Newly Released Research Highlights Cyber Resilience as both a Critical and Perpetual Cybersecurity Practice
More than 2.5 quintillion bytes of data are created each day—and more than 90 percent of the world’s data has been generated in the last two years alone. Datacenters—the places where all that data is stored—can consume as much power as a city of a million people, and in total, datacenters can emit roughly as much CO2 as the airline industry. That accomplishment is both a testament to the incredible leaps forward mankind has taken with respect to technology, but also a solemn reminder of just how vast and how densely saturated our attack surface has become in recent years.
André Gide, a French author and winner of the Nobel Prize in Literature, once said that “You cannot discover new oceans unless you have the courage to lose sight of the shore.” Loosely translated with cyber in mind, one might say, “You cannot separate technological innovation from cybersecurity risk—after all, positive risk is another way to describe the uncertainty of opportunity.” Large volumes of data, incredible innovations, and risk all have one thing in common: cyber resilience—the ability to recover quickly from a cyberattack, breach, or another security incident.
Scalar, a Canadian IT solutions provider, recently released the results of its annual security study, which focused on the cyber resilience of Canadian organizations. While the study and its findings are focused on companies within Canada specifically, many of the findings also apply to enterprises around the globe.
Scalar’s key findings
Scalar’s research revealed a myriad of findings. At a high-level, Scalar uncovered five key conclusions:
- The cost of compromise is at an all time high;
- Detection and response time is too slow, resulting in high costs;
- Evolving threats create new opportunities for malicious actors;
- Cloud security strategy is not keeping up with the rate of adoption; and,
- Strategy focus is shifting from protection to detection and response.
Ultimately, what Scalar found was that Canadian organizations that understood and invested in cyber resilience best practices and took a holistic approach that extended beyond basic protection had far fewer security incidents and significantly lower associated costs.
What is cyber resilience and how can my organization become more resilient?
The National Institute of Standards and Technology (NIST) defines cyber resilience as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”
Scalar included five key cyber resilience calls-to-action in its report:
- Conduct Regular Threat Risk Assessments (TRAs);
- Create a cyber resilience plan and keep it up to date;
- Practice cyber resilience fundamentals;
- Cloud security should be included in adoption roadmap planning; and,
- Shifting sole focus from protection to including monitoring and response.
The bottom line is that every organization can no longer assume that it is immune to compromise. It’s not a matter of if your organization will be compromised, but when. Assuming that your organization is a target for malicious actors—or even that your organization has already been compromised—is the mentality that can best arm organizational leadership and decision makers to handle attacks when they happen.
NIST has developed timely and industry-leading frameworks and guidance for cybersecurity best practices. With respect to cyber resilience specifically, NIST has released NIST SP 800-160, Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems, which also leverages the best practice cyber resiliency controls from NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.
Additional Guidance Recommendations
Regardless of industry or geographic location, organizations would be wise to educate themselves and their users on cybersecurity best practices and document specific procedures to help the organization become resilient. Here are a few tools and resources that organizations should consider:
- Within Canada, organizations can leverage the Canadian National Cybersecurity Strategy, which details Canada’s vision for security and prosperity in the digital age, and highlights cybersecurity and resilience best practices with strategic context and an understanding of the evolution of the cyber threat. Learn more about what the Government of Canada is doing to make its systems more secure and resilient.
- Within the U.S. Public Sector, DHS’s newly formed Cybersecurity and Infrastructure Security Agency (CISA) offers a voluntary, no-cost, non-technical assessment to evaluate an organization’s operational resilience and cybersecurity practices. Learn more about the Cyber Resilience Review (CRR).
- In the United Kingdom, Axelos, a best practice institution most famously known for the Information Technology Infrastructure Library (ITIL), offers the Resilia portfolio, a suite of tools and training designed to help enterprises achieve the global best practice in cybersecurity.
- In Europe, the European Commission launched a public-private partnership on cybersecurity in 2016 to boost industrial capabilities with a focus on Strengthening Europe’s Cyber Resilience System and Fostering a Competitive and Innovative Cybersecurity Industry.
- Also within Europe, the European Central Bank has taken a strong interest in cyber resilience, requiring banks to report major cyber incidents, monitoring banks’ IT risks and participating in meetings and working groups to ensure a coordinated approach to cyber risk. Learn more about ECB cyber resilience initiatives.
- Network and Information Systems (NIS) Regulations, which apply to both operators of essential services and digital service providers, became law in May 2018 and paved the way for cyber resilience within Europe.
- In Asia-Pacific, Japan and 10 member countries of the Association of Southeast Asian Nations have established a platform to share information about and respond to cyberattacks, ultimately in an effort to boost cyber resilience.
- The Australian Securities & Investments Commission (ASIC) offers good practices to enable organizations to operate highly adaptive and responsive cyber resilience processes, all categorized by ownership and responsive and agile governance tools.
Cyber resilience isn’t necessarily a new concept, but it is a new practice for many organizations across multiple industries in 2019. It is the next evolution of best practices in a constantly evolving cyber terrain. There are just as many solution-specific approaches to resilience as there are guidelines, but it’s important to remember that your approach to resilience should be rooted in a comprehensive understanding of your network—knowing what’s on your network and being empowered to take action against adversaries. Organizations that leverage Center for Internet Security (CIS) controls can reduce the potential impact of known high-risk attacks while also statistically lowering the likelihood of a breach in the future. As an example, many would agree that the massive Equifax breach could have been prevented by CIS controls and best practices. Organizations seeking a more secure state should pursue a holistic focus on implementing overlapping controls, such as segmentation and asset inventory, to help build technical resilience.
Earlier, we highlighted how much data has been generated in just the last two years and consequently, how data-rich most enterprise networks have become, but it’s important to understand that data only becomes information and ultimately intelligence when it’s used to make a decision or take action. A static organization that can’t intake data for action is, by definition, inelastic and not resilient. However, dynamic and cyber resilient organizations will employ a holistic perspective, a zero trust model, overlapping controls and the 80:20 Pareto rule in order to focus on delivering value aligned with the business, governance, and objectives. Such an approach also enables organizations to manage both the upsides and downsides of risk ROI.
Cyber resilience should be another focus area within an overarching enterprise cybersecurity plan and strategy. Part of that plan—and a key component to resilience—is understanding and securing your network by seeing the data-rich devices that are on your network—seeing them in real-time when they connect and having the ability to act on that visibility. Learn more about how you can gain total device visibility and control.