4 ways to incorporate cyber resilience in your business

Collaboration is key to cyber resilience. Image: Sigmund/Unsplash

Joe Nocera
Cyber and Privacy Innovation Institute Leader, PwC US

  • Cybersecurity is a major concern for all organizations and collaboration is key to effectively tackle this threat.
  • A report on Cyber Governance by the World Economic Forum, PwC, the National Association of Corporate Directors, and the Internet Security Alliance looks at how board directors can manage cyber risks.
  • Here we explore how companies can accomplish cyber resilience through collaboration.

One goal, one team.

Effective cybersecurity has become a shared responsibility that demands teamwork and an unwavering commitment to internal and external collaboration.

Today, threat actors are targeting organizations and entire industries with increasingly effective cyberattacks. Cybersecurity failure has become a leading threat, according to the World Economic Forum’s Global Risk Report 2022. Businesses agree: 70% of board directors view cybersecurity as a strategic enterprise risk, according to a survey conducted by the National Association of Corporate Directors (NACD).

The ascendant trajectory of cybercrime shows no sign of decline. In fact, 60% of executives forecast that cybercrime will continue to surge in 2022. In particular, respondents expect more attacks on cloud services, ransomware intrusions, and compromises of critical infrastructure. Threat actors are also exploiting dangerous new software vulnerabilities such as the Log4j flaw, which can enable them to remotely execute code on systems and networks. There is also growing unease that geopolitical conflict will likely result in further cyberattacks on critical infrastructure.

In a report published by the World Economic Forum, PwC, the NACD, and the Internet Security Alliance (ISA), we identified six principles that can support board directors in governing cyber-risks:

  • Cybersecurity is a strategic business enabler
  • Understand the economic drivers and impact of cyber-risk
  • Align cyber-risk management with business needs
  • Ensure organizational design supports cybersecurity
  • Incorporate cybersecurity expertise into board governance
  • Encourage systemic resilience and collaboration

In this article, we dive into the sixth principle: encourage systemic resilience and collaboration. Systemic risks require systemic resilience. This requires a decisive dedication to collective effort — and a great deal of individual resilience.

The good news? There are “power moves” you can incorporate to start building resilience in your organization.

Become a cybersecurity team player

Effective cybersecurity comes from the top. The CEO, board, and other senior leaders should champion a cybersecurity culture that fosters collaboration across the company, the industry and with public and private stakeholders.

Creating a culture of security will require everyone's involvement — the board, C-suite, chief information security officers (CISOs), line of business leaders, and individual employees. You will also need to partner with supply chains, contractors, and other third parties.

Given the complexity and stealth of today’s cyber threats, it is likely that boards will need a bit of cybersecurity tutoring. CISOs may need to step in to help senior executives understand threats, potential business impacts and the specific role each executive can play in keeping the company secure.

Awareness doesn’t stop at the C-suite, however. Cybersecurity education should cascade down to every employee and include training, upskilling, and career advancement opportunities.

Educating the board has become urgent thanks to new regulations requiring cyber disclosures. In the US, for example, the Securities and Exchange Commission (SEC) has proposed rules for disclosing material cyber incidents and practices in cyber governance, strategy, and risk management.

The rules may require public companies to disclose details of the board of directors’ oversight of cybersecurity risk and cybersecurity expertise – if any. Disclosures include the processes by which the board is informed about cybersecurity risks and the frequency of its discussions on this topic. A new law requires entities in critical infrastructures to report significant cyber breaches to the Cybersecurity and Infrastructure Security Agency (CISA).

How to make the move

  • Allocate more time to security discussions in board or subcommittee meetings
  • Provide training for board members to become more cyber-savvy
  • Use business language to frame discussions of cyberthreats
  • Create plans for effective collaboration
  • Confirm performance measures for cybersecurity are aligned for all business executives and not just the CISO

Conduct tabletop exercises and update Business Impact Analysis (BIA)

Security training for employees is essential. But resilience calls for more.

Tabletop exercises, which use simulated attacks to illustrate threat response and decision-making processes, can be an effective way for board members to practice the decision-making required in a cyber crisis. Tabletop exercises can prepare business leaders to confidently — and quickly — take appropriate action when real threats are detected. They can illuminate gaps or weaknesses in current response plans.

Similarly, a business impact analysis (BIA) can help organizations develop more targeted and effective strategies for incident response and business continuity. BIAs prioritize business systems, processes, and interdependencies to focus defence, response, and recovery strategies on the issues that matter most to the business.

How to make the move

  • Revisit and update the company's BIA annually or whenever a major business change occurs
  • Leverage the BIA to inform Cyber Resiliency Planning
  • Conduct tabletop exercises throughout the year at different levels of the organization (technical, business, C-suite and boards) using different threat scenarios
  • Consider including critical third parties like outside counsel and law enforcement in some tabletops

Build relationships with info-sharing groups, law enforcement, and government agencies

If cybercriminals share information on attack techniques and tools — and they do — then why shouldn’t you? Sharing intelligence about cyber threats and responses may be critical to staying ahead of cybercriminals. Companies cannot single-handedly defend themselves against attacks by powerful hackers.

Critical infrastructure providers, for example, require proactive cooperation and collaboration among governments, cybersecurity groups, industry peers, and organizations to combat geopolitical and nation-state threats.

The practice of cyber-related information-sharing is growing around the world. Today, 84% of global organizations say they participate in public-private information-sharing. Organizations fostering such a culture include the World Economic Forum Centre for Cybersecurity, Interpol, the US CISA, the UK National Cyber Security Centre, and the Open Data Center, where there is global collaboration of over 1,500 governments and organizations.

You should build robust relationships with local, national and global government and law enforcement agencies to promote intelligence sharing. In addition, companies can build ties with nonprofit cybersecurity organizations such as Information Sharing and Analysis Centers (ISACs), some of which offer 24/7 threat warnings, incident reporting capabilities, and networking opportunities.

Sharing requires trust. Organizations are often reluctant to disclose incidents and responses to industry peers and government entities. To create a collective consciousness of cybersecurity, attitudes must change. While private-public collaboration is commonplace — 45% of organizations take part in it — there is often a reluctance to divulge information about breaches. That mindset must change.

How to make the move

  • Use all available resources, including government agencies, to identify potential threats
  • Participate in collaborative groups such as the European Union Agency for Network and Information Security (ENISA), Information Systems Security Association (ISSA International), the Cloud Security Alliance, the Internet Security Alliance, and WiCyS Women in Cybersecurity
  • Join information-sharing groups such as the Information Security Forum, the Anti-Phishing Working Group, and ISACs
  • Critical infrastructure providers can join organizations such as the European Programme for Critical Infrastructure Protection, the Task Force on Critical Infrastructure Protection, and the DHS Cyber Information Sharing and Collaboration Program (CISCP)
  • Proactively build relationships with law enforcement and government agencies prior to a breach occurring

Collaborate on collective cybersecurity

In today’s hyper-connected digital world, cybersecurity is no longer the responsibility of a single organization or a single executive.

Cybersecurity is the ultimate team sport and it is crucial for businesses, industries, and governments to unite to defend against global threat actors.

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.
