While most professionals living in the modern world understand the importance of cybersecurity, far fewer people ascribe adequate significance to cyber-resilience. In fact, many folks do not understand the important difference between the two disciplines – a deficiency that sometimes leads to unnecessarily tragic outcomes after data breaches.
Cybersecurity, of course, refers to protecting computer systems, networks, and other information-technology infrastructure, and the data that they all house, from disruption, theft, modification, or damage. People tend to view cybersecurity primarily from a proactive standpoint – cybersecurity is often described and measured by how well it prevents various forms of deliberate maleficence by attackers. Major principles of cybersecurity, therefore, traditionally focus on areas such as authenticating users, implementing least-privilege authorization, layering security countermeasures to create perimeters and zones, coding with security in mind, and the like.
Cyber-resilience, on the other hand, measures how well an entity can continue operating – and delivering its goods and services as intended and expected – regardless of cyberattacks, technical failures, and other significant cyber-disruptions of normal business processes. Major principles of cyber-resilience, therefore, tend to focus on areas such as business continuity planning, implementing secure redundancy for critical business processes, continuously examining potential attack surfaces, identifying and assessing attackers’ actions within compromised computer infrastructure, reacting to attacks, cleaning up and restoring normal operations after a breach, etc.
In short, cybersecurity is primarily about protecting, and cyber-resilience is about surviving and thriving when that protection fails, as it inevitably will at some point in time.
In today’s world, focusing on only cybersecurity, without paying sufficient regard to cyber-resilience, can be disastrous; organizations simply cannot perpetually stop 100% of all cyberattacks launched against them. With minimal expenditures, hackers can launch literally millions of attacks using a wide variety of techniques and technologies, and create a tremendous imbalance: attackers need to succeed only once in order to achieve their goal, while defenders must successfully stop EVERY attack in order to prevent a breach. As such, organizations must prepare for the reality that their defenses may not always work, and must design and implement appropriate measures to deal with successful penetrations into their information systems.
The consequences of ignoring this reality can be severe. Research by the National Cybersecurity Alliance, for example, found that a large majority of small businesses that suffer a significant cyberattack go out of business within six months of the attack. And, when it comes to larger enterprises, the difference between being cyber-resilient and not can translate into the difference between an inconsequential breach and a major business disaster costing hundreds of millions of dollars to address.
So, be sure to allocate budget to address cyber-resilience, and to create a formal plan to deal with cyberattacks and other IT disasters. Make sure you know what critical resources you have – and what the business impact would be if they became nonfunctional or malfunctioning. And plan accordingly to prevent such problems from becoming reality. Have an adequate business continuity plan. And be sure to implement technology to deal with successful breaches.
Remember, even if your organization can fend off 99.9999% of attacks, you will eventually have to deal with the 0.0001% that get through.
In a future piece I will discuss in more detail the steps in preparing a cyber-resilience plan. In the meantime, if you are interested in learning more about cyber-resilience, please consider attending the Command Control Cybersecurity Summit to be held on March 3rd and 4th, 2020, in Munich, Germany.