Cyber security is like the politicians in the United States Congress: people love to complain about the institution as a whole, but love to defend their own. A recent survey conducted by PricewaterhouseCoopers (PwC) and CSO Online found that 84% of CEOs and 82% of CIOs are fully confident in their cyber security programs, while 78% of chief information security officers feel their existing programs are more than adequate.
Yet the number of cyber security breaches has risen year-over-year. In 2012, there were 2,989 cyber security breaches reported. In 2013, that number rose to 3,741. Additionally, the average loss per incident has risen 23% year-over-year, and the number of companies reporting losses of more than $10 million has climbed 75% from just two years ago. Part of the rise in reported breaches reflects better detection and reporting, but the loss figures point the same way. Clearly, opinion and fact about cyber security have drifted apart. So, where do we go from here?
The answer is a shift in emphasis: cyber resilience. Cyber resilience differs from conventional cyber security in one fundamental way: it accepts that attacks against an organization will succeed from time to time. A successful attack on some part of your business is inevitable; the only open questions are which part, and how badly it hurts. This is where a Cyber Resilience Program (CRP) comes into play. Such a program does not focus only on prevention and defense, but also, and more importantly, on response and recovery when an attack succeeds.
A comprehensive cyber resilience program typically includes:
- Defining business risks: This requires that you set industry standards aside for a moment and focus squarely on your specific business. What would be the most dire consequences of a cyber-attack? What could you live with losing? What would put you out of business? Answering these questions identifies the assets (data and the systems that process it) that your business most needs to protect.
- Developing a security plan: Cyber resilience still includes prevention, but security resources should be concentrated on the vital assets identified in the previous step rather than spread evenly across everything.
- Developing a cyber recovery plan: Your resilience plan needs to spell out the steps you would take in the event of a successful attack. What would you restore first? Who has the authority to declare an incident and take systems offline? Who is contacted, internally and externally, and through which channels? Be as specific as possible here: named roles, contact lists, and the order in which systems come back.
- Determining a proper testing program: Like anything else in life, practice makes perfect. Put your new cyber resilience plan to the test, with tabletop exercises for the decision-makers and actual restoration drills for the technical staff. Then test it again. And then test it again. A backup that has never been restored is not a recovery plan. Make sure everyone in your company is on the same page.
A cyber resilience plan requires a general paradigm shift that businesses must embrace: focusing less on total prevention and more on safeguarding, and responding to attacks on, the most critical components of the business. So, instead of asking, "do we have this or that security measure in place?" the better question is, "are our most important business assets protected in a way that reflects their importance?"
Allocating your funds to mirror the importance of these different business components is equally important. Rather than a single blanket security line in the budget, it is wiser to direct more funds to the business elements you most need to protect, and accept a lower level of protection for the rest.
Finally, expectations need to be adjusted. The idea of complete cyber security is a relic of the past. The successful business leaders will be the ones who expect and anticipate a successful cyber-attack, and have plans in place to contain the damage and recover quickly when it comes.