The Expert View: Integrating cyber resilience
Resilience is vital for modern businesses, particularly in a world where changing technology produces a host of new risks. Solutions must be carefully integrated and tested in training exercises, delegates heard at a recent Business Reporter breakfast briefing.
“Cyber-risk is the driving factor in resilience today,” said Chris Butler, Resilience Director at Databarracks, opening a Business Reporter Breakfast Briefing at the Goring Hotel in London. He told attendees – all senior resilience experts from a range of sectors – that an integrated approach is the only way to deal with this problem. Every aspect of the business has to be resilient, and the different capabilities tied together.
This is a challenge, said those at the briefing, because changing technology also changes the threats. One participant said artificial intelligence (AI) could now be used to optimise attacks, for example by writing better phishing emails, or even to carry them out. There is also a risk of attacks against AI itself, for example attackers poisoning the target’s AI training data.
However, others were relaxed about the threat from AI, suggesting that it is simply a new way of carrying out the same attacks as before. If organisations are prepared for those attacks, then they will have gone some way towards protecting themselves against emerging threats. The priority is to get the fundamentals right.
Supply chain resilience
Even so, one area which raised concern for all was supply chain risk. An executive from a large financial services company said that major firms were facing fewer direct attacks today, with attackers instead targeting their suppliers and gaining access that way. An integrated resilience plan, therefore, must consider supplier vulnerabilities – but this can be difficult.
Attendees said they typically categorise suppliers based on the level of risk they represent. A third party handling a business-critical process would therefore be placed in a higher risk category than one that handles something trivial. But this often involves unwieldy questionnaires that everyone finds frustrating.
Those at the briefing had experience of both sending and receiving questionnaires and all expressed hope for a better system, for example using a company’s existing certifications in lieu of certain questions.
There is a power balance at play here too, with smaller companies likely to have no choice but to comply with questionnaires or risk losing business. Major firms, in contrast, are often secure enough in their position that they can refuse to provide any information at all.
Protecting the Crown Jewels
Within the business, participants agreed that an important first step in building integrated resilience is a business impact analysis (BIA) to determine what really matters. If a company suffers an attack or outage and not everything can be brought back at once, what should be brought back first? What is the most important service, what technology enables it and what data does it depend on?
Those questions help identify the ‘Crown Jewels’ and the priority is to then put them in an environment you know you will have access to, whatever happens. A properly air-gapped backup is one tool here, said Chris. Databarracks recommends a backup that is not just offsite, but also running on different systems and managed by different people.
Several of those at the briefing said that any backup strategy needs to have multiple elements. The amount of data most companies rely on is far more than they can realistically back up – at least not regularly. That’s why identifying the ‘Crown Jewels’ and ensuring those are protected is so important. After that, it’s a matter of having parallel systems, regular data snapshots, and other measures to fill in the gaps.
Incident training
Running through the conversation was an awareness that a truly integrated resilience plan needs to be driven by senior leadership. In some organisations, this can be difficult to achieve, though attendees noted that an incident provides a short window of opportunity for getting the board’s attention. The ideal is to reach a situation where the board is calling for greater resilience, but many organisations are stuck in the opposite position of trying to remind the board how important it is.
Nevertheless, regular training is essential, including tabletop exercises. These should include the board, senior staff, and their seconds-in-command. Other sessions, ideally, would be scheduled for other teams within the business, such as HR or marketing. The goal is to have a plan that people are familiar with.
When an incident occurs, leaders must be prepared to make tough decisions, often ones where all the options are unappealing. They also must ensure resources are available for recovery efforts and be prepared to remove barriers for the resilience team. Recovering from an incident can be a difficult and draining task, no matter how well prepared a company is. One thing that was clear from the briefing is that better preparation will make recovery significantly more likely.