Cyber resilience is defined as the ability of an organization to continue to function, even in a degraded manner, after components of the organization have been disrupted by information system failures that occur at random or as consequences of a cyberattack.1 We often think of the quality of “resilience” as an inherent feature of one’s character: that a person was born with the quality that allowed them to persevere through obstacles and setbacks, and perhaps even thrive because of them. Cyber resilience… is not that. Cyber resilient organizations are resilient because they recognized the innumerable potential threats to their information systems and prepared themselves accordingly.
While we hear the most about cyberattacks on large organizations, and Interpol reports that major corporations, critical infrastructure, and governments are cybercriminals’ top targets,2 cyberattacks on small businesses are exceedingly common. A report found that more than 67 percent of companies with fewer than 1000 employees have experienced a cyberattack, and 58 percent have experienced a breach.3 The report goes on to note that a cyberattack could be devastating for many small businesses: 60 percent of them would be forced to close due to the damages associated with a cyberattack. To be clear, any organization of any size could be targeted by cybercriminals or experience some other, more random information system failure, and the first step towards becoming a cyber resilient organization is recognizing those facts.
The next step towards developing cyber resilience is to navigate “The Seven Stages of Cyber Resiliency”:4
- Classify. All assets need to be identified so that they can be protected. System assets must be identified, labeled, and organized into a baseline which describes all potential protection targets and is maintained under strict configuration management.
- Risk. A broad-spectrum risk assessment must be performed that characterizes all known scenarios as they apply to identified assets.
- Rank. Assets that cannot afford to be compromised are selected and evaluated, and effective countermeasure responses are deployed for each critical asset. Components that are not designated as critical are allocated to the protection and recovery of the rest of the system.
- Deploy. The functionality to ensure resilience must be baked into the architecture of the system in a fashion that confirms that critical functions are assured in the event of a largely successful attack.
- Test. The system’s architectural resilience must be assured through methods such as penetration testing.
- Recover. Well-defined processes are documented and established to ensure that all of the system’s functions are fully restored within established parameters.
- Evolve. The organization dynamically adjusts the system’s cyber-resilient architecture based on lessons learned.
Through deliberate and exhaustive planning and training, any organization can be a cyber resilient organization that will continue to function in the event of a cyberattack or random information system failure, and perhaps it will even thrive.
1 Choudhury et al., 2015, “Action Recommendation for Cyber Resilience”
2 Interpol, 2020, “News and Events”
3 Ponemon Institute LLC, 2018, “2018 State of Cybersecurity in Small & Medium Sized Businesses”
4 Conklin & Kohnke, 2017, “Teaching Cyber Resilience for Critical Infrastructure Systems”