Well, not you personally, but your business in particular. And to be clear, we’re talking about cyber resilience. How well is your business prepared, right now, to weather a significant cyber attack? I don’t want to know what you understand about cyber, or what you plan to do, but rather: right now, how resilient are you? Because cyber isn’t a future threat. It’s a significant threat right now, and it will only get worse in the foreseeable future.
I ask this question a lot, and I get a wide variety of answers. It’s not a technical question. It’s a business question. Cyber security is a business risk, not a technical problem, and one that can be quite worrying if you don’t know the answer to the question above.
Cyber risk can destroy your business faster than possibly any other mitigable risk I can think of.
I don’t want to criticise any possible shortcomings, because, let’s face it, we all have them. I’d rather tell the story of a business I consider to be quite resilient. We’ll call them XYZ Co. I know they’re quite resilient because I have seen this up close: they have withstood, and prospered in the face of, some substantial cyber attacks. They’re quite inspirational. I am privileged to have assisted them on this journey, so I have seen them in action.
100% Secure from a cyber attack?
You can be 100% secure from a cyber attack… all you need is a VERY hot furnace! Put everything electronic or computer controlled in the furnace, and it is then rendered 100% secure from cyber attack. Useless, to be sure, but very ‘secure’ from attack.
Is XYZ Co. 100% Secure? No! Of course not. It’s impossible.
Are they resilient? You bet they are. Very!
Outside of the ridiculous measure I mentioned above, the best you can be is resilient. This is what we aim for: cyber resilience. It’s quite achievable, and it doesn’t need to cost much. Certainly nowhere near as much as a significant cyber breach does.
Cyber resilience: what does this mean?
But what does that look like? What is a cyber resilient business? In short, it is one that can mitigate the majority of known risks effectively, and recover readily when affected by the unforeseen.
In my work I get to deal with two types of businesses.
- Those where the business leaders (Boards, C-Suite, Owners etc.) are taking proactive steps to build a cyber resilient business (I love this part of my work!),
- Those that are embroiled in the depths of a cyber security breach. (This part is horrible: seeing good, hardworking people suffer the anguish, and lose so much, when I know it could have been avoided.)
There are a lot of known cyber security threats. Some simple, some not so simple. However, many, many businesses have done little to mitigate most of them, if any. Either that, or they have a false sense of (cyber) security: they incorrectly believe ‘someone else is handling it’.
This does not need to be the case. Any business can be cyber resilient. The only thing that changes between a 2-person micro business and a global enterprise is the scale at which the same resilience-building things are done.
It’s the same as many other areas of business risk, though. There are some that prepare for contingencies, and some that are taken by surprise. The former has a plan; the latter has a ‘wing it’ approach to a cyber attack. I’m here to assure you that cyber is not a risk to ‘wing it’.
Preparation is key to avoiding a cyber attack
As with all things, preparation and planning are the only ways to succeed. My dad always used to tell me that it was amazing how ‘lucky’ hard-working, well-prepared people were…
So here’s a picture of a business I have the great honour of providing services to. They are indeed what I would regard as cyber resilient.
From the Board and CEO down, XYZ Co. have a positive cyber security culture. Everyone is on board, because the leadership is. Many moons ago they had an ‘IT has it covered’ mentality. They’ve grown amazingly since then. The current board are informed and ask excellent, hard questions about the state of cyber security, and they receive very regular updates on what is happening in this regard. Senior management, and everyone else who needs to, understands their role in the security of the business.
They have a pervasive culture of security
The employees don’t all walk around suspicious of shadows on the walls, but they do have a healthy understanding of what is safe and what is risky cyber behaviour. They have had some training, but it is more of a culture; it’s commonly talked about. People who make a simple mistake, like inadvertently clicking on a link, are applauded for quickly ‘fessing up. They aren’t ‘encouraged’ to hide mistakes by being berated for being human.
They have a mature CSF
If you haven’t yet been introduced, a CSF is a Cyber Security Framework. It’s simply a framework to help you organise and prioritise your business’s cyber security. The one XYZ Co. employs is a variation of the NIST CSF that we developed for them.
As they don’t have a requirement to ‘demonstrate compliance’ to any clients, the NIST CSF works well for them. If they did, we’d most likely have worked with ISO/IEC 27001 instead, since that is a standard a business can be certified against. But the NIST CSF is suitable for most businesses.
They know what they’re protecting, and how to protect it
XYZ Co. has gone in depth through step one of their CSF (the Identify function, in NIST’s terms). They have identified, and assigned a ‘value’ to, the assets in their business they’re trying to protect. The value allows them to prioritise what to protect first.
Everyone that needs to, knows what’s important to the business, and the leaders have clear plans in place for protecting those valuable assets.
They also have a great Defence-in-Depth, or Layered-Defence, mindset for defending their assets. You wouldn’t just build a fence and not have any locks on your doors, would you? If you did, all an attacker needs to do is hop the fence, and they’re in. It’s the same with cyber defences. Many layers are needed so that if one fails, the attack should be caught in a subsequent layer. It starts with high-level governance and layers all the way down to protecting the actual data. It sounds complicated, but it’s not.
They know what’s happening
Can you imagine not reviewing your balance sheet and P&L because you already had a plan for how you would be profitable? Madness! You have to measure, and know.
There’s little to no point in protecting anything if you don’t know whether those protections are effective. If you have no monitoring in place, you have no way of knowing if what you’re doing is working. You have to have intel.
XYZ Co. has a very simple system of monitoring, automated reporting and alerting covering all their critical assets.
In your business this could be as basic as some simple alerting in your email system, your EDR** (Endpoint Detection and Response) and your IPS* (Intrusion Prevention System), through to a dedicated SOC (Security Operations Centre). It’s simply a matter of scale. Whatever the scale, an alert is only useful if a named person is responsible for acting on it.
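To make ‘simple alerting’ concrete, here is an added example (mine, not XYZ Co.’s system and not code from the original article) of the kind of rule a small business could run over its own authentication logs. The log line format, field names, sample log lines and thresholds are all constructed assumptions for illustration. It flags a source address with five or more failed logins inside ten minutes, and then separately flags any successful login from that same source, which is the event you most want a human to look at.

```python
"""Minimal log-based alerting: brute-force and failure-then-success detection.

Added example; not code from the original article or from XYZ Co.
The log format, field names and thresholds are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed log line format (constructed for this example), e.g.:
#   2024-03-01T09:15:02Z auth=FAIL user=alice src=203.0.113.7
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample input: five failures from one source within two minutes,
# then a success from the same source, plus some unremarkable traffic.
SAMPLE_LOG = """\
2024-03-01T09:15:02Z auth=OK user=bob src=198.51.100.4
2024-03-01T09:15:10Z auth=FAIL user=alice src=203.0.113.7
2024-03-01T09:15:31Z auth=FAIL user=alice src=203.0.113.7
2024-03-01T09:15:55Z auth=FAIL user=admin src=203.0.113.7
2024-03-01T09:16:20Z auth=FAIL user=root src=203.0.113.7
2024-03-01T09:16:44Z auth=FAIL user=alice src=203.0.113.7
2024-03-01T09:17:01Z auth=OK user=alice src=203.0.113.7
2024-03-01T09:40:00Z auth=FAIL user=carol src=198.51.100.9
2024-03-01T11:00:00Z auth=FAIL user=carol src=198.51.100.9
"""


def parse_line(line):
    """Return (timestamp, result, user, src) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]


def detect(lines, threshold=5, window=timedelta(minutes=10)):
    """Return a list of (alert_type, src, timestamp) tuples, in log order.

    BRUTE_FORCE: at least `threshold` failures from one source inside `window`
                 (raised once per source).
    SUCCESS_AFTER_FAILURES: a successful login from a source already flagged
                 as brute-forcing; this is the alert that needs a human now.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    flagged = set()               # sources that have already tripped BRUTE_FORCE
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparsed line; in production, count and review these too
        ts, result, user, src = parsed
        if result == "FAIL":
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("BRUTE_FORCE", src, ts))
        elif src in flagged:
            alerts.append(("SUCCESS_AFTER_FAILURES", src, ts))
    return alerts


if __name__ == "__main__":
    for kind, src, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()}Z ALERT {kind} src={src}")
```

Run it against your own log export by replacing SAMPLE_LOG with the file contents. The thresholds are only a starting point; tune them against a week of normal traffic so the rule stays quiet enough that someone will actually read it. The per-source window means two failures eighty minutes apart (carol, above) are ignored, while five in two minutes are not, and a success from a flagged source is alerted on even though the login itself looks legitimate.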
They have a response plan
Similarly, if your lead indicators, or your balance sheet, reflect a weakening cash flow position, what do you do? Hope it will go away? Again, madness. You have a response plan.
If you have a cyber attack, you have it investigated. XYZ Co. has an IRT (Incident Response Team). They start with an initial incident response, to triage the event and see whether it warrants escalation. And there’s an escalation plan, and a team behind it.
They also understand the time frame this needs to happen within. We call this the MTD (Maximum Tolerable Downtime). Every business on the planet needs to know this metric: how long could you be ‘off-line’ before it’s no longer worth opening the doors again? Once you know this, your response and recovery obviously need to be tested, to prove that you can respond and recover well within your MTD rather than assuming it.
They’re constantly evolving and learning
Nothing is static in business, and it hasn’t been for a long time. XYZ Co. has constant information feedback to see where things can be tweaked and improved, from staff feedback to systems that report. XYZ Co. are constantly reviewing and making tweaks to their cyber security, from the Board all the way through the C-Suite and every endpoint. They are constantly improving. But this is hardly surprising, as they do this in all aspects of their business, from what I can see.
Like all other aspects of business, you can’t just set up a cyber security strategy and then forget about it. It needs to constantly evolve and mature. Again, this doesn’t need to be (and shouldn’t be) complicated. It should just be a simple part of doing business in this era.
This is what a resilient business looks like. They aren’t jumping at shadows on the wall; they just go about their business, confident that they have plans in place. They’re confident that they can mitigate many, if not most, attacks. And if something unforeseen happens, they have tried and tested plans to get back to business with a minimum of fuss and, more importantly, a minimum of business impact. XYZ Co. are not 100% ‘secure’ from cyber threats, but they are very resilient.
It’s simple business risk mitigation. Like with most aspects of business, if you fail to plan, you plan to fail…
* An Intrusion Prevention System (IPS) sits inline on a network and inspects traffic for malicious activity, such as known attack patterns or policy violations. When it identifies suspicious traffic it logs the details, attempts to block the traffic, and then reports it.
** EDR (Endpoint Detection and Response) looks deep into each endpoint (laptop, server, etc.), recording and analysing the activity on it so that suspicious behaviour can be detected and responded to. Network Intrusion Detection/Prevention Systems (IDS/IPS) and Security Information and Event Management (SIEM) tools have been using similar techniques for years, in that they record, correlate and analyse.
About the author: Ross Marston
Business Intelligence Security Pty Ltd (BIS) aims to remove the fear from cyber security. Their goal is to give SMB leaders the vital tools they need to make informed and proactive decisions, and to build resilient and robust businesses.
Ross Marston is Founder and Chief Security Strategist of Business Intelligence Security. He has over 30 years of technical experience and works extensively with businesses in breach prevention and resolution, as well as incident response and management.