Why cyber resilience should be a priority for every business - and how to get there

Hurricane Katrina, the Category 5 hurricane that struck Florida and Louisiana in 2005, was the most destructive natural disaster in US history. According to the National Hurricane Center, the storm wrought a staggering $125 billion in damage.

Compare this figure with the potential losses from a large-scale, global cyberattack: experts predict this could cost an estimated $120 billion.

The “NotPetya” ransomware attack, for example, has cost businesses a total of $10 billion and counting, according to White House estimates. The price continues to rise two years after the incident, as insurance claims are litigated.

As with natural disasters, the damage and scope of cyberattacks is increasing. “Threat actors” are craftier and more insidious than ever before, striking without warning and — unlike many natural disasters — leaving their victims little or no time to prepare for the attack or minimize its impact.

The scale and severity of cyber disasters in recent years has captured the attention of business leaders around the world. Cyberattacks are among the top 10 risks, in terms of likelihood and severity of impact, in the World Economic Forum's latest Global Risks Report. In the US, 53% of CEOs are extremely concerned about the impact of cyberthreats on their growth prospects, according to PwC’s Global CEO Survey.

Many organizations have increased investment in their prevention, detection, and response capabilities. Yet they too often find themselves in recovery mode after an attack— and if ransomware is the culprit, wishing they had planned ahead and implemented better recovery options.

Natural disasters occur within a discrete area. Cyber disasters, on the other hand, can wreak havoc globally. Malware might spread from a single device to infiltrate entire networks, infecting thousands of business systems.

As a current example, cybercriminals are exploiting the spread of the coronavirus to lure victims with malicious attachments purported to contain a health update or a cure.

Threat actors may target core systems with ransomware, encrypting the data so it can’t be accessed. Victims must pay the ransom or restore their systems using backups. If those backups are connected to the main systems, however, the attackers may lock them, too, leaving no recourse but to pay.

Ransomware is simple and cheap to inflict, but much more difficult and costly to remedy. Businesses must pay far more for prevention, detection and recovery from a ransomware attack — millions of dollars, in some cases. Costs may include:

● Lost customers

● Business disruption

● Fines

● Legal

● Public relations

● Breached client records

● Direct financial loss

● Notification

● Credit card reissues, identity repair, and credit monitoring

● Remediation

How much downtime can your business withstand? If a cyberattack disrupts your business, you need to be back online within your “maximum tolerable downtime", according to new Federal Financial Institutions Examination Council (FFIEC) guidelines. To do so, you must think first about digital resilience as you develop a well-tested and repeatable response and recovery strategy.

There are five components to building cyber resilience in your organization:

1. Know your assets.

A retail customer expects seamless service when they interact with a company: shopping, ordering, billing, fulfilment and customer service. The same holds true in technology, healthcare and professional services.

To fulfil these expectations, business systems are highly interconnected. The downside, however, is that one outage could affect many systems. Knowing what’s connected to what and which functions are critical is essential. Leading businesses use automated processes to maintain a current inventory of all the systems that feed their own, to know which systems or assets to isolate if a disruption occurs. More than half of the “high resilience quotient (RQ)” respondents to PwC’s Digital Trust Insights survey — those that scored high on resilience — said they have automated their inventory and mapping processes.

2. Know your supply chain.

In the Fourth Industrial Revolution, businesses grow by forging alliances and supply chain relationships. The global supply chain is highly interdependent. Monitoring your third parties is essential to understanding and responding to the risks suppliers might pose.

3. Practice good hygiene.

Cyber hygiene helps maintain system health and improve online security. Practices include systems patching, using secure computers, and phishing detection and education. Global hygiene trends include:

i. Segmenting the network. To prevent malware or viruses from spreading, divide your network into segments so you can isolate and contain malware. Also, know your perimeter so you can control network traffic.

ii. Keeping systems up-to-date. Update your systems periodically with security patches.

iii. Protecting privileges. Certain privileged users have unfettered access to system resources. Protect these user accounts and their access.

4. Plan your recovery.

How much disruption can your organization withstand without crippling its ability to serve its customers? A short recovery time could be expensive, but a longer one might mean a prolonged outage — which is not good for business.

Your company’s best recourse is to design or procure backup and recovery solutions that a) allow you to maintain versions of backups, b) let you access them quickly and c) are impervious to malware that deletes or corrupts backups. Test drive your disaster recovery plan, and do it every time your environment changes, or quarterly.

High-RQ organizations know how much disruption they can withstand and have plans to recover within their limits. About two-thirds of high-RQ respondents to PwC’s survey have set impact tolerances for critical business services.

5. Conduct disaster drills.

A hypothetical disaster drill (also known as a tabletop simulation) helps you rehearse and perfect your organization’s response to a cyber disaster. An effective disaster drill should be realistic, interactive and moderately stressful for participants. Drills should give employees a better idea of their roles and responsibilities in a cyber disaster, and greater confidence in their ability to react. Using realistic scenarios that are less likely will reveal response gaps. Addressing those gaps will improve the response to, and recovery from, a real disaster.

Achieving digital resilience entails applying equal vigilance to you and your third parties’ critical business systems. It starts with instilling “resilience by design” into the blueprinting process to ensure that those systems are built for resilience.

Resilience also entails using good cyber hygiene day-to-day. Cyber hygiene isn’t enough, however, to protect your organization against the disruptions that cyberattacks can cause. A well tested and repeatable response-and-recovery strategy can help enable your business remains up and running with minimal interruptions.