Cyber attacks on business and government continue with regularity and increasing sophistication. Some of these are well publicised (for example, the recent attack on UK Internet Service Provider TalkTalk) and considerable press hype ensues, making it difficult to understand what actually occurred and what actual damage was done.
It is increasingly clear that however much is spent on defensive measures, an organisation must assume that a breach will occur. Whether it comes from an insider threat or an external attacker, it is no longer a matter of “if” but “when”.
So the ability to protect sensitive information and continue critical operations whilst detecting, responding to and recovering from an attack will be key. This is referred to as RESILIENCE.
Any effective cyber security resilience approach must balance the core components of
- technology, including endpoint protection, cryptography and security incident detection
- process, such as the methods for reporting an incident, a new risk or a vulnerability
- leadership, demonstrating the importance of holistic security from the top of the organisation
- education, starting with basic awareness and tailored to every job role in the organisation, regularly updated as the technology and the threat change
to each step in the cycle shown in figure 1 below.
Figure 1 – Resilience Cycle
Cyber resilience is a key principle underpinning ISO 27001, and the wider issue of information technology’s role in business continuity is covered by ISO 27031.
Governments and industry realise that cyber resilience is increasingly important to maintaining business continuity, information privacy and reputation / brand value. There are a number of interesting government-led responses, including:
The World Economic Forum launched an initiative to advance cyber resilience in 2012 with the goal of enabling the digital economy to grow and thrive in the face of determined cyber attacks. More than 100 organisations are currently involved, and the project focuses on the impact of cyber threats and on creating risk assessment models so that leaders can ask more sophisticated questions about the threats most relevant to their own industry. The WEF cites the UK Government’s Ten Steps to Cyber Security booklet as “an excellent example of putting the principles in practice”.
US Government | Cyber Resilience Review – offers a combination of self-assessment questionnaires and an optional on-site assessment to “evaluate an organization’s operational resilience and cybersecurity practices”. It was created by the Department of Homeland Security in partnership with the CERT Division of Carnegie Mellon University’s Software Engineering Institute. Participation is voluntary, and the programme is promoted through activities that are often featured in academic and trade journals.
These are certainly steps in the right direction – but are they enough? Is there more, or something different, that governments (and industry) could do to address this vital topic? And what are the inhibitors to progress?
I look forward to exploring these questions – and more – in the Cyber Resilience Workshop at AFCEA’s Cyber Symposium in Sofia, Bulgaria on the 8th – 10th December 2015. I will write a follow up blog post outlining what I learnt!