All organisations will be attacked and some attacks will succeed. The litany of unpleasant consequences arising from a major incident is sobering, if less pithy. Among other things, it may include the loss of sensitive data, disruption of business systems, or both; confusion about who is to blame and who is responsible for fixing the problem; an embarrassing realisation that the risk had been recognised previously but insufficient action taken to stop it materialising; reactive incident response and media handling, fuelling a sense of crisis; dented stakeholder confidence and share price; regulatory punishment; legal action by those affected; and so on.
When bad things happen, the victim’s natural priority is to fix the problem and return to normality as quickly and painlessly as possible. That may involve deploying in-house technical resources or, more likely, reaching for the comforting support of an expert cyber incident response team. The right kind of first aid can staunch the bleeding. But what happens after that? Too many victim organisations fail to apply the lessons of their bad experiences. They bandage their wounds and carry on as before – until the next time. Their response is all tactics and no strategy. So, what should they do? The answer lies in resilience.
Resilience
The term resilience means different things to different people, so it needs defining.
A useful distinction can be drawn between ‘weak’ resilience and ‘strong’ resilience. Weak resilience is about recovering back to the state that existed before the incident and carrying on as before. Strong resilience is about learning from your bad experiences, applying those lessons, adapting and growing tougher as a result.
A biological analogy is physical exercise. Lifting heavy weights will stress your muscle fibres. But muscles do not recover to their prior state after repeated bouts of strenuous exercise: rather, they adapt to the challenges and grow progressively stronger. With the pain comes gain.
How does an organisation go about building cyber resilience in the strong sense? The concept is simple to explain, though not trivial to implement. The starting ingredients of strong resilience are the same as for good security in general. They include board-level ownership; clear governance (knowing who is in charge); a holistic approach (considering cyber security, physical security and personnel security in the round); and effective processes for understanding and managing risk. A further, crucial ingredient of strong resilience is an explicit strategy of actively learning from experience and adapting to risks before they materialise. The aim is to grow progressively stronger by reducing all three components of risk – namely, threat, vulnerability and impact.
A strongly resilient organisation has effective measures in place to understand and tackle the security threats it faces, reduce its vulnerability to attack, and minimise the impact of a successful attack. Conventional protective security focuses mainly on reducing vulnerability by wrapping the target in defensive layers, such as physical fences or virtual firewalls. Many organisations would benefit from doing more to reduce the impact of attacks that succeed in breaching those defences. To minimise the impact of an attack you must first detect it and then respond as rapidly as possible – ideally before any serious damage is done. Other ingredients of impact-reduction include the familiar panoply of business continuity planning, secure backups, incident management, disaster recovery and insurance. On top of these, strong resilience requires an embedded process of learning and adapting. A strongly resilient organisation continuously learns from experience and actively applies those lessons to reduce the risks.
The most searing way of learning is through the raw experience of suffering a major attack. Even then, the learning will only bear fruit if the organisation has a systematic regime of analysing each incident and converting the lessons into practical responses. Fortunately, there are other, less traumatic ways of learning from experience that do not involve suffering a real incident. The safest ways include exercising, red-teaming and learning from the experiences of other organisations through information-sharing forums.
Any organisation that is serious about developing its resilience should invest in a programme of regular testing, exercising, red-teaming and information sharing. It should also ensure that the lessons learned are converted into tangible outcomes by adjusting its policies, procedures and security postures in the light of new information. Broader guidance on developing organisational resilience may be found in British Standard BS 65000, published by BSI. The standard defines organisational resilience as “the ability of an organisation to anticipate, prepare for, respond and adapt to incremental change and sudden disruptions in order to survive and prosper.”
None of this is easy and some of it will cost money. Building strong resilience requires leadership from the top. However, the alternatives are usually worse and the potential benefits are substantial. A strongly resilient organisation will suffer fewer breaches of its security; those breaches that do occur will cause less harm; and it will recover faster. More importantly, the organisation will grow tougher and more resilient over time, giving it more confidence to focus on its core business and take considered risks, rather than endlessly tussling with the disruption of security incidents.
Contact and Follow-Up
Paul is a strategy advisor in Context's Advisory team, and is based in our London office. Prior to joining Context at the end of 2016, Paul was the Director of Security for Parliament for three and a half years, with responsibility for the physical, personnel and cyber security of both the House of Commons and Lords. See the contact page for ways to get in touch.