Cybersecurity attacks are inevitable, and in some cases a cyber criminal’s attack will succeed. While defending these attacks is important, it’s equally important to prepare for what happens after a breach occurs, the “assumed breach” mentality. The assumed breach mentality sees SMEs move away from just prevention and focus on how they can ensure they recover fast, with minimal damage to operations.
An organisation’s ability to defend against attacks, coupled with its ability to recover quickly, is also known as cyber resilience. It encompasses incident response, as well as business continuity and disaster recovery (BCDR). The focus is on keeping systems up and running during recovery, to speed up restoration, reduce downtime and minimise the overall impact of an attack.
The holy trinity: People, processes and technology
Cyber resilience is the result of an effective and in-depth cybersecurity strategy. The ability to defend against, as well as quickly identify, respond to and recover from an attack is imperative in building cyber resilience.
To achieve this, cyber resilience rests on people and processes, as well as a combination of technologies. SMEs should look for gaps in their security capabilities from a people, processes and technology perspective and take steps to address these. If the business lacks the resources and/or skills to manage this in-house, it’s important they engage a third-party provider, such as a managed service provider (MSP) for support.
Processes should be clearly defined to deliver the desired security outcomes and must be repeatable and measurable. For most businesses, pinpointing weaknesses and making improvements to their processes will be an iterative journey, which should be kept under constant review.
Finally, technology solutions must be able to properly support both people and processes. SME managers should evaluate whether they have adopted the right solutions, whether they are using them to their full potential and how technology could be harnessed more effectively. In fact, many cyber resilience issues are not technology-based. Cyber resilience hinges primarily on people and processes. Technology investments come second, and they should be made based on the needs of people and processes.
The Essential Eight
Cybersecurity frameworks can be useful guidelines for businesses to achieve security objectives, leading to risk reduction and cyber maturity. One of the most well-known in Australia is The Essential Eight, which is a series of baseline mitigation strategies recommended for organisations. Implementing these strategies as a minimum makes it much harder for adversaries to compromise systems.
The Essential Eight does not consist of arduous and/or time-consuming tasks that are unrealistic for SMEs to achieve. Rather, it focuses on implementing best practices into the business’ processes, such as patching applications regularly. It gives businesses guidance on the outcomes they need to achieve. It is then up to each business leader to define which capabilities they will need to develop to reach these outcomes. These include identifying vulnerabilities and understanding an organisation’s environment in order to manage risks; limiting and containing impacts resulting from attacks; effectively responding to incidents; and recovery capabilities to restore normal, safe operations.
Unfortunately, there is no silver bullet for how to achieve cyber resilience as no two businesses are the same. Nevertheless, building cyber resilience should be an essential goal for any business. Most organisations will already have many of the required capabilities in place. Using existing frameworks as a guide, they should be able to identify any gaps in their security posture – and address them by tweaking processes, acquiring specialist skills (or leveraging MSPs for them) and optimising how they use technology.
Cyber resilience is an ongoing business effort and not an overnight endeavour, and it is a journey that requires careful evaluation of an organisation over time. The most important step is to get started.