How confident are you that your business will continue to operate in the event of a cyberattack? How would you recover? What would be the impact?
IT security and business continuity leaders often face these questions from their chief executives or boards, and in all likelihood they ask themselves the same questions. A strong cyber resilience strategy, one that takes a unified approach combining cybersecurity with data protection and disaster recovery methods, can help businesses protect against and rapidly recover from disruptive cyber incidents.
In September 2020, a crippling malware attack brought down the computer systems of one of the largest hospital chains in the United States. The company had to shut down all remaining systems used for medical records, laboratories and pharmacies across nearly 250 facilities to prevent further spread of the malware. It also had to cancel surgeries and divert ambulances, while its healthcare workers switched to paper records for patients.
Around the same time, a hacker released private and confidential information about students after school district officials refused to pay a ransom in return for unlocking the district computer servers he had hacked into and encrypted.
Such breaches could happen to large enterprises, even those with robust security technologies in place. Today’s malware can affect systems and networks even if they seem fully patched, leading to high financial costs. For example, in April 2020 a multinational IT services company confirmed that its network was hit with Maze ransomware that encrypted its servers, disabled tools used to automate and provision devices, and inhibited work-from-home capabilities. The initial financial impact to the company was estimated to be in the range of $50 million to $70 million.
According to a recent survey by IDC, the average cost of downtime exceeds $200,000 per hour. This cost estimate includes actual loss of revenue and cost of recovery, but doesn’t include regulatory penalties, loss of reputation and long-term brand damage.
Most cybersecurity programs continue to be hamstrung by organizations’ traditional perspective of investing in prevention technologies. This is largely due to their inability to fully evaluate the complex landscape of risks and threats, which often manifests as the deployment of multiple point solutions that generally have a shorter shelf life. This challenge can be aggravated by the unintended vulnerabilities created by digital transformation, IoT adoption and hyper-convergence.
A large number of organizations still have aging infrastructures and processes, which makes it challenging to segment their critical workloads from other workloads using legacy network infrastructure. While many organizations have business continuity and disaster recovery plans, their existing configurations may not allow for easy recovery because they were not designed to be resilient against destructive cyberattacks. In addition, existing incident response plans and playbooks may not be effective against evolving cyber threats.
And it doesn’t stop there. Let’s look at some of the other risks and challenges:
Cloud migration: The trend of workload migration to cloud is rapid and pervasive. But most organizations face challenges understanding dependencies and prioritizing what data and workloads to protect.
Shadow IT: The pressure for innovation and faster time to market, BYOD and the simplicity and agility of public cloud experience, coupled with legacy central IT procurement processes, fuel increased use of shadow IT.
Shortage of skills: Many recent studies point to a worsening cybersecurity skills shortage that may impact business and government organizations globally.
Organizational silos: Cybersecurity, business continuity and the teams that own systems and applications are siloed and have difficulty collaborating to solve critical problems.
Boardroom sponsorship: While the board needs access to cyber expertise for budget allocation and risk oversight and governance, security and business continuity leaders often struggle to translate IT risks into a business language the board understands.
Why build resilience?
Cybersecurity technologies have evolved by leaps and bounds during the past few years. We are getting better at securing our network perimeters, and threat intelligence today is powered by AI and machine learning. But adversaries are now as equipped and resourceful as legitimate business organizations – and they only need to get it right once, while we need to be right all the time. In the recent IDC survey, 73% of respondents indicated that they had experienced major security breaches of their IaaS environments in the past two years that involved the spending of significant extra resources to rectify. In fact, the median number of breaches in that time frame was 2.0.
With attacks becoming more malicious and techniques more advanced, the strategies and plans to mitigate the impacts of such attacks must also change. Businesses need new technologies and practices to survive and adapt to today’s cyber outage scenarios. Traditional recovery plans must change to support these new scenarios, and that change will require new thinking and teaming between disaster recovery and security teams.
As IT and information security executives struggle to determine the appropriate technology areas to spend their limited budgets on, it is imperative that they take a holistic view of IT risks and build a robust cyber resilience program to keep their business processes and operations functional during and after a cyberattack. With a cyber-resilient environment, IT can be at the forefront of fostering relationships with business leaders and partnering with them to confidently drive their digital transformation journey forward.