Cyber attacks and damaging data breaches are happening with increasing frequency. Talk Talk and the Carphone Warehouse are just a few of the many companies to show their vulnerability to cyber crime. These attacks highlight how important it is that organisations accept that a cyber breach is very real possibility. It’s been said that there are only two types of organisations – those who know their systems are being hacked and those who do not. All too frequently information security is overlooked; organisations are naturally focused on their primary objectives. As a result, information security has often been bolted on rather than built in to an organization’s systems and, in many organisations cyber resilience remains the domain of IT Security alone. While many organisations are keen to capitalise on the savings of new technologies and the internet, they continue to treat security as an afterthought, which leaves them exposed.
What companies need is an enterprise wide cyber resilience approach; resilience best practice – as set out in the AXELOS RESILIA™ methodology is as much about security (preventing a breach) as it is about responding, recovering and remaining operational when a breach happens. It is also about designing and managing an effective balance of people, process and technology controls to best mitigate all the risks.
The Cyber Resilience Approach
RESILIA’s cyber resilience best practice provides practical ‘know-how’ guidance, centred on essential processes complementing ‘what to do’ information security frameworks e.g. ISO 27001. RESILIA provides one overarching management system for an organization with a joined-up approach for all areas, focused on collaboration across the whole enterprise and not just IT teams. Take incident management for example: RESILIA gives guidance on how to follow and embed a process while aligning organizational cyber resilience with business objectives and strategy. It also focuses on awareness training for everyone in an organization as well as targeted training for security specialists.
Through its close alignment with ITIL (Information Technology Infrastructure Library) – the de facto global standard for service management, RESILIA builds on the ITIL best practice guidance. So, the countless organizations with the ITIL framework already embedded will be well placed to improve their cyber resilience.
Cyber Resilience in Action
Focusing on cyber resilience brings a more holistic approach to the cyber breach problem, than simply focusing on the technology aspects of security. Its processes are considered in the strategy and design phases and are then embedded to ensure they are being effective used and referenced day-to-day. Lessons are learned and the resulting robust processes are well-managed. In this way resilient processes – installed from the outset rather than bolted on later – are ready and proven when the breach occurs. They are thoroughly tested so the organization is able to react, respond and recover in a well-understood and effective manner.
Why “React, Respond and Recover”?
Cyber security best practice has previously focused on protective and detective technology, with additional attention given to business continuity and disaster recovery. Crucially, however, resilience is about recovery and minimising the effects of a security breach. For example, resilience can encompass practising board room scenarios in the event of a breach; dealing with affected personnel, including customers; and returning the organisation to an operational state so it can continue its core business functions.
What is becoming more and more prevalent is that organisations believing they have done enough to protect themselves are still victims of cyber crime. To combat this, an organisational culture change is required in order to achieve the requisite level of robustness.
The Practitioner level is applicable for people who have responsibility for data security, risk compliance, cyber security practitioners, and is built upon the Foundation level certification, ideal for people in roles with some peripheral cyber resilience responsibility, such as those in HR, procurement, supply chain, commercial, legal and finance teams. In order to embed an effective cyber security approach across the organisation, employees need to be made aware of cyber resilience. It’s no longer enough for IT or security teams to have sole responsibility for maintaining the cyber safety of an organisation.
Cyber resilience best practice addresses company culture, and AXELOS’ range of RESILIA products addresses this need for organisational culture change. Cyber risk training is predicated on regular updates to affect behaviour and attitudes to cyber security: this is the most valuable and effective way to react, respond and recover with confidence.