You can fortify your client’s network by installing firewalls, restricting lateral movement, putting MFA and VPNs in place, and implementing training. But sometimes, all the protections in the world aren’t good enough if someone makes a mistake and opens a well-targeted attachment that they shouldn’t. This unfortunate fact has initiated a slow shift towards the philosophy of cyber resiliency.
Most scholars define cyber resiliency as “the ability to continuously deliver the intended outcome despite adverse cyber events.” This means accepting the fact that hacks and breaches will occur and making plans accordingly, so that an organization can recover quickly.
“The embracing of resiliency essentially means that you are admitting that nothing is foolproof, so instead of expending a lot of time and resources to make sure your client is as secure as Fort Knox, instead focus on helping a client recover if they are hacked,” explains Michael Foster, a cybersecurity consultant in Halifax, Nova Scotia.
At first blush, some would describe the trend towards cyber resiliency as handing victory to cybercriminals, but Foster says that isn’t the case. “Resiliency is recognition of reality,” Foster adds.
“For instance, people get sick. You can pop all the vitamins you want, diet, exercise, and scrub germs from your life. Eventually, though, you’ll get a cold or the flu or something, so rather than spending all that effort trying to prevent the unpreventable, why not instead focus on recovering quickly once you are sick?” advises Foster.
Cyber resiliency, while controversial, is gaining supporters
TechRadar recently described the importance of resiliency:
“Establish a cyber resilience mindset and reassess the people, policies, and technologies being employed. Then, move to a position of proper, risk-appropriate security. The benefits of doing so for organizations, nations, and the international community are enormous. Getting there will take bold thinking and decisive action.”
So what are some elements of shifting to “resilience” over “resistance” when it comes to cybersecurity?
First of all, everyone needs a plan, and part of the plan is anticipating what needs to be mapped out ahead of time.
“You should have a plan in place in case your client gets hacked. That plan may be immediately locking down systems, calling the CEO, or putting back-ups in place. The plan will be different for each enterprise, but you need a plan,” Foster says.
Secondly, Foster advises that organizations need access to real-time data, which is something an MSP is well positioned to provide. What systems have been compromised? What functions are impacted? And what kind of attack? The more real-time data an organization has access to, the better the response and the quicker recovery can be.
Thirdly, businesses and the MSPs that protect them need a “continuity plan.”
“Most businesses can’t just shut down and wait out an attack or take a month to get everything up and running again. Time is money, and the longer a business is down, the more costly an attack is. The whole point of resiliency is to avoid this outcome, mitigate the losses, and move on,” Foster points out.
Setting the right plan
The plan will be different for every business, but a big part of any plan for any organization, Foster notes, is backup data and redundancy.
“Redundancy can save a business. Think of a bunch of cash registers in a supermarket. If a couple go offline, then get the others up and running. That’s the philosophy behind redundancy: make it so that if something goes down, something else comes up,” Foster says.
A redundancy system requires a lot of preparation and planning, but it also can save businesses a lot of headaches. Another aspect of a good resiliency program, Foster adds, is communication.
“So many times after a hack, everyone is paralyzed. That causes inaction, and when it comes to a hack, those early hours are critical,” Foster says. There needs to be a chain of command for communications, and equally important, all stakeholders who might be impacted should be looped in.
“If the credit card information for 5,000 customers is now in the hands of hackers, those customers need to be notified as fast as possible,” Foster advises. And having a plan in place ahead of time can allow for that.
By the way, all of this emphasis on resiliency does not mean an organization can and should cut its cybersecurity budget. Some people say if you accept that a hack will happen, why spend so much on cybersecurity in the first place?
“That is not what resiliency is about. We recommend continuing to invest as much as always in top-of-the-line defenses, but resiliency is the next step, what comes after a breach,” Foster says. “And, believe me, if you didn’t have all of those defenses, you’d be doing clean-up all day every day from hacks.”
Foster encourages MSPs and their clients to think about cybersecurity as a levee protecting a city from a river. “Hopefully, that levee holds, and the river never breaches it. Resiliency, however, is planning and adapting if such a breach occurs,” he adds.
And that means knowing where the lifeboats are, the escape routes, and so forth.