Unit 5.4 Measuring Cyber-Resilience
• What is organisational resilience?
• The Indicators of Organisational Resilience
• How to conduct a cyber-resilience assessment
• How to improve cyber resilience posture
• Cybersecurity resilience assessment checklist
• Questions to ask when conducting a cyber-resilience assessment
• Common Cyber Resiliency And Security Mistakes in SMEs
• Summary and key takeaways
What is organisational resilience?
The capacity to endure a crisis and thrive in a world of uncertainty is organizational resilience. Resilience is a strategic capability.
It’s not just about overcoming difficulties. The foresight and situation awareness necessary to avoid potential crises and the capacity to transform crises into a source of strategic opportunity are two additional important capabilities of a truly resilient organization.
The Indicators of Organisational Resilience
Leadership and culture
The following indicators can be used to determine the organization’s culture and leadership’s adaptive capacity:
- Leadership
- Staff engagement
- Situation awareness
- Decision making
- Innovation and creativity
Networks and relationships
The organization’s ability to leverage internal and external relationships when needed; is identified by the indicators listed below:
- Effective partnerships
- Leveraging knowledge
- Breaking silos
- Internal resources
Change ready
The planning that was done and the direction that was set so that the organization could be ready for change; are identified by the indicators listed below:
- Unity of purpose
- Proactive posture
- Planning strategies
- Stress testing plans
How to conduct a cyber-resilience assessment
A cyber resilience review provides a better understanding of an organisation’s cybersecurity posture.
Plans, policies, and procedures for cybersecurity are evaluated on a regular basis to guarantee that cybersecurity programs are effective and prepared for use in the event of an attack.
These assessments, which are referred to as cyber resilience, define an organization’s capacity to recover from a disruptive event and resume operations. However, modifying the assessment procedure to ascertain an organization’s resilience requires more than merely asking “do we have it” or “don’t we have it.”
How to improve cyber resilience posture
The review provides: An improved comprehension of an organization’s cybersecurity posture is provided by a cyber resilience review. The evaluation offers:
- Enhanced awareness of the need for efficient cybersecurity management across the entire organization
- A look at the capabilities that are most crucial to ensuring the continuity of essential services in times of crisis
- A proof of managerial success
- A driver of conversation between participants from various organizational functional areas
- A comprehensive final report that uses recognized standards and best practices to map the relative maturity of the organizational resilience processes in each of the ten domains and includes suggestions for improvement
It is not ideal for an organization to strive for the highest maturity level in all domains when analyzing gaps that have been identified. Instead, the company ought to ascertain for each domain the degree of cyber resilience maturity that best enables it to achieve its business goals and cybersecurity strategy.
The organization should prioritize the actions required to fully implement the practices that enable the achievement of the desired capability in specific domains after the gap analysis is finished. The criticality of the business objective supported by the domain, the cost of putting the necessary practices into place, and the availability of resources to put the practices into place should all be taken into consideration when prioritizing. Prioritizing the necessary actions can be made easier by conducting a cost-benefit analysis of gaps and activities.
The organization should then devise a strategy to fill the identified gaps. Organizations must provide sufficient resources, including people with the necessary skills to complete the planned tasks and a sufficient budget, for the plan to be successful. In addition, the organization must continue to support the plan’s implementation by recognizing achievements and tracking progress.
Cybersecurity resilience assessment checklist
The following checklist can be used to prepare a cyber-resilience assessment in light of the previously recommended actions:
- Identify dangers. Make a list of the risks and dangers that could make cyberattacks easier, as well as the systems that need to be protected.
- Find out about possible cyberattacks. Make a list of possible cyberattacks, like ransomware or phishing.
- Examine the organization’s current attack response. Make a list of the plans, procedures, systems, and technologies that are currently in use.
- Secure current networks, software, and systems. Ensure that current IT resources and assets are secure from attacks.
- Examine your network for vulnerabilities and threats. To find vulnerabilities, perform forensic activities on a regular basis, like pen tests.
- Test procedures and plans for cybersecurity. Check procedures and plans to make sure they deal with and reduce the effects of a cyberattack.
- Train members of the cybersecurity team. Make sure members of the cybersecurity team are familiar with the systems and software used for cybersecurity and how to deal with threats.
- Inform senior management and employees about cybersecurity. Conduct cybersecurity awareness training to educate senior managers and employees about cyberattacks and their roles in them.
- Conduct activities following the cyberattack. In order to prepare for future attacks, identify the activities that were successful and those that were unsuccessful, as well as the steps needed to rectify policies, plans, procedures, systems, and technology.
Questions to ask when conducting a cyber-resilience assessment
The following questions will help guide your cyber-resilience assessment:
What is at risk from cyber-attacks?
This includes employees, business systems, manufacturing systems, business processes, communications, and network services, desktop systems, data storage facilities, network perimeters, and facilities systems, such as fire suppression, building security, access control, and utilities.
What types of cyber attacks could occur?
In order to stay abreast of the most recent risks and threats, it’s a good idea to conduct a cybersecurity risk assessment on a regular basis. This could include threats to critical infrastructure, supply chains, ransomware, phishing, denial of service (DDoS) attacks, and others.
What are the likely threat vector access points?
Examples of these encompass remote work, the use of remote access technologies, infected files entering an organization’s network infrastructure, and even rogue employees activating or inserting software code that allows unauthorized users access.
Currently, how does the organization respond to cyber-attacks? This could involve a cybersecurity strategy that handles different cyberattack scenarios, a cybersecurity incident response plan that gathers harmful code for examination, and a cybersecurity incident management plan that controls the problem until it is fixed and reported. Organizations should also develop technical disaster and business continuity plans to help restore systems and businesses to normal operations. To help promote organizational resilience following an incident, the final two points are presented.
How does the company deal with the five main activities for responding to cyber-attacks?
Examine all relevant cybersecurity materials to ensure the following five activities are performed in the event of a cyber attack:
Assessing risks, threats, and vulnerabilities will help you find potential threat actors and attack routes. This process aids in assessing how well-prepared the institution is to react to threats.
This phase explains how firewalls, intrusion detection, and prevention systems, and cybersecurity analysis tools are used to thwart cyberattacks.
The likelihood of an attack exists even with preemptive security measures, therefore employ investments in security hardware and software systems to find any potentially malicious code.
This stage remediates the malware, analyzes it, and neutralizes it to stop future damage using the systems, software, and cybersecurity incident response protocols.
Measures to restore damaged systems and services, restore interrupted business operations, and assist the company in promptly resuming operations are all part of this step.
How does the company check for cyber vulnerabilities and threats?
In order to regularly test for and find any potential weaknesses at the network perimeter and within the organization’s infrastructure, companies must have protocols and systems in place. This covers a range of methods, like penetration testing.
How frequently are cybersecurity procedures, plans, and systems tested?
Since cyber attackers frequently update and improve their malicious code, this is particularly crucial. Institutions must be meticulous in their planning as well. Employees must be aware of what to do in the case of an attack, management must support cybersecurity management procedures, and cybersecurity personnel must receive ongoing training on how to handle cyber events. For instance, firms should upgrade their firewalls frequently to improve the chances of identifying a threat actor.
Are members of the cybersecurity team well-trained?
Members of the cybersecurity or information security team must stay current on the latest local and international malware, phishing, and malware operations. Members of the team also need to know how to use cybersecurity tools that spot suspicious code and lessen the chance of an attack.
How well-versed are senior management and employees in cybersecurity event procedures?
Employees and top executives must be aware of the company’s policy on dealing with cyberattacks, in addition to the cybersecurity team. This also covers what to do in the event of an attack. Making sure staff members are aware of corporate regulations and the value of cybersecurity diligence is crucial, as is ensuring they have received regular training on these topics.
What happens in the aftermath of a cyber attack?
This step examines the organization’s response to the cyber attack objectively, determining which actions were successful and which were unsuccessful. The company ought to initiate follow-up actions to resolve any issues that are discovered.
How are systems, software, and network cybersecurity managed?
This category encompasses a wide range of activities, including the following:
- managing patches;
- updates for antivirus and other malware software;
- proper management of passwords;
- strict control over access;
- making certain that applications, databases, and data are regularly backed up;
- restricting authorized personnel’s access;
- establishing and maintaining hardware, network, and facility security; and acquiring insurance for cyber security.
Common Cyber Resiliency And Security Mistakes in SMEs
There are three mistakes companies make when it comes to cyber resiliency and security that decision-makers should be cognizant of, three of which include: cyber complacency, assessment shortfalls and failing to make resource updates.
1. Being cyber complacent:
“If it’s not broken, don’t fix it” remains the mentality of most decision-makers when comes to increasing their cybersecurity posture. Although that witty of “old school” thinking might work to prevent routine attacks, it has allowed sophisticated adversaries the opportunity to drill down deep into networks without being detected.
Information theft has become a common and recurring event to which many people have fallen victim, are becoming complacent about and are consciously numb. In my experience, this situation is no different in the corporate world (except that certain types of institutions are required by law to directly inform individuals whose information has been compromised).
Create a strategy for putting a continuous monitoring concept into practice, with an initial focus on key cyber terrain, and conduct an end-to-end security vulnerability assessment of your network. The advantages of knowing how exposed your network is and which functional business areas are most at risk far outweigh the relatively low cost of conducting security vulnerability testing and assessment.
Decision-makers ought to be aware of the following three mistakes that businesses make when it comes to cyber resiliency and security: failure to update resources, assessment gaps, and cyber complacency.
2.Neglecting the significance of vulnerability assessments for security:
A common follow-up error that many businesses make is to view risk assessments as a wasted expense now that we are aware of the significance of carrying out a security vulnerability assessment of the company’s network.
However, the possibility of a devastating cyber attack increases with the development of data centers. Understanding where technology is now—not in the future—requires risk assessments. Cybercriminals have no rules and can use technology however they please. We will always be fighting adversaries who can deploy technologies in ways that were unexpected, undocumented, or even illegal and do not operate within the constraints that we do. Reactionary fighting becomes even more difficult as a result of this. Having said that, businesses need to stop thinking of cyber security as a wasted expense because it has the potential to be a lifeline for their business in the event that it encounters cyber attacks.
Penetration testing, also known as “pentest,” is highly recommended for finding vulnerabilities or inconsistencies throughout a network when conducting a security vulnerability assessment. As a pentest that imitates a criminal attack can have a number of negative effects, it is critical that you choose a team with experience in the field.
Decision-makers ought to be aware of the following three mistakes that businesses make when it comes to cyber resiliency and security: failure to update resources, assessment gaps, and cyber complacency.
3. Failing to update as necessary:
Keeping cyber resources up to date in order to appropriately and effectively respond to and mitigate new cyber incidents is an essential component of maintaining a robust cyber security posture that is frequently overlooked by businesses. This applies not only to employees but also to any IT equipment that comes into contact with the network. Sadly, some businesses do not view IT infrastructure components as essential assets for carrying out their corporate mission. As a result, they are only addressed at the end of their technical lifecycle when replacement costs become apparent.
Even though things appear to be stable, that doesn’t mean they are. Leadership is aware, to no one’s surprise, that technology is developing at a rate faster than any business can sustain financially. But is that leadership aware of the consequences of not keeping up with technology? A company’s risk is high if it does nothing, and it is not financially possible to keep up with technology, so company leadership must choose a middle ground.
SUMMARY AND KEY TAKEAWAYS
- The capacity to endure a crisis and thrive in a world of uncertainty is organizational resilience.
- An improved comprehension of an organization’s cyber security posture is provided by a cyber resilience review.
- The cyber resilience review report may be used to develop a strategy for addressing weaknesses and utilizing identified strengths. The report can serve as a starting point for a project to improve processes based on data.
- A company’s cyber resilience assessment can be completed in nine steps.
CHECK YOUR UNDERSTANDING
Consider each of the following inquiries. Before moving on to the next question, check the material you have read if you are unsure of the answer.
What is the definition of organizational resilience?
What are the key steps in conducting a cyber resilience assessment in a company?
What are the most important questions to measure a company’s cyber posture?