July 20, 2022
Resilience is everywhere these days, in analyst reports, marketing materials, and board tables. While resilience is easy to talk about as one of the latest industry buzzwords, implementing true cyber resilience is a complex but worthwhile endeavor that could save your organization millions should a cyberattack occur.
It’s estimated that cybercriminals can penetrate 93 percent of company networks. There’s a ransomware attack every 11 seconds. Former Federal Bureau of Investigation (FBI) director Robert S. Mueller III, who during his tenure created the FBI Cyber Division, was known for saying, “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
Beyond traditional business continuity and business recovery plans, cyber resilience is a shift in mind-set, culture, and approach where you assume that operations will be interrupted at some point. This shift in mind-set from reacting to threats as they occur to assuming that a breach is only a matter of time helps you look at cyber-risk management in a new, vested light.
When I speak with boards about cyber resilience, I talk about implementing resilient measures and practices across people, processes, and technology. By and large, I find that many organizations tend to focus on the technology investments they’ve made to shore up defenses, and far less on people and processes, leaving ample vulnerabilities that could prove hazardous down the line. If you find this to be the case within companies you oversee, below are a few tips boards should consider discussing with management to ramp up the “people” and “process” parts of the cyber-resilience equation.
Innocent mistakes and simple negligence make up 60 percent of insider incidents, costing the average organization $4.6 million each year, according to the 2020 Cost of Insider Threats Global Report.
Cybersecurity is more about people behind keyboards than it is about technology. Threat actors, especially nation-state actors, prey upon innocent and well-intentioned employees. During my time at the FBI, I worked cases where threat actors used an employee’s social media accounts to groom them from an unwitting accomplice into a knowing co-conspirator. People are the first line of defense, but still the weakest link.
To boost people resilience, boards should ensure management takes the following actions:
As mentioned above, identifying mission-critical assets and mapping the process to protect them enables rapid recovery to a secure state when an attack inevitably happens. If you’re early in your cybersecurity journey, consider working with a partner who can deliver an incident readiness assessment that:
Boards should discuss the following areas of focus with management:
Cyber resilience is really about people, including culture and relationships, and process. Because people are still the weakest link in the cyberattack chain, creating an environment with your employees where they feel informed, included, and empowered to learn and reduce cyber risk is crucial. Using a process to understand your mission-critical assets is imperative, and developing the right relationships with sales, marketing, legal, communications, executives, and other stakeholders will make the road to recovery faster and less painful.
Building resilience into the enterprise is no small task—but once it is implemented, it significantly reduces organizational risk and helps ensure that your business can keep doing what it does best.
James Turgal is the vice president of cyber risk, strategy, and board relations at Optiv.
NACD: Tools and resources to help guide you in unpredictable times.