Resilience is having its moment at the place where business risk and information security meet. By the strict dictionary definition, being resilient describes an object or material capable of regaining its original shape or position after bending, stretching, compression, or other deformation.
Cybersecurity was long seen as an IT issue, focused mostly on protecting an organisation from harm and keeping its data confidential. Resilience, by contrast, is a business issue: recovering from an incident while maintaining operations and service to customers.
Resilience starts with accepting that security incidents will happen, and planning to recover as quickly as the situation allows.
Earlier this year, the Irish National Cyber Security Centre published its “12 Steps to Cyber Security” guide, starting from the same premise. It stated: “It’s no longer a question of if your company will be breached, or even when, it’s likely to have happened already. The real question is whether you will know and are you prepared?”
Step nine expressly uses the word: “adopt a risk-based approach to resilience”.
Cybersecurity has always prized “availability” and keeping systems online. But the concept has gathered fresh urgency in the face of mounting security threats. Nine out of 10 critical infrastructure security professionals say their systems have suffered damage from at least one incident in the past two years, according to a survey by cyber exposure company Tenable. Attacks are also becoming more frequent. Hiscox, a specialist insurance company, found 61 per cent of firms experienced a security incident, up from 45 per cent a year previously.
Threats like distributed denial of service attacks and ransomware infections have pushed the issue into the spotlight because they have an immediate and visible impact on a company’s operations – not to mention the significant costs involved in recovering from them.
"Those attacks have highlighted in many businesspeople's minds that they have a huge reliance on their IT infrastructure. They realise that in order to keep the business going, those systems need to be available," says Brian Honan, chief executive of BH Consulting, a specialist cybersecurity firm.
Honan says that being resilient involves treating a security incident or IT interruption with the same urgency as other kinds of business risk. “If you talk to a customer about business continuity planning or disaster recovery, people think, ‘that’s an IT problem’. But if you had a fire in your premises, or a strike, or staff couldn’t get in to work because of weather conditions, you should still be able to do business,” Honan says.
Security in the spotlight
Security technology vendors saw an increase in spending after incidents like the WannaCry ransomware outbreak in May 2017. The widespread media coverage and high profile of victims like the UK's NHS brought the issue to public attention.
"Anecdotally, that's when senior management started taking an interest. They were saying to IT managers: 'I don't want this happening to my business. You tell me what we need to do, and I'll sign the cheque'," says Peter Craig, security specialist with security software company Sophos.
Craig describes security technology as “table stakes” in developing a resilience plan. “If you’re under attack, you want to be able to react quickly. You need alerting mechanisms and you want somebody paying attention to them,” he says.
Alongside strong security defences, Craig says, an effective tactic is to train employees in good security behaviour, such as spotting fake emails, which are one of the most common ways an infection is triggered.
External breaches aren’t the only risk a business needs to think about. As cloud computing’s popularity grows, businesses come to rely on it for more and more services – but even well-known providers can suffer interruptions. “Email is fast becoming mission-critical, and if you’re using a cloud email service, how can you send and receive email if there’s an outage in a data centre? You need to plan for that in a resilience strategy,” says Craig.
Resilience in action
There are some examples of good practice to follow: when Norsk Hydro, one of the world's largest producers of aluminium, was hit with a severe ransomware infection at its facilities in Europe and the US, it took swift action to limit the damage. The company shut its network, reverted to manual operations in some sites, and temporarily stopped production in others. Although this meant some important systems were unavailable, the company could continue operating at reduced capacity while it recovered.
Norsk Hydro’s actions drew widespread praise because it managed the disruption, limited the fallout and it clearly had a tested continuity plan that it successfully executed. Throughout the entire time, Norsk Hydro also posted regular status updates online to communicate with customers and other stakeholders.
Not everyone is ready for the full public glare that follows a major security incident. Any MD should watch a visibly nervous and poorly briefed TalkTalk chief executive Dido Harding face the TV cameras after her company suffered a data breach in 2015. TalkTalk and Norsk Hydro's experiences are at opposite ends of the spectrum, but they share one important lesson: "Don't just have a plan; it's important to rehearse it and test it periodically," says Honan.
Perspective also helps. Over the past three years, the UK’s National Cyber Security Centre has campaigned to increase cybersecurity awareness among businesses and the public. At a conference in Dublin last year, chief executive Ciarán Martin described his goal as “to de-glamorise the subject”. This includes taking security out of the technical realm and putting it into practical terms that a business can act upon.
“There’s a handful of us in any society who will obsess about cybersecurity. For everybody else, just be good enough and safe enough to get by on a risk management basis in our daily lives. ‘Safe enough’ doesn’t involve being an expert, it’s about understanding risk, what’s most likely to happen, and acting accordingly,” he observed.
Smart steps to a resilient business
Good protection usually comes at a price, but resilience doesn’t have to: the controls that guard against single points of failure needn’t be expensive. It can be as simple as ensuring there are easily accessible, verified back-ups of crucial files, for example.
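A back-up is only a control if it can actually be restored, which ties this point to the article’s later advice to rehearse and test the plan. The script below is an added example, not code from the article or from any company it quotes: it archives a set of files, records a SHA-256 manifest alongside the archive, performs a test restore into a separate directory and compares every restored file against the manifest, flagging anything missing or corrupt. The sample files, directory names and contents are constructed for the demonstration; it uses only the Python standard library.

```python
"""Backup with an integrity manifest and a test restore.

Added example (not from the article). The paths and file contents in demo()
are constructed for the demonstration.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, archive: Path) -> dict:
    """Archive every file under `source` and return {relative path: sha256}.

    The manifest is also written next to the archive, so a restore can be
    checked against something other than the archive itself."""
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore(archive: Path, restore_dir: Path) -> None:
    """Extract the archive, refusing any member that would escape restore_dir."""
    with tarfile.open(str(archive), "r:gz") as tar:
        for m in tar.getmembers():
            if m.name.startswith("/") or ".." in Path(m.name).parts:
                raise ValueError(f"unsafe member in archive: {m.name}")
        if hasattr(tarfile, "data_filter"):  # Python 3.12+ (and backports)
            tar.extractall(str(restore_dir), filter="data")
        else:
            tar.extractall(str(restore_dir))


def check_manifest(manifest: dict, restore_dir: Path) -> list:
    """Compare a restored tree against the manifest; empty list means intact."""
    problems = []
    for rel, expected in manifest.items():
        restored = restore_dir / rel
        if not restored.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(restored) != expected:
            problems.append(f"corrupt: {rel}")
    return sorted(problems)


def demo() -> tuple:
    """Constructed sample: two 'crucial' files are backed up, test-restored and
    checked; then the restored copies are damaged to show the check catching it.
    Returns (problems_after_clean_restore, problems_after_tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "live"
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "ledger.csv").write_text("date,amount\n2019-03-19,1200\n")
        (src / "customers.db").write_bytes(os.urandom(4096))

        archive = base / "backup.tar.gz"
        manifest = make_backup(src, archive)

        rest = base / "restore-test"
        restore(archive, rest)
        clean = check_manifest(manifest, rest)  # expected: []

        # Simulate a bad restore: one file altered, one file lost.
        (rest / "accounts" / "ledger.csv").write_text("tampered\n")
        (rest / "customers.db").unlink()
        tampered = check_manifest(manifest, rest)
        return clean, tampered


if __name__ == "__main__":
    ok, bad = demo()
    print("clean restore problems:", ok)
    print("damaged restore problems:", bad)
```

In practice the archive and manifest would be copied to storage the production network cannot overwrite (offline media or an account with write-once permissions), and the restore check would run on a schedule rather than only once, since a back-up that has never been restored is an assumption, not a control.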
ISO 27001 is an internationally recognised information security standard whose methodology can help businesses to start thinking about resilience, says Michele Neylon, chief executive of the web hosting company Blacknight.
“Some of this is just a thought process: what’s crucial to your business, who are the key members of staff and could the business function without them? Do you rely on one vendor? Whether you’re a small business or a larger one, it’s a case of working out what are the risks that you can reduce or avoid completely, and then managing the ones you have as best you can,” he advises.
Document what you do
Most companies will have a way of doing things that is in some way unique to them. Writing down the process avoids the risk where just one person understands how it works. “Businesses need to be careful of a situation where only one or two employees know how to run a critical system. Why is that? Is there a way of spreading risk across multiple employees? If a process isn’t documented, you end up in a situation where the person who knows how to do it ends up having even more importance than they might want themselves,” says Neylon.
Identify weak points
When developing a resilience strategy, think about how much damage an attacker could do if they got into a system. That points towards building systems that have no single “off” button. “Make it hard for an attacker to do systemic damage,” says Ciarán Martin of the UK’s National Cyber Security Centre.
In a case in point, the NCSC is working with the Bank of England as it upgrades its interbank payments clearance system, to make it resilient so that one attack can’t take out an entire system.
Have an effective plan B
Achieving resilience involves developing safe back-up plans for when part or all of a system is unavailable. When an air traffic control tower’s technical systems go offline, it has a priority list of actions to take. The emphasis is not on recovering the system but landing the planes the old-fashioned way, according to Martin.