You might have noticed a trend around terminology when we talk about cyber. We’ve started to talk less about cybersecurity and more about cyber resilience – in legislation (think the EU’s Cyber Resilience Act), with cyber insurance and its requirements, and even in conversations with consulting firms.
There’s a fairly obvious reason for this: you only have to look at the number of high-profile, high-revenue businesses that commit significant budgets and resources to cyber and information security roles, and still suffer incidents, to know prevention is pretty damn hard. Anyone who works in this field wouldn’t be surprised to hear that it’s impossible to guarantee any organization is 100% safe from cyber-attacks.
Prevention and preparation
Prevention is still better than cure, of course, so it’s important we still evolve and continue to mature defenses, but critically we need to be as well prepared as possible for when the arguably inevitable happens.
Many organizations are putting more emphasis and effort into their cyber incident response planning. The better you can anticipate and prepare for incidents of different types, and ideally practice the response, the lower the impact. Any response typically involves a number of phases, as we all know, but in many cases, for various reasons including how quickly we are able to detect an attack, by the time our incident response process is invoked the attack has already taken hold and we’re well on the way to a recovery position rather than containment.
This is where integration between our different plans and processes comes into play. At this point, we’re looking at our business continuity considerations and more traditional technology aspects such as availability and disaster recovery.
From a security perspective, we’ve evolved from looking purely at prevention to responding but haven’t in many cases gone the extra step of reviewing our (often long-established) availability designs, business continuity plans and disaster recovery capabilities in conjunction with our cyber incident response plans.
A new threat landscape
Many of those provisions, which have served us well for some time, didn’t fully consider the current cyber landscape when they were put together and implemented. We tended to think more about technical failures due to hardware faults or misconfiguration that could be mitigated through technical design, and physical events such as the loss of a data center or office location through fire, flood or even environmental or political events.
What we didn’t consider in those original discussions and designs was deliberate malicious attacks of the kind that make modern cyber events so damaging. We designed our operating systems to sit on virtualized highly available infrastructure but didn’t anticipate malicious attacks on that infrastructure itself. We didn’t consider events that would render our entire desktop estate unusable in a very short time frame.
We also generally have a huge reliance on third-party infrastructure partners, often depending on their availability capabilities, sometimes without doing the appropriate due diligence over whether they meet our business needs. Many business continuity plans are established on assumptions rather than a comprehensive business impact analysis. For example, we often consider only simple metrics such as how long backups take, without measuring how long a restore actually takes, which is what matters for meeting the business’s recovery needs.
The art and science of managing cyber incidents
Following a cyber-attack, the business impact felt by so many organizations isn’t so much driven by their ability to detect or manage the cyber incident itself, but more about traditional recovery capabilities.
If you’re in cyber, or in a continuity role, it would be a great idea to work closely with your counterparts in the teams responsible for availability and recovery. Take a look at your designs for availability, your business continuity plans, and your disaster recovery capabilities and processes, and see how they would stand up to various types of cyber incidents. Ideally, validate this with joined-up exercising.
Assess how your incident response plans integrate with your business continuity and disaster recovery processes, and where the hand-off points are. Do you know who’s responsible, what to communicate, when to communicate it, and whom to communicate it to? Where do third parties fit in?
It’s common to look at all of these aspects in isolation, but given the nature of attacks and the way they often permeate across an organization, a more joined-up approach is critical. Collaboration and communication are the keys to success.