Cyber security alone is no longer enough: businesses need cyber resilience


Today, we work from anywhere, on more devices and more networks, facing more risk than ever before. Most of the Askaris Cyber Security team work remotely, which involves a great deal of onsite cyber support for our large-scale customer base, so no one knows remote working as well as we do. With that said, the growth in widespread phishing, malware, ransomware attacks, and other frauds poses a risk not just to individuals or platforms, but to entire global organisations, economies, and governments.

Yet the way we think about securing our businesses and our data hasn’t really kept up. Business resources are often still allocated to defensive cyber security, which is focused on protecting the confidentiality and integrity of organisational and sensitive data. But these defences are proving insufficient in the face of attacks that grow more sophisticated by the day. We need cyber resilience in addition to cyber security, and it’s important to understand the difference.

Why cyber resilience over cyber security?

The Askaris Cyber Security team believe that cyber resilience starts with nailing the cyber security fundamentals and adopting basic housekeeping principles. This includes but is not limited to patching vulnerabilities, detecting and mitigating threats, and educating employees on how to defend company security. But we need to be doing these things continuously, not just once a year.

Beyond that, businesses need to build resilience into every part of the business, from business process mapping to engineering service availability to critical vendor dependencies. They need to limit the impact of cybercrime on their organisation's brand, finances, legal position, and customer trust obligations. While these areas typically receive limited attention, resources, or executive focus, they are significant elements in the case of a real threat.

The aim of cyber resilience is clear enough: to ensure operational and business continuity with minimal impact. But the reality can be harder to pin down because there is currently no good way to measure cyber resilience. As leaders, we need to have a certain level of confidence in our ability to respond to an attack, to maintain our customers' trust, to absorb the financial, legal, and brand impact, and to get back to business.

Askaris Cyber Security believe that there are countless basic tick-box exercises needed to show that your organisation is compliant with cyber security rules and regulations, such as GDPR, but are these basic models mature enough? There are countless other, more robust maturity models that allow businesses to measure capabilities, digital transformation, supply chain, cyber security, and data management, to name just a few, on the way to becoming fully protected. We ask: what might cyber resilience maturity look like? This is not just about the ability to respond and recover; it is about how quickly we recover and what we prioritise. This is why Askaris have created a Baseline Security Assessment, which brings together a 360 Cyber Security Review with an internal and external pen test to give you an inside-out and outside-in view of your company's security in one place.

We are not proposing another basic checklist or self-assessment methodology. We believe in a fully 360-degree security assessment that is flexible and adaptable, and that continuously supports your organisation and its protection against cyber threats.

I propose we design a framework that describes a set of characteristics that help a company and its leadership to fully understand what cyber resilience is and how it will be achieved. This framework would describe an approach and attitude towards delivering cyber resilience.

For instance, is your organisation committing random acts of resilience? Building a plan only to look at it when an auditor asks? Building call trees when you would be better off using PagerDuty? Real resilience involves a multi-dimensional approach that dynamically responds to threats while keeping your business goals intact.

Measuring cyber resilience with Askaris’ Baseline Security Assessment would involve:

  • Identifying your crown jewels and critical capabilities
  • Looking at the interconnectedness of your systems and how vulnerable you are to attack
  • Adapting more quickly to the broader social and political climate
  • Creating partnerships with peers, competitors, and public entities
  • Looking at how your team hires and develops skills
  • Changing your approach so you are not only securing the business but enabling the business through security
  • Measuring whether you are maintaining a culture of trust and agility, and measuring customer trust and transparency

We all know that every organisation will have its unique risks, and no one security protection can serve as a one-size-fits-all approach to cyber resilience. But this approach can help guide investment decisions, unite stakeholders around a common goal, and usher in the practice of continuous improvement. Most of all, cyber resilience should provide senior and executive leadership with the confidence that when the worst happens, your organisation can still deliver on its commitments.

An assessment-focused framework for cyber resilience, based on your organisation's need to understand its own vulnerabilities, is not a simple box-checking exercise. Cyber resilience is not about comparison, and there is no final destination. Our Baseline Security Assessment measurement framework should scale across the industry by focusing on the people, processes, and technology required to ensure entire value chains are resilient.

Askaris is the cyber security support that users need and that businesses worldwide rely on. It is up to us to protect our 150+ customers and keep them protected online.