Are your cybersecurity investments making you less resilient?
In the past decade, digital transformation has become a buzzword in nearly every industry. Organizations have scaled down workforces in favor of automation, moved their servers and networks off-premises, and transferred their data to the cloud, but mostly kept to their old ways when thinking about cybersecurity.
But things are finally changing, and the idea of cyber resilience is taking hold as an extension (or enhancement) of traditional business continuity (BC) and disaster recovery (DR) plans.
Digital transformation calls for digital resilience
If your organization were hit with a major cyberattack, how would you continue to operate the company in the most basic way possible while your security and technology organizations rebuild everything? This assumes you have uncompromised, complete backups and tested rebuild processes in place, of course. But even so, in the case of big companies, rebuilding machines, infrastructure, customer environments, and more takes time and money.
This is on top of the time and money you’ve likely already invested in being good at traditional BCP/DR. But it’s these investments that may be putting you at a disadvantage when it comes to being truly cyber resilient.
For instance, we’ve all been taught how important it is to back up our data. It started with weekly backups, then nightly. Now it’s near constant, and a continuous backup faithfully copies whatever is on the source at that moment, including any malware that has snuck into your network and any files it has already encrypted. Are better and more frequent backups leaving us at risk for a larger impact? Should a more advanced strategy be pursued for the most critical systems, e.g., some backups going to immutable (write-once) locations, being continuously scanned by anti-malware tooling, and stored in air-gapped cyber vaults, with integrity checks so you can tell which restore points are still trustworthy?
In addition to system backups, should you consider an out-of-band, continuous extract of the most recent orders in your systems so you can fulfill them in a different manner in case you suddenly lose everything? Are you also backing up the authoritative documents (e.g., support model, security model, etc.) that your teams will need to rebuild everything to the same fully integrated state?
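One practical check behind the “immutable backup” question above: record a manifest of file hashes when the backup is taken, keep that manifest (or its digest) somewhere the backup host cannot later write to, and compare against it before trusting a restore point. The script below is an added example, not code from the original article; it assumes a directory-tree backup, uses a temporary directory with constructed sample files, and simulates a compromised backup host encrypting one file, deleting another, and dropping a ransom note.

```python
"""Integrity check for a point-in-time backup copy (added example).

Assumes a directory-tree backup and a manifest written at backup time into a
location the backup host cannot later modify (immutable bucket, WORM share,
air-gapped vault). If a later copy of the tree differs from the manifest, the
backup was altered after it was taken, which is what ransomware that reaches
the backup share does to it.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root) to its SHA-256."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def manifest_digest(manifest: dict) -> str:
    """Digest of the manifest itself; store (or sign) this out of band."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the tree under root with the manifest taken at backup time."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "added": sorted(set(current) - set(manifest)),
        "modified": sorted(
            name for name in manifest
            if name in current and current[name] != manifest[name]
        ),
    }


def demo() -> dict:
    """Constructed scenario: take a backup, then simulate ransomware touching it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "orders").mkdir()
        (root / "orders" / "2024-05-31.csv").write_text("id,sku,qty\n1,A100,3\n")
        (root / "runbooks").mkdir()
        (root / "runbooks" / "rebuild-order.md").write_text("# Rebuild order\n1. IdP\n2. AD\n")
        (root / "config.json").write_text('{"sso": "idp.example"}')

        manifest = build_manifest(root)      # written at backup time
        digest = manifest_digest(manifest)   # kept in the immutable store

        # What a compromised backup host does to the copy it can reach:
        # encrypt one file, delete another, drop a ransom note.
        (root / "orders" / "2024-05-31.csv").write_bytes(os.urandom(64))
        (root / "config.json").unlink()
        (root / "README_DECRYPT.txt").write_text("pay us")

        report = verify_backup(root, manifest)
        # The stored digest still matches the stored manifest, so the manifest
        # itself (not just the data) can be trusted as the reference.
        report["manifest_intact"] = manifest_digest(manifest) == digest
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of keeping the manifest digest separately is that an attacker who can rewrite the backup can usually rewrite a manifest sitting next to it; a copy in an immutable or air-gapped location is what makes the comparison meaningful.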
Or take single sign-on (SSO), for example. What happens if your SSO is compromised and suddenly you can’t log in to anything? Or say your automated call center and purchasing system become inaccessible? Suddenly you have millions of transactions and not a single employee standing by ready to take manual orders. The more reliant we become on automation or a single solution for anything, the more we inhibit our ability to recover when that solution goes down. The same applies to multi-factor authentication (MFA). Nobody would argue MFA is bad; it’s great! But are you prepared to quickly pivot to a reduced log-in experience (for instance, pre-provisioned break-glass accounts with credentials stored offline) if your MFA or SSO provider is temporarily inaccessible?
It’s great that you have a virtual desktop available, but if you lose access to it, you can’t simply ask folks to go home and use their personal devices; that exposes the organization to compliance and legal risk.
It’s not that these investments are bad – they’re not. But the more reliant we become on the technology we use every day and the security solutions we implement, the more we need true cyber resilience.
Achieving cyber resilience
The first thing organizations should do is recognize that this is a tough challenge. While there’s no easy answer, we simply cannot pretend that this is not the state of things, given the enormous financial, operational, and reputational risks tied to a major cyberattack. As they say, the first step is admitting we have a problem.
The second step is committing to it not being solely an IT, business, or security organization problem. Implementing the characteristics of a cyber resilient organization needs to be collaborative across the business. You’ve spent years figuring out how to do more with less. If the time comes to rebuild everything, it will be important to have an agreed-upon playbook for the order in which systems are going to be rebuilt and business re-enabled.
Together, every company should go through the exercise of identifying what is critical to keeping the business running. When everything is running smoothly, of course, everything seems “critical” to the business, but when faced with a major security event that requires rebuilding, you simply can’t get everything back at the same time.
Consider how you would maintain command and control among the most critical personnel if your primary collaboration platforms were inaccessible. Should you maintain a “dark site” for critical employee communications or enhance your capabilities to mass dial your entire company to convey an important message? Should you have alternative email and messaging capability unrelated to your primary domain? You’ve spent years securing your use of, and access to, SaaS providers with things like SSO, MFA, only allowing access from allowed IPs, etc. Are you prepared to quickly modify that in case it’s a matter of existential business risk and have you practiced it?
Is the month-end close critical if you don’t have a month to close? Companies need to identify what their obligations are to keep the business alive, and it usually comes down to the movement of product and money. Paying creditors and employees, and meeting compliance and regulatory obligations, are all critical. So is being able to move physical product and run the logistics behind it, if that applies to you. What are your critical systems?
In addition, what processes (usually a combination of technology and business processes) do you need in place to limp the company along while rebuilding? This might include identifying critical employees and providing them with secondary machines, or with thumb drives that boot straight into a secondary operating system. It also means knowing which identity systems, network connection points, and provider relationships those employees depend on, and what the alternative is for each if the primary is unavailable.
The considerations highlighted in this article aren’t meant to be comprehensive or to apply the same way to every company; the important part is to go through this thought exercise yourself. Work out all the scenarios, even the ones you can’t see coming. This exercise can help you move away from simply checking the boxes of traditional BC/DR and set your organization on the path to cyber resilience.