Cyber attacks are increasingly a question of when, not if. Against the current threat landscape, an IBM report estimates an average loss of 4.4 million USD in company revenue due to a data breach in 2021. Resilience has therefore become one of the top priorities for governance boards across organisations globally in managing cyber risk. However, the many different approaches to cyber resilience leave the term open to misinterpretation.
Cybersecurity entails minimising cyber risk to a company through actions that improve security across people, processes and technology; cyber resilience, by contrast, indicates how robustly the company recovers from the cyber attacks that will inevitably occur.
Depending on context, the robustness of an organisation's cyber resilience may be measured by how well it recovers from the effects of a cyber attack, or by how well it anticipates cyber threats against risks it knows of and has accepted. It may also be measured by how well it minimises loss of shareholder value or impact on revenue.
Aiming for cyber resilience is a ubiquitous concern, and it is useful to derive actions from an understanding of cyber risk at different levels. From the threefold perspective of people, processes and technology, a few high-level questions can help an organisation reach an acceptable level of resilience. The first is whether the company has a body of staff that is reasonably cyber-aware, and whether it consistently invests in raising that bar as new threats emerge. A related question is whether customers are aware of the data they share when consuming the company's products and have confidence in the company's efforts to secure that data.
Secondly, it is important to consider whether the company's processes are geared towards preventing poor outcomes in the event of a cyber attack or a data breach: for example, whether incident response teams are able to troubleshoot and fix underlying issues quickly and comprehensively, whether governance boards are aware of outstanding risks that require prioritisation, and whether a strong audit trail enables frictionless diagnosis of technical or human-centric failures in cybersecurity.
Thirdly, it is important to consider whether the technology involved in creating, selling, distributing, purchasing or maintaining company assets is secure. This may involve steps taken internally, such as designing network architectures that are secure by default (for instance zero-trust networks, where access control is granted on a need-to-know basis), running proactive patching regimes, or reducing the attack surface of applications exposed to the internet. An external view of the resilience of the suppliers, vendors and third parties that the company transacts and interacts with is equally important, however, since supply chain attacks make up most modern cyber attacks, as the recent SolarWinds attack illustrates.
Ultimately, cyber resilience is not a destination but a consistent effort that evolves with the company and with the broader landscape around it. Incremental in nature, it cannot be achieved by security teams alone; it remains a holistic process that must include stakeholders, staff, customers and third parties.