only partially functional, it will certainly be noticed. Make sure you are prepared to tell customers, stakeholders, and partners exactly what has happened and what the current service implications are. This goes well beyond mandatory incident reporting!
Cyber resilience is a part of your cyber incident response plan, but it is not automatically present unless you have taken the necessary steps to design it into your business and to test it. Those who have implemented a business continuity process will recognize all of the above ideas; they are indeed the same. The difference in focus this time is that the aim is not to address accidental or environmental outages, but deliberate adversarial cyber threats that have a similar impact.
Cyber resilience does not happen by accident or for free; it needs to be a conscious choice in your business cases and system planning. Although cyber resilience has a technical aspect, as all things cyber inevitably do, its true value lies in the business trust and cost-to-recover aspects of your operations.
Worrying about cyber resilience is too late when you find out at 3am that your business is not, in fact, resilient. Including cyber resilience in your business strategy and planning process will never be a waste of money.
Be cyber resilient out there!