Cyber Resilience: A Need for Strategy Beyond Cybersecurity

Dr Magda CHELLY, CISSP, PhD
Magda On Cyber
Jun 30, 2022

Co-Written with Shareen Song

So you’ve got all the good stuff in place: firewalls, two-factor authentication, comprehensive cybersecurity policies, and regular staff training, and a team of dedicated cybersecurity personnel armed with the latest and greatest cyber gadgets and gizmos to detect and manage vulnerabilities. And you might think to yourself… we’re good, we’re safe… we’ve got cybersecurity covered.

But are you really all good and safe? Or is 100% cybersecurity a myth?

I’m afraid the latter holds. There is no guarantee that, even with the best and most valiant defensive efforts, an organization will not fall prey to the fiends motivated to make a living out of cybercrime.


And why not?

Cybercrime trumps regular crime in so many aspects:

  • a lot less physically demanding than real crime (no need to go to the gym to train to outrun the police)
  • affordable, user-friendly, plug-and-play ransomware readily available on the Dark Web (i.e., one doesn’t need to be a cyber genius to embark on a career as a cybercriminal)
  • no need to acquire scary weapons or worry about potentially getting wounded in a physical heist
  • the take-home loot does not have to fit into a duffel bag; in 2021 the largest reported ransomware payout was USD40 million from an insurance company (https://www.mimecast.com/blog/the-biggest-ransomware-attacks-of-2021/), whilst the average paid out by US companies was USD6.312 million (https://www.zdnet.com/article/average-ransomware-payment-for-us-victim-more-than-6-million-mimecast/)
  • here’s the icing on the cake: according to Third Way (a Washington DC-based public policy research institute), only approximately 0.3% of all reported cybercrimes are enforced and prosecuted.

Furthermore, based on just the two findings below (and there are so many more), it would appear that there is no shortage of opportunities for these very bad eggs:

  • In Dec 2021, Redscan.com reported that more than 50 new vulnerabilities were logged daily during the year. What this means is that every new day brings 50 more opportunities for the bad guys to outwit, outpace, and outcode an exploit BEFORE the team on the other side comes up with an update or patch to fix each vulnerability.
  • In Aug 2020, Palo Alto Networks published research which found that 80% of exploits had been circulating for, on average, 23 days before their respective vulnerabilities were reported.

Armed with opportunities aplenty, wit and will, and the Adidas mantra that “impossible is nothing”, the odds look pretty rosy for cybercriminals on the prowl.

On the receiving end, organizations are forced to face up to the sobering fact that even with the best cybersecurity measures, falling victim to a cyber incident is no longer an ‘if’, but a ‘when’. Indeed, in Mimecast’s 2021 “State of Ransomware Readiness” study of 742 cybersecurity professionals, it was found that 80% of businesses around the world had been attacked with ransomware.

What is out there coming for me?

Apart from the ransomware mentioned earlier, there are many types of attacks lurking out there. Threat actors can typically sabotage their targets through malware attacks, which may cripple the services and operations of the business.

Just think of how much money and trust would be lost if your business stopped operating or lost its services for a day.

CONGRATULATIONS! You have won 2 tickets to Paris from the company’s annual lucky draw. Click here to redeem.

Attacks are not limited to using high-tech software to achieve their malicious goals. Social engineering focuses on the behaviors and patterns of a target, and an attack is then designed to exploit that target’s weaknesses. These attacks could take the form of baiting, phishing, and pharming, amongst others.

Organizations should educate their employees on possible attacks targeting the business or even their personal lives.

Would you expect an employee to continue working without distraction if that employee just suffered a cyber-attack?

Remind employees by providing regular training and briefings, or by simply sending a memo or news article. Update them on the latest attack trends to keep their awareness current.

Organizations need to look beyond cybersecurity to build cyber resilience

When one assumes that a cyberattack is inevitable, the best and only counter is to always be fully prepared to respond to one. Essentially, building cyber resilience is a strategy that involves identifying the worst-case scenarios that could result from a successful cyberattack, and then putting in place a comprehensive plan covering the immediate follow-up actions and incident response necessary to ensure business continuity, whilst remediating the situation and learning how to prevent a similar occurrence.

Identify worst-case scenarios

There are a few different ways to approach building risk scenarios. One common method is to first identify the key risks (these could fall into categories like security/fraud risk, compliance risk, operational risk, financial/economic risk, or reputational risk) that a business faces, and then create specific hypothetical situations (or “scenarios”) that could play out if those risks materialize.

Another approach is to start with potential events (such as a successful ransomware attack that has compromised the organization’s entire network and equipment; or a data breach where sensitive customer data have been stolen) that could have an impact on the business and then drill down to assess how likely they are to occur and what the potential consequences could be. This method can help businesses not only identify key risks but also prioritize them for mitigation in terms of likelihood and potential impact.

Of course, no matter which approach an organization decides to use, it’s important to think through all the possible implications of each scenario identified. Best practice indicates focusing on the top three to five worst-case scenarios.

Ensure business continuity with a solid cyber incident response plan

For each scenario identified, the impact(s) on the business must be detailed and measures must be put in place to mitigate the anticipated damage. For example, an organization that conducts its business online might need to develop offline emergency processes to keep essential functions, such as customer service and service delivery, running as well as possible until the situation can be fixed. This plan should address in detail:

  • What steps need to be taken in the immediate aftermath, as well as the remediation actions that would get the organization back to ‘normal operations’ as soon as possible, and who would be responsible for each action item
  • How the incident can be communicated to stakeholders, and/or reported to regulators (if there is a regulatory requirement)
  • How to assess and report the impact/success of resilience measures that have been adopted (for improving plans)

Continuous assessment and improvement

A robust cyber response plan will also need to be regularly revisited and updated to ensure that it remains effective:

  • A proper debrief and discussion after each incident (if one has occurred) to assess and incorporate any new learning
  • Regular and continuous reviews to assess whether updating is required (such as when there have been changes to staffing/responsibilities, or if new/more effective tools have become available to enhance response)
  • Regular training for staff, especially where there have been new hires, so that the team is always aware of their respective roles and responsibilities in the organization’s cyber resilience strategy and prepared to respond

Embarking on your cyber resilience journey?

“Building a Cyber Resilient Business: The cyber handbook for non-cyber executives” is a book specially written for company executives who do not have a technical background.


Pre-order your copy here: https://lnkd.in/dd5pd74h

Building cyber resilience in any organization needs to be a top-down approach; it cannot be left to just the IT department. Everyone, down to the newest intern, needs to be aware of their role in this strategy. The top will need to set the tone, display leadership, and provide support to underscore the criticality of building cyber resilience within the organization.

By Magda Chelly

Chief Security Officer | TEDx Speaker | Author & Keynote Speaker | IFSEC Global Top 20 Cybersecurity Influencer | Entrepreneur | PhD, S-CISO, CISSP, Cert SCI (General Insurance)

Find out more on magda-on-cyber.com

Follow Magda on Twitter: https://twitter.com/m49D4ch3lly
