Cyber resilience is the ability of an organization or entity to continue to deliver services or solutions even in the face of adverse cyber events, such as cyberattacks. Cyber resilience combines elements of information security, business continuity, and organizational resilience. The ability to recover rapidly from cyberattacks is a critical capability of cyber resilience today.
The importance of cyber resilience
Any cyber event that negatively impacts the confidentiality, integrity, or availability (often referred to as the CIA triad) of technology systems and information and services is considered an adverse cyber event. Such events may be unintentional, such as a misconfiguration or failed software update, or intentional – a “cyberattack,” such as a ransomware attack or distributed denial of service attack (DDoS).
Cyberattacks are inevitable because there will always be an asymmetry between the attacker and the defender: the attacker needs to find a single way in, whether that’s through a new vulnerability, a misconfiguration, inadequate understanding of the technical controls in your environment, or a host of other possibilities, while the defender needs to cover all the potential attack scenarios. Furthermore, the economics of cybercrime means that there will continue to be cybercriminals: frequently, low effort returns high rewards, and the likelihood of getting found and tried for cybercrime is fairly low. For all these reasons, cybercrime is an attractive business for criminals, which means that attacks are, and will continue to be, inevitable.
However, a cyberattack does not need to become a crisis or a catastrophe for an organization. Cyber resilience has a key role in preventing those attacks from becoming catastrophic.
The critical elements of cyber resilience
The goal of cyber resilience is to continue to deliver applications or services continuously, even during a crisis or following a critical breach. It includes the ability to rapidly return to business as usual after a critical event, which may include changing delivery methods as necessary. For example, ensuring that backup systems are in place and functional, the organization has an incident response plan and team available to begin investigation quickly if needed, and disaster recovery operations are all part of the activities an organization can undertake to increase cyber resilience.
Readiness activities are critical to building cyber resilience. Readiness activities help you both measure how ready your organization is for an attack and to improve your readiness. Regular review of incident response (IR) plans and procedures ensure that teams have thought through what a severe incident looks like and tested key organizational incident response capabilities to ensure that a breach does not turn into a crisis. Conducting readiness and resilience assessments can help you establish where your organization is in terms of readiness and what steps you need to take to improve your cyber resilience. Taking the time to work through red team, blue team, and tabletop exercises, as well as conducting proactive threat hunts, are all essential aspects of a robust cyber resilience plan.
Don’t make these mistakes
The biggest mistake that your organization can make is to focus solely on prevention efforts. There are many prevention solutions in cybersecurity, and they play a vital role in blocking some threats, but these efforts do not increase cyber resilience. Simply hoping that prevention will keep your organization safe from attack is not a strategy for achieving cyber resilience.
It is also important to look at resilience as a continuous effort, and not a “one shot” activity. Make sure that your security team keeps reviewing their readiness level and exercising it, otherwise your plans may not meet your requirements as they change — and they inevitably will as your business changes.
Building cyber resilience in your organization
While resilience includes an ongoing effort with several activities, I usually recommend that you begin building your cyber resilience by conducting exercises. Red team, blue team, and tabletop exercises immediately uncover gaps in your security so you can begin increasing your readiness. These exercises also change the mindset in your organization by sending a clear message that cyberattacks will happen, and they should be expected.
Continuing these exercises and conducting proactive threat hunts will help you to continue to build your cyber resilience.
Incident Response and resilience
Incident response is a critical aspect of cyber resilience. The sooner you have actionable intelligence from an investigation during a cyberattack, the easier it will be to respond and recover quickly.
Key steps that will help you accelerate response include:
- Having data recovery and incident response plans in place
- Having forensic data stored and retained, ready to use when needed
- Building partnerships with the appropriate agencies, such as the Cybersecurity & Infrastructure Security Agency (CISA) or the Federal Bureau of Investigation (FBI)
- Searching proactively for new indicators of compromise (IOCs) and running them against your environment to see if you are under attack
- Staying on top of threat intelligence in your region
- Having an expert vendor to partner with in case of emergency