In 2016, President Barack Obama set forth the Cybersecurity National Action Plan (CNAP). This plan recognizes the worsening nature of cyber threats to our country, especially in regard to securing national infrastructure. The plan focuses on resilience.
"Even as we focus on preventing and deterring malicious cyber activity, we must also maintain resilience as events occur. … By applying lessons learned from past incidents we can improve management of future cyber incidents and enhance the country's cyber-resilience."1
The view expressed in the CNAP is a realistic one. As a nation, attempting to prevent the rapidly growing sphere of cyber crime is important; however, remaining strong through these events when they do happen and planning mitigation strategies is essential to managing our technology. On a smaller scale, organizations also need to balance cyber security and cyber resilience.
As cyber attacks become more common and harder to prevent, organizations find themselves needing to reassess the balance of their proactive and reactive cyber-security measures. As I've written in previous articles, proactive security measures seek to prevent cyber attacks or lessen their impact. Education programs, training, and regular security assessments, including penetration testing, are all elements of a strong cyber-security protocol. Trying to stay one step ahead is always going to serve an organization well and may even counteract a large number of vulnerabilities.
However, no proactive cyber-security measure is foolproof, and no amount of preparation can successfully ward off each and every potential attack. Changing technologies, adaptive cyber criminals, and the amount of room for human error can often foul even the strongest proactive strategies. Resilience is all about when those proactive measures do not work with 100 percent efficacy.
To differentiate, cyber-security measures are the steps that organizations take to protect their networks, data, and systems. Comprehensive security programs take into account which assets ought to be prioritized and how to best shield them from cyber attacks.
Cyber-resilience measures are implemented to protect organizations from the operational risks that cyber threats pose. Cyber attacks often focus on stealing an organization's data, but they also can target an organization's ability to perform tasks and maintain its operations. Resilience measures help an organization work through cyber attacks as they are happening.
Cyber resilience is focused on recovery. It takes into account the likelihood of cyber attacks occurring and the potential cost of operational impact. In the event of a cyber attack, consolidation, layering defenses, creating backups, and having procedures in place for a quick recovery are all elements of having a resilient structure. Resilience builds on proactive measures organizations take, especially security assessments.
Security assessments help create an idea of the cost of operational risks that may occur due to cyber threats. Resilient systems help to ensure operational continuity and lessen the financial and reputational damages that ensue from stalled services. Conducting penetration testing and doing test runs of how a cyber attack would be handled (and who would be responsible for communication both inside and outside of the organization) helps to set an organization up for success. Practice makes perfect, and being able to work through and respond efficiently to adverse cyber events requires practice across management. In this article, I will discuss some of the ways that organizations can prioritize resilience in their cyber-security strategies.
Cyber-security professionals are sometimes met with an attitude of, "Thanks for the information, but this will never happen to us." With this mindset comes a dismissive and begrudging stance toward cyber awareness and a cavalier approach to resilience. After all, if it "probably" won't happen, why bother with the time and expense necessary to practice resilient strategies?
Even now, with large-scale data breaches spanning our daily newsfeeds, cyber security is still something that upper management often takes for granted. Investing in strong cyber-security professionals, and communicating with them often, is critical for resilience. The public response needs to be well informed, and this kind of information is best received from those within the information technology department.
Taking cyber security seriously starts with the development of a culture of security. Upper management buy-in is critical, as I discussed in my last article, "Real-Life Consequences in a Digital World: The Role of Social Media." Regular evaluation and reporting of security assessment results inform steps that should be taken to strengthen resilience.
Recognize the impact of operational losses within your organization and assess what might happen should operability be disrupted. For example, a distributed denial-of-service attack on a financial institution may disrupt business operations by flooding a server with more traffic than it can manage. As a result, clients may be unable to access their accounts. How would this impact the institution reputationally? Financially?
In addition to targeting data, cyber criminals may also target your organization's ability to perform certain functions. Determining the potential impact, and conveying its severity to upper management, helps to demonstrate the need for cyber resilience in conjunction with cyber security.
Cyber resilience is an ongoing effort. As technology adapts and changes, so too should your organization. Recovery methods may take time to become truly established, just as building a culture of security takes time, patience, and ongoing training to cultivate. Cyber resilience is a realistic approach in combination with cyber-security strategies. While we can't guarantee complete immunity to cyber attacks, we can do our best to maintain operations and create plans to work through them and recover as quickly as possible. Just as the CNAP took previous incidents into account as part of learning about resilience, organizations can also learn from the past when it comes to strengthening security and preparing for continued operability.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI.