Don’t Mistake Cyber Resiliency for Cyber Security
Have you ever considered your organization’s cyber resiliency? Don’t feel bad if you said no. In fact, the truth is you probably have but just didn’t know it. That’s partly because cyber resiliency is a fairly broad-ranging subject that encompasses multiple topics. In a nutshell, cyber resilience is an organization’s ability to resist or bounce back from a cyber attack. Defenses like firewalls and anti-malware software are crucial to your cyber security and make your organization more resistant to attacks, which improves your overall cyber resilience. That’s not where the concept ends though.
There’s no empirical measure of an organization’s cyber resilience but it’s really just the concept that’s important. In this case there are two parts to remember. First, in order to improve your situation, you need to improve your defenses. Better defenses mean you are less likely to be successfully attacked in the first place.
Better defenses mean more cyber resiliency
To start, you need to understand how to defend a computer. The Center for Internet Security (CIS) has a list of security controls that details how to improve your security posture, so grab that list and get started with those items. Don’t forget about getting a good firewall and anti-malware software, but if that’s where things end then you’re not cyber resilient.
While we’re on the subject, let’s take a quick detour to remind you that when researching firewalls you need to get a business-class firewall. That means a device with advanced features like AV and IPS, not typically available off the shelf at Best Buy. Devices designed for home use are not built to the same standards as those built for businesses.
Another good idea is to take an inventory of the devices and software in your organization and on your network, then identify the purpose of each. This lets you identify what is actually important and determine additional means of protecting important components. For example, isolating your financial data on a separate network will help protect that critical data. Hard copies of tax and property information are often kept in a locked cabinet in a locked room. That’s a good sign your electronic versions need more protection than sitting on your reception desk’s hard drive.
Part of being cyber resilient is recognizing that even excellent defenses aren’t perfect. That’s why we regularly advocate constant monitoring and looking for ways to improve defenses. Vigilance is the price of peace, after all.
Cyber resiliency is about recovery as much as it is security
There’s an old adage that applies well to this concept: “Hope for the best but plan for the worst.” Plan how to recover from a successful attack, even if it seems a little strange to create a recovery plan after investing so much time and money in proper defenses. Unfortunately, like pretty much everything else in the world, there’s no such thing as a perfect defense. You can invest in the best, most expensive, most comprehensive cyber defenses in the world and they still can’t guarantee you’ll never be hacked or breached.
Consequently, you need to have a plan for how to recover from a successful attack. Figure out what parts of your business are linked to others, a process officially known as Business Impact Analysis (BIA). Basically it’s a report that details the important resources in your organization and what would happen if they were to stop working. Armed with that information, you can build plans and procedures for how to recover as quickly as possible from a cyber attack.
A plan for recovering from an event that takes out key business resources is called a disaster recovery plan. It’s also a vital piece of your company’s overall strategy that can improve your overall cyber resilience. Just remember that plans often don’t change in lockstep with your organization, so remember to review them regularly to keep them relevant and updated. At the same time, if no one knows about a plan it’s worthless, so be sure to educate (and periodically remind) everyone about their roles in the event of particular disasters.
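As an added illustration of the two points above (it is not code from the original post), here is a small Python model of a BIA: a constructed inventory of resources and their dependencies, a function that works out everything that stops when one resource fails, a ranking of resources by that impact, and a check that flags recovery plans that are missing or have not been reviewed within a year. All resource names, dependencies and review dates are made-up sample data.

```python
# Added example (not from the original post): a toy Business Impact Analysis
# model. Resources and the dependencies between them are constructed sample
# data; the functions compute what stops working when a resource fails and
# flag recovery plans that are missing or have not been reviewed recently.
from datetime import date

# Constructed inventory: resource -> the resources it depends on.
DEPENDS_ON = {
    "invoicing": {"finance-db", "email"},
    "payroll": {"finance-db"},
    "finance-db": {"file-server"},
    "email": {"internet-link"},
    "web-store": {"internet-link", "finance-db"},
    "file-server": set(),
    "internet-link": set(),
}

# Constructed recovery plans: resource -> date the plan was last reviewed.
PLAN_REVIEWED = {
    "finance-db": date(2021, 3, 1),
    "file-server": date(2018, 6, 15),
    "internet-link": date(2022, 1, 10),
}

def impacted_by(failed, deps=DEPENDS_ON):
    """Every resource that stops working if `failed` stops (transitively)."""
    hit = set()
    frontier = [failed]
    while frontier:
        r = frontier.pop()
        for name, needs in deps.items():
            if r in needs and name not in hit:
                hit.add(name)
                frontier.append(name)
    return hit

def rank_by_impact(deps=DEPENDS_ON):
    """Resources sorted by how many others fail with them, most critical first."""
    return sorted(deps, key=lambda r: (-len(impacted_by(r, deps)), r))

def stale_plans(today, max_age_days=365, plans=PLAN_REVIEWED, deps=DEPENDS_ON):
    """Resources whose recovery plan is missing or older than max_age_days."""
    out = []
    for r in deps:
        last = plans.get(r)
        if last is None or (today - last).days > max_age_days:
            out.append(r)
    return sorted(out)
```

Running `rank_by_impact()` on the sample data puts the file server first, because everything financial sits behind it, and `stale_plans(date.today())` is the list to hand to whoever owns the plan reviews.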
Better cyber resiliency really is just as simple as strong security and codified recovery processes. You need to be both defending your organization and planning for the possible failure of those defenses. In truth, no organization I’ve assessed does both of these, though many have parts of both. Unreviewed, out-of-date recovery plans are among the most common problems, and oftentimes those plans are little more than just words on paper. It’s those sorts of shortcomings that make a bad situation worse when a breach does happen but the recovery plan references out-of-date material and employees don’t know what they’re supposed to do. That’s easy to avoid.
For today, I’ll take a line from Shakespeare’s Measure for Measure Act 1 Scene 4, “Our doubts are traitors, and make us lose the good we oft might win, by fearing to attempt.”
If you have any questions about cyber resiliency, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind, Courtesy of Your Friendly Neighbourhood Cyber-Man.