Cyber resilience: Preparing for the worst
With the technologies available to cybercriminals improving all the time, organisations need to place an increased emphasis on resilience and recovery
Organisations have to move away from the traditional view of cybersecurity as being about defence to one where resilience of essential services is the primary concern. Photograph: iStock
A new word entered the cybersecurity lexicon over the past number of years: resilience. Up until then, the language had almost entirely been based on the terminology of warfare. Indeed, many of the early cybersecurity systems featured demilitarised zones, which were sterile areas where nothing was connected to the network. Like a medieval castle under siege, the systems featured various lines of defence and if they were all breached, the citadel fell.
This all-or-nothing approach has been replaced by something far more nuanced, however. It is now accepted that organisations will, unless they are spectacularly lucky, be breached by cybercriminals at some point in their existence and it is their resilience and ability to recover from such an event that is most important.
Organisations have to move away from the traditional view of cybersecurity as being about defence to one where resilience of essential services is the primary concern, according to KPMG head of cybersecurity in Ireland, Dani Michaux. “If an event happens, an organisation has to be able to continue doing business,” she says. “That’s resilience. It is a question of understanding that an event will happen at some stage and the organisation must be able to continue with its core business and serve its customers when it does. If an organisation can do this, its resilience level is good.”
And this view is gaining ground. “Financial regulators are now placing much greater emphasis on cyber resilience,” she adds. “At the end of the day, when an event happens, the banks and other financial services organisations have to be able to continue in business. The challenge for big organisations is much greater. If you are a small shop, the damage will be limited. The bigger the organisation, the bigger the impact.”
According to Three Ireland’s head of regulatory affairs Niamh Hodnett, the post-breach response is just as important as the effort that goes into defending against it. “Anyone can suffer an attack,” she says. “The important thing is having a process in place to deal with the impact. There is a cybersecurity framework for this process – identify, protect, detect, respond, and recover.”
This framework sees an organisation identify the systems and critical data which could be impacted by an attack; put in place the defensive measures to protect against an attack; have detection systems to know when a breach has occurred; have a response plan to activate following breach detection; and a recovery plan to implement in order to resume normal business as quickly as possible.
“The recovery plan should also include learning lessons from what has just happened,” Hodnett advises. “It should also include meeting reporting obligations under GDPR and so on.”
BDO partner Brían Gartlan, who heads up the firm’s Risk & Advisory Services department in Ireland, says the response should also involve external assistance. “In order for businesses to be prepared, they should implement an incident-response plan and identify key third parties and internal skills required during a breach,” he says. “This approach may also benefit from a series of simulation training exercises to ensure all parties are aware of what steps need to be taken in the event of a breach.”
He has advice on the steps organisations can take to limit the impact of a breach and prevent its spread. “A critical step in planning is to ensure logical separation of zones is in place. The business must ensure they have the ability to identify early and have the controls in place to isolate affected zones.”
Gartlan also emphasises the need to learn from experience. “It is important for businesses to remediate root causes from the previous breach. Prevention within cyber has always been a challenge. As technology improves, it becomes easier to use but threat actors’ technology also improves, and businesses must therefore have plans in place to respond to any breaches.”
Ulster University professor of cybersecurity Kevin Curran recommends some basic steps for organisations to take in order to build their cyber resilience. “You need to have back-ups,” he says. “You need to make sure if the system goes down you have a means of getting it back up as quickly as possible. You also have to ensure the back-up works. You wouldn’t believe how many don’t work. I still see cases where companies are using traditional tape-drive back-ups.”
Those old tape drives may not have been tested for years and may not even be compatible with the systems they are meant to restore. All data backed up should be encrypted to provide an additional level of security, he advises.
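The point that a backup only counts once it has been restored and checked can be made concrete with a restore test. The following is an added example and not code from the article or from any of the firms quoted in it: it archives a small constructed sample tree, records a SHA-256 manifest, restores the archive into a scratch directory and compares every file against the manifest, then truncates the archive to simulate a rotten tape and shows that the same test reports the damage. Encryption of the archive at rest is assumed to be handled by the backup tool and is out of scope here.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, archive: Path) -> dict:
    """Archive every file under `source` and return a manifest {relative path: sha256}.
    The manifest is kept apart from the archive; it is what the restore test checks against."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source).as_posix()
                manifest[rel] = sha256_file(path)
                tar.add(path, arcname=rel)
    return manifest


def _extract(tar: tarfile.TarFile, dest: Path) -> None:
    """Extract with the 'data' filter where available (rejects absolute paths and '..' members)."""
    try:
        tar.extractall(dest, filter="data")
    except TypeError:  # older Python without the filter argument
        tar.extractall(dest)


def restore_test(archive: Path, manifest: dict) -> list:
    """Restore `archive` into a scratch directory and compare every file with the manifest.
    Returns a list of problems; an empty list means the backup restored completely and intact."""
    problems = []
    if not manifest:
        problems.append("manifest is empty: nothing to verify")
    with tempfile.TemporaryDirectory() as scratch_dir:
        scratch = Path(scratch_dir)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                _extract(tar, scratch)
        except Exception as exc:  # a truncated or corrupted archive fails in several ways (ReadError, EOFError, zlib.error)
            problems.append(f"archive unreadable: {type(exc).__name__}: {exc}")
            return problems
        for rel, expected in manifest.items():
            restored = scratch / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"content changed after restore: {rel}")
        for path in scratch.rglob("*"):
            rel = path.relative_to(scratch).as_posix()
            if path.is_file() and rel not in manifest:
                problems.append(f"file not in manifest: {rel}")
    return problems


def run_demo() -> dict:
    """Back up a constructed sample tree, restore-test it, then corrupt the archive and test again."""
    with tempfile.TemporaryDirectory() as work_dir:
        work = Path(work_dir)
        source = work / "data"
        (source / "db").mkdir(parents=True)
        # constructed sample data, not taken from any real system
        (source / "db" / "customers.csv").write_text("id,name\n1,example\n")
        (source / "config.ini").write_bytes(b"[app]\nmode=prod\n")
        archive = work / "backup.tar.gz"
        manifest = create_backup(source, archive)
        clean_problems = restore_test(archive, manifest)

        # Simulate the tape that has rotted: keep only the first half of the archive and test again.
        raw = archive.read_bytes()
        archive.write_bytes(raw[: len(raw) // 2])
        corrupt_problems = restore_test(archive, manifest)
    return {
        "files": len(manifest),
        "clean_problems": clean_problems,
        "corrupt_problems": corrupt_problems,
    }


if __name__ == "__main__":
    print(run_demo())
```

Run on a schedule against each backup set, `restore_test` turns "the back-up works" into a checked result: a missing file, a changed file or an unreadable archive is reported before the day the restore is needed, rather than discovered on it.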
“If an organisation is large enough, they can actually mirror their complete infrastructure,” Curran adds. “Some organisations have these systems ready just in case they are brought down by a natural disaster or other event. A large truck pulls up in the car park containing all the technology needed to ensure the organisation’s systems continue to function. SMEs can also back up systems and data to the cloud. There are organisations that will do that for you and can make sure that you get up and running very quickly.”
Organisations should also consider the type of damage likely to be done by a cybercriminal during a breach. “Someone in the organisation has to be responsible for considering the scenarios,” says Michaux. “You have to put yourself in the shoes of the attacker and look at the practical impacts. Attackers don’t care about the damage they do. They only care about what they want to get out of the attack.
“You have to run through the scenarios. A ransomware attack might be kids or organised criminals or even nation states. You have to ask, who’s after me? What are they after? There are no generic solutions, but it is about the availability of systems following a breach. The question that must be asked is if a system crashes, how quickly can you get it back up and running in the different scenarios.”