Cyber resilience - what is it and how can you achieve it? The experts’ view

Chris Middleton, June 24, 2024
Summary:
What’s the difference between cybersecurity and resilience? A panel of experts sets out the key issues.

Resilience, rather than security, is an increasingly important strategic and operational issue: the ability to prevent, respond to, and recover from attacks with minimal damage to the business.

With the digital world becoming more complex and unpredictable – partly due to the rise of accessible AI tools that enable attackers to spoof voices, create deep-fake videos, or generate plausible phishing attacks – attention is turning to organizations’ ability to be resilient, rather than watertight and inviolable.

In this sense, resilience is as much an attitude and a set of behaviours as a portfolio of security tools – though the latter remain critical, of course. And as I explored in my one-to-one interview with Splunk’s Chief Technical Advisor Mark Woods recently, it is also about matching real-world culture and business operations to the right security systems.

Put simply, resilience asks searching questions about who you are as a business, and not just what is in your technology stack.

Don’t victim shame

But another key aspect of cyber resilience should be setting aside the culture of victim-shaming that often accompanies a successful incursion by hackers, gangs, or hostile states.

Recent 'big ticket' data thefts, plus ransomware attacks on targets such as US city governments, hotel groups, and in the UK, the British Library and NHS hospital trusts, have often been accompanied by sensationalist, finger-pointing media reports.

Typically, these portray victims as lone dunces in a world of geniuses; how could these idiots have failed to secure X, Y, and Z? How could they have stored their data in that way, failed to protect their backups, or clicked on an obvious malware link?

But while there may be examples of basic security protocols not being followed, the reality is that, for many organizations – especially those that are publicly funded – outdated systems can’t simply be stripped out and replaced at scale. Money is tight, budgets have been cut, and even the wealthiest, most cutting-edge enterprise is only as secure as its everyday office procedures allow, because each of those procedures is an opportunity to make a simple mistake.

Put another way, in a world where even the evidence of our own eyes, ears, and contacts may no longer be trustworthy, who among us can guarantee that we will never slip up?

The point is this: disclosure and transparency are vital in battling cyberattacks. So, the media’s tendency to victim-shame a damaged enterprise risks having unintended effects: companies becoming secretive about their security failures in order to prevent reputational damage and financial loss, making it more likely that they will pay attackers’ ransoms. And the more they pay up, the more such attacks will continue – with no guarantee that ransomed systems will ever be released, of course, even if leaders opt to pay their assailants.

Dr Melanie Garson is Cyber and Tech Geopolitics Lead at the Tony Blair Institute for Global Change, the non-profit set up by the former British Prime Minister. Speaking at a Westminster eForum conference last week on cyber resilience, she said:

We know that the key to dealing with systemic cyberattacks is information sharing. But, that battle to make information sharing comfortable is one that demands taking away the victim-shaming from it. And with ransomware attacks there is a huge amount of victim shaming. There's a vast amount of data that is not being captured because of the ‘cyber walk of shame’. So, how do we create an environment where we can report this on a no-fault basis, so that we can all really understand the system?

An excellent question.

It’s about humans, not tech

In part, the answer is to adopt a more human-centric approach to cybersecurity – policies that consider people as the strongest, rather than the weakest, link, via a no-blame culture of open reporting.

Gareth Stinton is Cybersecurity Specialist at provider Toro Solutions. He explained that part of this more pragmatic, resilient, human-centric approach is to recognize that attacks don’t need to be cutting edge to succeed. He said:

Organizations have invested heavily in sophisticated technical controls, expecting them to be a silver bullet, but many have neglected to mature the kinds of controls that mitigate more common every-day or low-tech threats. We see, time and time again, that people are simultaneously both our greatest asset and weakness, which means the importance of actively supporting our workforce cannot be overstated.

If we look at the MGM Resorts hack a few months ago [the US casino group lost an estimated $100 million to an attack in October], such a big, wealthy organization with endless resources at its disposal… but their security was undone by what amounted to a well-crafted phone call.

Social engineering is as much a factor in successful attacks as the most sophisticated software engineering or backdoor exploit, he explained:

There is a long and frequently updated list of high-profile hacks where we have seen that attackers do not need to make use of advanced techniques and simply exploit human failures to do the basics.

The political dimension

It is also important to remember another, all-too-human trait: politics, he said:

The context for our security landscape is in the news every day. We need to recognize that the escalating risk of global conflict, plus deep social divisions and less tangible factors, such as the impact of climate change, are all intertwined. They often provide the context and motive behind the cyber threats that we face.

Global conflicts play out in cyberspace. But cyber warfare is not typically restrained to the same extent by politics as real-world warfare is.

Due to its deniable nature, a cyberattack on our infrastructure can have a similar impact to a well-targeted missile strike, but it's not typically seen as an act of aggression on the same scale […] Also, attacks are intensified by growing misinformation and disinformation, which proliferate easily across social platforms.

Now, because these cyber threats have no geographical boundaries, they're typically more agile and adaptable than the governments and private companies that are attempting to protect against them.

Doubtless that is true. However, while the political objectives of some hackers and ransomware gangs are genuine, others may be trying to claim a bogus moral high ground to justify criminal behavior.

As Dr Srinivas Bhattiprolu, Global Head of Advanced Consulting Services for Nokia Cloud and Network Services, put it:

There are certainly non-state actors who are serious, and hobbyists who are actually building ransomware just for the sake of it, and this is being propagated into the system as well.

Meanwhile, UN Secretary-General António Guterres last week warned of the growing threat of “cyber-mercenaries”, malware coders for hire who are weaponizing technology for cash.

Dr Madeline Cheah is Senior Cybersecurity Consultant for Cambridge Consultants, the deep-tech division of services giant Capgemini. She stressed that a pragmatic, human-centric approach is essential, and that resilience matters more than a solely high-end, tech-focused policy. She said:

Where you have legacy, bespoke, and/or proprietary hardware, some of which is critical, it cannot simply be taken out. So, we have to manage the risk. But how to manage risk if we don't know what they [attackers] will do?

One of the biggest factors in uncertainty is the need to see years, even decades, into the future. And if we can't tell what's coming in five years, then 50 years would be quite a challenge.

The complexity risk

In this sense, the growing complexity of the tech landscape is a problem, she explained – and not just in terms of AI:

We can engineer everything that we need to as safely as we need to, as securely as we need to. But what happens when your interactions are not controlled by you? That could be anything from consumables to drones, to cars, to AI, and a whole load of other technologies that are compounding that uncertainty.

And if “uncertainty is the only constant”, she said, then taking a big-picture, resilience-based approach is essential. That means assessing not just the cyber threat, but also the business risk and the human factor – the potential for any staff member to be either an asset or a liability when it comes to security. She noted:

To do that, we need to find a way to give assurance, to find the evidence, to find the ways of creating a risk-based judgement that will allow us to more flexibly, and in a more agile way, address some of the security challenges.

For Tristan Morgan, Managing Director of Cybersecurity at BT, recognizing your real firewall is essential. He said:

We mustn't forget the human firewall. The people who work in our businesses are also one of the main ways of introducing risk, so significant investments in things like cyber training, awareness, and ease of reporting are fundamental in building that culture [of resilience] within an organization, helping to strengthen overall defences.

Wise words. Resilience, therefore, is all about empowering people to do the right thing, with access to as much information as possible.

However, another factor is recognizing that the wider supply chain – both upstream and downstream – is also a source of risk; no enterprise is an island in a cloud-enabled world. Morgan explained:

Understanding that the perimeter of the business extends right into that supply chain is paramount. […] You can't outsource accountability. You can outsource technology, but not accountability for those services.

So, in an environment of, on the one hand, bad actors, hostile states, amateur hackers, ransomware gangs, and cyber mercenaries, and, on the other, escalating complexity, ageing systems, tight finances, and ever more ways to make a costly mistake, who can organizations look to for guidance?

Dr Claudia Natanson is Chair of the Board of Trustees and Interim CEO at the UK Cyber Security Council. She emphasized the importance of setting minimum standards for cybersecurity professionals, to ensure both trust and resilience among organizations. A role that the Council fulfils admirably, of course. She explained why this is important:

We must make sure that we engender trust – trust in what we do, and trust in the people who implement the standards. And take command of cybersecurity to ensure that there's good resilience and maturity across organizations, so we can realize the government's vision of making the UK one of the safest places to work and do business in cyber.

She added:

For an organization to be able to identify risk is important – and in cyber, the inability to identify risk is really very serious. But if you can identify it, then you can know what you must do to accept it, or manage it, or mitigate it. And to have the right governance around it is equally important.

Aside from the need to achieve minimum standards, professionalism, and trust, Natanson acknowledged that the industry faces other challenges on the long road to cyber resilience. A resilient organization is one that is diverse and reflects the needs of all society, she suggested:

We still need to grow our profession more. We are not pleased with the fact that the gender needle is not pointing enough in the area of diversity. Ethnicity is another area that is not growing at the rate we want.

And we are not retaining professionals at the rate we should – in fact, they are leaving the profession. And the area closest to that is mental health, because it's stressful, it's about long hours, and we need much greater management support for the profession.

So, what can be done about the personnel shortfall? Natanson said:

Even though you may have started in one profession, you should consider how cybersecurity is an ongoing thing. But we don’t advertise or market it in the right way. We have been myopic about it. You know, the person with a hoodie on a computer in a dark room [is the picture most people have of security]. But what we do is protect organizations. The way we work with the business and with core functions. We need people to understand that.

To do that, you could come from another profession. In the cyber resilience centre, when we have taken folks from completely different professions and started to train them, we have achieved amazing benefits – more analytical, a different vision and a different view.

My take

Good advice from some of the leading experts in the field. And words that reinforce a simple message: security is primarily a people problem. So, a resilient organization is one that invests in training its staff, while pushing simple but effective messages about business risk.
