With the WannaCry malware still on everyone’s mind, it is hard to forget the importance of cyber risk and how it can become real for anybody, at any time. WannaCry has brought cyber risk to the forefront once again and the fact that 200,000 victims lost their data has highlighted the importance of a robust cyber resilience strategy.
Cyber resilience can be defined as a broad process that encompasses defense and prevention of cyber risk, but goes beyond those measures to emphasize response and resilience in moment of crisis. It recognizes that there is a real need to be prepared for ever-increasing cyber attacks and that security is more than technology as it is also related to people and policies.
However, even with the permanent threat of cyber risk and ever-increasing cyber attacks happening, some of the key features of cyber resiliency – prevention, detection, response – are estimated to have not improved over the past few years. As an example, 75% of a IBM and Ponemon Institute survey acknowledge to not have a cyber security incident response plan applied consistently across the organisation in 2016.
Here are the top five areas, we believe companies should focus on:
Identify Important Assets
As a first step, companies should focus internally and determine which assets are critical to business and must be protected. This analysis must cover many elements from company data to company processes as well as systems and technologies.
An efficient strategy could be to focus ‘backwards’, on outcomes, rather than on inputs. In this scenario companies think of what consequences they can live with in the event of an attack. These questions can lead them to define what is their “data crown jewels“ and where particular protection is needed.
Then comes the assessment: how are the companies’ most valuable business assets protected against cyber risk? Where are the weak links? How vulnerable are they to potential cyber attacks?
To fully realise how disastrous cyber attacks could be on these elements, companies must evaluate the downside of not having those protected. In many cases, attacks can result in data loss or systems being compromised by malware. As direct consequences, companies must take into account the operational, financial, reputational damages that could arise from attacks and determine their assets’ risk profile.
Invest in Appropriate Technologies
Cyber resilience includes cyber security. This means companies must implement security solutions to protect their key assets. When it comes to protection and its funding, companies must think of how their technology investment roadmap aims to reduce their company’s risk profile. It is estimated that funding for cyber security budgets has slightly increased globally, with IT security budgets rising from 25% in 2015 to 30% in 2016 (Ponemon Institute study).
The right technologies are essential to achieving cyber resiliency. Common technologies include malware detection services, encryption services, intrusion detection and prevention systems, identity management and authentication services or incident response platforms. Some companies are also now employing data-centric security to ensure their data remains protected even if there is a breach.
Prepare and Test your Contingency Plan
One of the core elements of cyber resilience is to prepare a contingency plan that defines the actions to take in the face of a successful cyber attack. Ensuring prioritization of tasks, agility, and adaptability of the people and the systems to response to this attack. This plan must encompass both internal and external actions such as the communication strategy to follow.
Recovery is critical to any resilience strategy. A contingency plan must also include a backup & disaster recovery processes that would need to be implemented as soon as possible if a breach occurs to restore any data and services that may have been impacted. This is essential to guarantee the company’s business continuity and the plan must be tested in advance to ensure its efficiency.
People – Workforce Education
No matter how well planned your strategy may be, it will most likely be ineffective if you don’t include people in it. A company’s workforce is an essential part of cyber resilience and in order to get a working plan, organisations must communicate with its members, and share elements of its cyber resilience strategy. This also means looking at technology and making sure it works for the employees. For instance, if an organisation asks its employees to create complex passwords of 10 characters-length, they are likely to meet resistance from them or simply have people writing them down on pieces of paper.
As investing and implementing the right security solution is at the core of a company’s cyber resilience’s strategy, APrivacy provides a data-centric technology that is easy to implement and used while effectively protecting financial services’ data against cyber risk. If you would like to learn more about our solutions, please contact us.
Digital Security Perfected – APrivacy Ltd. is an award-winning company which combines military-grade data security with a seamless user experience on any platform, any device, anywhere. APrivacy Ltd.’s enabling technology now allows the financial services industry to confidently communicate with clients using their favourite channels leading to increased revenues and reduced costs while meeting the strictest regulatory requirements.
