In 2023, 46% of all American businesses had a successful e-mail cyberattack executed against them. Yet most e-mail attacks require someone to open the e-mail, click on a link, or view an attachment. Thus, most attacks would fail without a human in the loop. Yet businesses need employees, and replacing a good employee is costly. We must accept that our employees are complex individuals who have emotions and make mistakes. So let us explore why we must accept that total security will remain an illusion, and why we should instead focus on building cyber resilience in our businesses.
The Human Factor
95% of all cybersecurity incidents involve human error. Whether the cause is laziness, boredom, or excitement, we have not evolved to cope with the mundane task of cybersecurity. After all, the risk that cybersecurity addresses feels abstract to us, whereas the rewards for being helpful or completing a job are immediate and real.
A few years ago, a customer of mine had a security incident in which the personal assistant to the CTO changed a password and e-mailed the new one to his personal e-mail address. The assistant believed that the request genuinely came from the CTO and that it was critical. Yet the request came from a criminal, who used the login to download engineering data.
The emotional reward for completing the task overrode caution and procedure. Even someone working closely with the IT department was not safe from an attack. Thus, we must concede that we cannot remove the human factor unless we eliminate all humans from an organization, from shareholders and employees to customers.
Why Choose Resilience
Consequently, we must accept that we will not prevent all cyberattacks; there is no way to create absolute security. Once we accept this, other questions become critical. How long do we need to recover from a cyberattack? What are the costs of recovery? How can we minimize the impact?
As the MGM cybersecurity incident has shown, every time a business decides whether or not to pay, management and the board must weigh encouraging criminals against losing business. On top of the monetary costs, they must add the worth of their reputation, employee sentiment, and the risk of a repeat attack.
Cyber resilience focuses on reducing business losses from successful cyberattacks, not only on the monetary side but also in terms of reputation and employee morale. It allows you to shrug off attacks and protects your employees from the shame and sense of failure often associated with a successful incident.
As such, it is an integral part of disaster planning and disaster resilience. Protecting IT against natural disasters involves many of the same strategies that safeguard it against cyberattacks.
Getting Started with Cyber Resilience
When evaluating cyberattack resilience, board members often find it hard to ask the right questions. Likewise, CTOs, CIOs, and CISOs find it hard to communicate the current state of their recovery and cyber resilience programs.
The easiest way to start is to select a disaster-and-response pair. You might even begin with a physical disaster. Here in the Pacific Northwest, earthquakes and wildfires are real risks.
Thus, “What happens to our data if the building burns down?” is an important question. It is also a question that neither board members nor the IT team can easily misunderstand.
Timeline questions, on the other hand, are great for gauging the level of planning in each department. “How long would replacing all our IT systems after a successful ransomware attack take?” The question conjures up a worst-case scenario, but not an outlandish one.
Lastly, when going over the disaster plan, look for points without alternatives, the single points of failure. One of the biggest problems is that communication chains often rely on corporate e-mail. Once you notice such a dependency, probe what would happen if that link fails, e.g., “What happens if our mail server burns down or gets compromised?”
While we often think of cybersecurity as a pure software problem, moving the resilience discussion towards physical issues can help stimulate our imagination. Imagining a fire, an earthquake, or an alien invasion is much easier for our brains than imagining a ransomware attack. Yet the implications of a burnt-down server and of a hard disk locked by ransomware are similar: the data is unavailable either way.
Build Cyber Resilience Today
With the number of ransomware attacks increasing and the cost per incident skyrocketing, we can no longer afford to ignore cyber resilience. Absolute security is a myth; we should not expect to be entirely secure. Instead, we should start treating cyberattacks more like natural disasters. To protect against fire, we install fire doors, conduct fire drills, and purchase insurance. For cyber resilience, we keep backups, maintain firewalls, and train staff in handling incidents. No one would rely on fire doors alone to prevent incidents; neither should we rely only on defensive measures to protect our IT.