Cyber resilience is about the time you or your business need to recover from a cyberattack. The Stuxnet attack has shown the world that no facility is secure enough to be safe from a cyberattack. With AI-assisted attacks increasingly targeting employees through emotional appeals, we need to focus on building resilience and decreasing the time to recover. Yet there are some hard questions we need to ask when getting started. Here is how board members and C-levels can start talking about cyber resilience.
What would someone want?
In the first step, you need to identify what someone would want. What would criminals want to steal from you? What would they want you not to have access to? What could they want to expose? What could they want to control?
Questions about denying you access often get overlooked. We have a good idea about viruses and theft in the real world. Yet ransomware has few real-world, petty-crime equivalents. Thus, look at your data, from invoices and contacts to intellectual property and trade secrets, and ask yourself the questions above.
Ultimately, you should develop a list of files and procedures you will need to protect from attacks.
Who would want to attack us?
The question about who would want to attack you is about actor groups, not names. For example, state actors might be a significant source of attacks if you work in the defense industry: your intellectual property is precious to our political adversaries. A law office, in contrast, is more likely to be targeted by a ransomware attack trying to extort money.
The type of enemy determines their budget and the types of attacks available to them. The criminals targeting the law office will be most concerned about their bottom line and will try to maximize their profit margin. Thus, you might see spam and e-mail scams taking the forefront.
For a state-sponsored attack like Stuxnet, the budget is almost limitless. These attacks can also utilize intelligence tools, like agents, bribery, or blackmail, that are unavailable to criminals.
How could they get it?
Once you have established who might attack you and what they would want, it is time for IT to determine the most likely path into your environment. From humans clicking on e-mail attachments to actual hacks, there are many ways into a network. Keeping an open mind and examining every person and system interacting with a particular target is critical. Otherwise, it becomes too easy to forget how many people, dashboards, and processes around the organization use the data.
Hire an external consultant to attack your systems to make the exercise more engaging for your IT team. These simulated cyberattacks put your team on edge and let them experience an attack they usually wouldn’t see.
How could we recover?
After a successful attack, the biggest question will be how long it will take to return to business as usual. The first aspect is how long it will take to ensure that the attacker doesn’t remain in the system. The first steps might include:
- Changing all the passwords and access tokens.
- Tightening firewall rules.
- Separating the internal IT from the internet.
Afterward, the technical focus would be on restoring all IT systems. That might include reinstalling servers and computers, issuing new devices, or retrieving data from backup.
Each of these tasks needs a minimum amount of time, and the total is the time required to restore your systems to working order.
However, when summing up the time, you should ask whether or not any unforeseen issues might arise. For example, if you need to reinstall hardware, how do you handle employees currently on a business trip overseas? What do you do if there are supply chain issues? How do you handle downtime that might lead to extreme losses, e.g., computer-controlled freezers?
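As an added example (not part of the original post), here is a small Python estimate of the recovery timeline for the steps above, using constructed task durations and dependencies: it computes the longest dependency chain rather than a plain sum, since independent tasks run in parallel, and lets you add hours for the unforeseen issues.

```python
"""Recovery-time estimate over a task dependency graph (constructed example)."""
from collections import deque

# Constructed plan: task -> (minimum hours, prerequisite tasks)
RECOVERY_PLAN = {
    "isolate_from_internet": (2, []),
    "rotate_credentials": (8, ["isolate_from_internet"]),
    "tighten_firewall": (4, ["isolate_from_internet"]),
    "reinstall_servers": (24, ["rotate_credentials", "tighten_firewall"]),
    "restore_backups": (16, ["reinstall_servers"]),
    "reissue_laptops": (36, ["rotate_credentials"]),
}

def naive_sum_hours(plan):
    """The plain sum of task durations: what you get by adding up the list."""
    return sum(hours for hours, _ in plan.values())

def critical_path_hours(plan, contingencies=None):
    """Return (total_hours, chain) for the longest dependency chain.

    contingencies: optional {task: extra_hours} for delays the plan did not
    foresee, e.g. replacement hardware stuck in the supply chain.
    """
    contingencies = contingencies or {}
    indeg = {t: len(deps) for t, (_, deps) in plan.items()}
    children = {t: [] for t in plan}
    for t, (_, deps) in plan.items():
        for d in deps:
            if d not in plan:
                raise ValueError(f"{t} depends on unknown task {d}")
            children[d].append(t)
    # Kahn's algorithm: process tasks only once all prerequisites are done.
    queue = deque(t for t, n in indeg.items() if n == 0)
    finish, via, done = {}, {}, 0
    while queue:
        t = queue.popleft()
        done += 1
        hours, deps = plan[t]
        start = max((finish[d] for d in deps), default=0)
        finish[t] = start + hours + contingencies.get(t, 0)
        via[t] = max(deps, key=finish.get, default=None)  # slowest prerequisite
        for c in children[t]:
            indeg[c] -= 1
            if indeg[c] == 0:
                queue.append(c)
    if done != len(plan):
        raise ValueError("dependency cycle in plan")
    last = max(finish, key=finish.get)
    chain = []
    while last is not None:          # walk back along the slowest prerequisites
        chain.append(last)
        last = via[last]
    return finish[chain[0]], chain[::-1]
```

With the constructed plan, the plain sum is 90 hours while the critical path is 50, and a 20-hour supply-chain delay on reissuing laptops moves the bottleneck to that task.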
What can we do to improve recovery?
Once IT and boards have looked at the underlying baseline, the question of future strategies arises. Are there ways to improve the recovery outcome? That is the first question that will pop into everyone’s mind. Yet, in many cases, it is also the least productive one. No IT manager will have artificially inflated the recovery time, as we all want to avoid standing in the spotlight for the wrong reasons.
Thus, focusing on the wider world might be more helpful. Can we provide a scaled-back service when IT is down? This question has the most significant impact on any business. If there are manual overrides or tasks you could do while IT recovers, you might lessen the impact on the bottom line. You also protect your employees from feeling useless and create a more resilient company culture during the crisis.
Start asking now!
How often do we see cybersecurity as a gate that keeps attacks out? Yet, with the ever-increasing number of attacks targeting employees and their rising success rate, we must start looking at cyber resilience. Boards must begin asking CISOs, CIOs, and CTOs the right questions. If we do not, we will end up in a situation we are utterly unprepared for.