As business enters the digital age, cyber resilience must become a regular agenda item for boards and excos. Given the extent of the cyber risks companies face, and their extreme reliance on ICT, cyber security is only a partial answer. Nobody can identify and prepare for all the risks that threaten ICT systems, so it is essential that security and risk mitigation measures are part of a wider programme to ensure that the organisation can detect a cyber attack, respond appropriately and recover operational functionality.
There are signs however that the C-suite may not yet have come to grips with the nature of the challenge posed by the digitalisation of business, and thus the extreme need to look beyond cyber security.
Research from a leading consulting firm has shown that CEOs, CIOs and Chief Information Security Officers (CISO) alike remain confident about their cyber security measures - while security breaches are quite high. This misplaced confidence is surely one of the primary contributory causes for the belief that, at present, the bad guys appear to have the upper hand.
Despite financial service respondents admitting the number of detected incidents remaining relatively unchanged from 2013, last year saw that a 154% increase was evident in the number of detected security incidents against retail and consumer products companies, with the number of e-mail compromises and ransomware threats a growing risk, and phishing at the top of the log of these concerns. So much so, that research has shown security investments increased 11% in the last year, and 41% of these companies aim to address these concerns by increasing their budgets respectively. CISO’s roles are increasingly growing to become pertinent to Boards directly, as a matter of urgency to address the reality of cyber related incidents.
Regulatory authorities are far from unanimous about how data ought to be protected, as the current roll-back of existing US data privacy regulations by the Trump administration shows. These kinds of regulatory gaps offer unscrupulous operators plenty of opportunity.
The growing use of accelerometers on mobile devices to report on physical activity as part of health/ wellness programmes shows just how new threats are manifesting all the time. These and similar apps are insecure, and can allow hackers to 'eavesdrop' on keystrokes, and so access passwords and other sensitive information. The same vulnerability is multiplied across industrial systems as the Internet of things takes hold, and insecure sensors and similar devices proliferate. A hacker could thus use a sensor tracking the flow of chemicals or fuel to shut a plant down, dramatically affecting whole value chains or, in the case of a power utility, the national economy.
We must accept that event and technology based security is no longer adequate to protect the organisation’s very ability to function. Organisations must begin taking proactive action to subsume cyber security into the broader, strategic initiative of cyber resilience.
Cyber threats cannot be considered and provided for in isolation; they must be integrated into business and organisational strategic thinking, and specifically into the business continuity management lifecycle. In so doing, the organisation will move away from a compliance mindset, becoming better able to identify cyber risks and recover from cyber incidents. In other words, becoming a cyber resilient organisation. To achieve this, cyber resilience needs to be integrated into the very corporate culture. It must form part of existing policies, rather than a silo of new ones; very critically, a cyber recovery plan must be part of the overall recovery plan.
The end goal should be that the organisation have processes and procedures in place to identify the risks it faces, mitigate them and recover from the materialisation of any risk. Focusing on specific responses to specific threats becomes counterproductive when the risk is multiplying so rapidly.
Business Continuity Awareness Week (BCAW2017) [15-19 May] this year explores the issue of cyber resilience. Find out more about the series of webinars designed to explore this critical subject.
Karen Humphris CBCI is the Senior Manager Advisory Services at ContinuitySA, and Alex Ferguson is an Intern at ContinuitySA.