Building cyber resilience for businesses: key concepts, benefits, and best practices
Earlier this year, news of a major regulatory proposal by the European Commission stirred up quite a storm in the cybersecurity space. Last week, provisional agreement on the so-called Cyber Resilience Act was reached between EU lawmakers, giving way to the passage of the first legislation in the world to regulate digital product safety.
The Cyber Resilience Act will lay down requirements for all hardware and software, from baby monitors and smart watches to firewalls and routers, to ensure robust cybersecurity from their conception throughout their entire lifecycle. This “cybersecurity by design,” EU Commissioner Thierry Breton pointed out, is key to protecting both consumers and society at large.
But what is cyber resilience, and why is it so important in this day and age? Aren’t cyber security and cyber resilience essentially the same thing? And how can businesses, in and outside the EU’s digital consumer goods market, boost their cyber resilience and stay protected against ever-evolving threats? Read on to find out.
What is cyber resilience? Meaning and key objectives
According to the National Institute of Standards and Technology’s definition, cyber resilience is “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” Also referred to as cyber resiliency, it’s intended to enable organizations to continue working towards their mission and achieve their objectives even in the face of adverse cyber events.
Why is cyber resilience key in today’s digital landscape?
Cyber risk resilience lays the foundation for businesses to effectively mitigate and quickly recover from cyber threats and breaches. Cyberattacks can leave businesses with not only significant financial losses, but also damage to reputation and loss of customer trust. By implementing a robust cyber resilience strategy, organizations can ensure the continuity of their operations, even when faced with a severe cyber incident.
A strong cyber resilience posture can also boost companies’ regulatory compliance. Many industries have mandatory cybersecurity requirements, such as HIPAA for healthcare and PCI DSS for the financial services sector, and falling short can result in hefty fines or sanctions. With sensitive data being a high-value currency in the knowledge economy, a breach can have devastating consequences for individuals and businesses alike.
The most concerning cyber risks businesses face, explained
As per the Identity Theft Resource Center, a total of 2,116 data compromises were reported in the first three quarters of 2023, breaking the all-time high of 1,862 compromises in 2021. At the same time, the global average cost of a data breach reached $4.45 million – that’s according to IBM’s annual Cost of a Data Breach Report. Let’s see the most common types of attacks that add to companies’ growing cyber stress.
1. Phishing attacks
Phishing attacks involve cybercriminals impersonating a legitimate entity to trick users into revealing sensitive data such as passwords, credit card numbers, or personal identification numbers. Phishing is often executed through deceptive emails, text messages, or fake websites, and it poses a significant threat to organizations of all sizes.
2. Ransomware attacks
In a ransomware attack, hackers infiltrate a network, encrypt company data, and then demand a ransom to restore access. Attacks of this kind can cripple business operations and result in major financial losses, especially if the organization isn’t prepared to restore from a backup. Ransom payouts totaled $449.1 million in the first 6 months of 2023 alone, per Wired.
3. Insider threats
Insider threats refer to cyber threats originating from within the organization, either from disgruntled employees, former staff, or careless team members. These threats can involve data breaches, data theft, or the introduction of malware into the company’s systems, and they often fly under the radar until substantial damage has been done.
4. Advanced persistent threats
Advanced persistent threats, or APTs for short, are long-term, targeted attacks, where cybercriminals, usually of the well-resourced and sophisticated variety, gain access to an organization’s network and remain undetected for an extended period. The goal is typically to steal, spy, disrupt, or destruct and is often achieved using multiple attack vectors.
5. Distributed denial-of-service attacks
Denial-of-service (DoS) attacks render an organization’s online services unreachable or inaccessible by overwhelming them with a flood of internet traffic. A DoS attack becomes a distributed denial-of-service (DDoS) attack, CISA explains, “when the overloading traffic originates from more than one attacking machine operating in concert.”
6. Zero-day exploits
Zero-day exploits take advantage of software vulnerabilities that are unknown to the software’s developer. These vulnerabilities are exploited before the developer has had a chance to create and distribute a fix, making them particularly dangerous and difficult to defend against. LinkedIn was famously hit by such an attack in 2019, affecting 90% of its user base.
8. Supply chain attacks
In a supply chain attack, a cybercriminal targets a less secure element in an organization’s supply chain to gain access to its network. These attacks are notoriously hard to fend off due to the broad and interconnected nature of most supply chains. In fact, research shows that up to 40% of cyber threats are now occurring directly through the supply chain.
Cybersecurity vs. cyber resilience: key differences and why they matter
Cybersecurity and cyber resilience, while interconnected, represent two distinct aspects of organizations’ overall cyber risk management strategy.
Cybersecurity refers to the practice of protecting systems, networks, and data from attacks in the digital space. It is typically preventive in nature, focusing on setting up defenses to keep intruders out. Traditional cybersecurity measures often include firewalls, antivirus software, and password protection methods. The primary goal of cybersecurity is to minimize the risk of a cyberattack and prevent unauthorized access to sensitive data.
Cyber attack resiliency, however, describes an organization’s ability to continue operating despite a cyberattack or any other security incident.
Rather than honing in on prevention, cyber resilience incorporates elements of response and recovery. It acknowledges that not all threats can be completely eliminated and emphasizes the importance of having systems in place to limit the damage, recover operations, and ensure business continuity when an incident does occur. Cyber resilience may include disaster recovery planning, business continuity plans, and incident response teams.
Building an effective cyber resilience strategy: main components and considerations
Effective cyber resilience starts with accepting the reality of today’s cyber environment, which is that security breaches are not just possible, but highly probable. A strong cyber resilience strategy can aid an organization in efficiently bouncing back and recovering from such incidents, drawing on multiple tools and approaches.
The first is risk assessment. This involves identifying potential vulnerabilities within an organization’s systems and processes that could be targeted by cyber threats. Rather than a one-and-done affair, risk assessment should be an ongoing evaluation of threats as new vulnerabilities emerge and attack methods evolve.
Second is incident response planning. This involves developing a detailed plan that outlines the steps to be taken in the event of a cyberattack. It should include the initial response to detect and limit the impact of the incident, communication processes to inform stakeholders, and procedures to investigate the breach and identify its cause.
Third, business continuity and disaster recovery planning are essential. The former will ensure that critical operations can continue in the face of adverse cyber events. In comparison, disaster recovery plans focus on restoring systems and data after an incident using data backups, redundant systems, and data restoration procedures.
Lastly, effective cyber resilience involves regular testing and reviews to ensure that plans remain effective as the organization and its threat environment change. This could involve simulated attacks to test responses, regular audits of systems, controls, and processes, and updates to cyber resilience plans based on the results of such assessments.
How to strengthen cyber resilience? Best practices and solutions
1. Routine security audits
Regularly scheduled audits are crucial to uncovering potential vulnerabilities before malicious actors can exploit them. They provide an overview of the existing security architecture, helping to find any weak points and make necessary improvements.
2. Regular system updates
Organizations must commit to regular updates of all software, hardware, and operating systems to stay protected against the latest known threats. Delaying updates can lay systems bare to potential cyber attacks and breaches.
3. Data backup
Regular data backups are paramount to building a cyber resilient business. They should be automated and stored off-site or on a secure cloud platform. In the event of a breach, backups can minimize data loss and help restore mission-critical functions more quickly.
4. Secure password practices
Implement secure password policies, including the use of complex passwords, frequent changes, and multi-factor authentication, one of the most effective methods of protection against password compromise and unauthorized access to enterprise systems.
5. Threat intelligences
Use threat intelligence services to stay in the know about the latest attack vectors. Such services provide real-time updates about potential threats, indicators of compromise, threat actor attribution and campaigns, allowing businesses to preemptively protect their systems.
6. Employee training
Employees can be a weak link in cybersecurity, so ensuring they are aware of potential risks and understand the role they play in maintaining cyber resilience is key. Training should be regularly updated to keep pace with evolving threats, such as social engineering attacks.
7. End-to-end encryption
Protect sensitive data with encryption, both at rest and in transit. Even better, end-to-end encryption, which encodes messages before they’re sent and decodes them only after arriving at a recipient’s device. This means that no one in the middle can read or modify them.