As dependence on digital technologies and data rises within organizations, resilience in the face of cyber risk becomes more critical than ever. The globalization of supply chains, the complexity of technology stacks, and the continued appetite to innovate with digital technologies have led to continued aggregation of systemic cyber risk.
Effective cyber resilience is complex. How it can be achieved is highly context-dependent, because what works against one type of threat may not work as well against another.
In an era with significant capacity gaps in the workforce’s cyber-risk management skills, there is an urgent need to learn the lessons from the front lines and to systematize and share them in order to raise the general baseline. Therefore, the World Economic Forum, in collaboration with the University of Oxford, recently released a white paper on cyber resilience, noting its importance in today’s evolving world and the best practices to follow for success.
Digital transformation raises key concerns
Cyber risks are among an organization’s highest priorities, and the threat keeps increasing. The evolution of the digital landscape and infrastructure, driven by the disruptive spread of connectivity and emerging technologies, has vastly complicated the threat landscape and the cyber risks organizations face.
The scale, scope, and significance of online connectivity are a defining feature of the digital age. Around 70 percent of the world’s population can access the internet and online services. In addition, digital technologies and processes have become central to everyday life as well as to the work of governments, businesses, and societies globally.
The digital transformation is continuously reshaping and evolving how businesses and governments work. The primary goals and objectives of organizations often come with business processes that are critically reliant on digital technology, commonly without any alternatives.
Therefore, it is imperative that organizations prepare for significant cyber incidents. Continuous investment in cyber-resilience capabilities enables organizations to maintain their primary goals and objectives without fearing the impacts of cyberattacks and other cyber incidents, making sure their growth potential remains.
Key challenges facing organizations
Damage to the integrity and accuracy of information, whether due to sabotage or accidents, can have ramifications for entire business ecosystems and supply chains. Another key challenge is the undermining of confidentiality, which can endanger individual privacy and compromise intellectual property restrictions and the government’s national security protections. Moreover, service instability and lack of availability can result in reduced revenues and, in critical environments, can cause important functions to fail.
Therefore, being cyber resilient enables an organization to minimize the impact of significant cyber incidents on its primary goals and objectives, allowing it to maintain critical services, safeguard stakeholder confidence, and protect strategic value.
Investing in cyber resilience reduces the economic costs of cyber events (for example, data breaches and intellectual property loss), while contributing to improvement in an organization’s reputation. Notably, more resilient companies generate shareholder returns that are around 50 percent higher than those of their less resilient peers, the report notes.
Therefore, failing to build cyber resilience can disrupt business operations and even lead to the organization’s collapse. The impact of cyber breaches is particularly significant among small and medium businesses, with some estimates suggesting that 60 percent of SMEs that fall victim to a cyberattack close down within six months.
Cyber resilience vs cybersecurity
Cyber resilience is not the same thing as cybersecurity. However, cybersecurity is essential to achieve cyber resilience. The National Institute of Standards and Technology (NIST) defines cyber resilience as: “The ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyber resources. Cyber resiliency is intended to enable mission or business objectives that depend on cyber resources to be achieved in a contested cyber environment.”
To achieve cyber resilience, organizations need to consider the many ways in which they are exposed to cyber risk and how they can limit potential impacts, whether by investing in operational cybersecurity controls, by changing business processes or by taking steps to reduce legal or regulatory liability.
What can organizations do to ensure cyber resilience?
There is no such thing as 100 percent cybersecurity. Organizations need to act on the basis that significant cyber incidents will occur. In order to ensure that they can continue to deliver their primary goals and objectives, organizations need to be able to:
- Anticipate and plan for incidents: Organizations must understand the types of threats they are exposed to and the potential harms that could arise from them.
- Design processes and establish contingent capabilities: This will place the organization in a good position to absorb and recover from events.
- Adopt information governance practices: These practices can limit the impact arising from confidentiality breaches and data integrity compromises.
- Learn from incidents: Organizations must learn from experiences affecting their own organization and its peers, and adapt to strengthen the resilience posture. They may also find better ways to deliver business value.
- Take a broad view of cyber risk: Cyber risks can manifest in many different ways, exploiting cyberspace to cause harm to operations, profitability, or reputation.
Key themes in good cyber resilience practices
Various standards, models and frameworks exist to help organizations manage cybersecurity risk and increase their cyber resilience. These models are valuable. However, they have their limitations. Most have been designed to apply broadly across various types of organizations, which makes them somewhat static over time.
While organizations should be cautious about simply copying practices from others, exchanging insights and lessons with peers can greatly enhance the generic approaches that common models offer. In order to encourage peer interaction, the Cyber Resilience Blueprint initiative, a collaboration between the World Economic Forum and the University of Oxford, convened a community of cyber practitioners from several sectors and geographical areas to share good practices and identify how organizations can take collaborative action to address cross-cutting and systemic threats to the resilience of the ecosystem as a whole.
This initiative highlighted several themes, among the most important of which are that:
- Cyber resilience starts at the top. Leaders need to foster the right cyber-resilient mindset that fits their organization’s primary goals and objectives.
- Decision-making on cyber resilience needs to be part of the governance structures of the organization, ensuring clear accountability while empowering individual parts of the business to determine what suits their circumstances and strategic priorities.
- In addition, business processes that depend on IT (and OT) need to recognize that 100 percent cybersecurity is not attainable. Therefore, cyber resilience needs to be built into business processes and information governance practices upfront, to ensure that service availability and quality can be maintained and stakeholder interests protected in the event of a major cyber disruption.
- Finally, organizations must establish plans that come into effect when incidents occur.