Faced with the growing number of vulnerabilities and the increasing complexity of cyberattacks, the question is no longer whether your organisation will be attacked, but rather when... And, when under attack, whether it will be able to continue its work unimpeded. This is what cyber-resilience is all about. Let’s take a more detailed look.
Acknowledging the vulnerability of cyberspace...
For nearly twenty years, we have been using the term cybersecurity (and then cyberprotection), to refer to all the ways in which the company’s assets can be protected.
However, the landscape has changed a lot over this period. The Internet, which is becoming ever faster, has become more democratic and the digital transformation is permeating all organisations. These organisations are at greater systemic risk because of their dependence on many different service providers.
Every day, the discovery of new vulnerabilities makes this ecosystem more and more (cyber) fragile. Exhaustive monitoring would require a level of vigilance that is too costly in terms of human and financial resources. So, does this mean that cyberattacks are inevitable? And does this pave the way for a new paradigm, that of cyber-resilience.
...while not becoming resigned to our fate as a result
Far from being fatalistic, this “resilient” approach aims to act to minimize the impact of a cyberattack on the company’s operations. Cybersecurity remains an essential but integrated dimension in a genuinely systemic cyber-resilience approach. The aim is to ensure that the company can continue to operate, even in impaired mode, following a malfunction, failure or attack. This business continuity is ensured by five mainstays: identify, protect, detect, respond and recover.
The first steps towards creating a resilient cyber organisation
Becoming cyber-resilient is not an easy matter, however. First of all, the acknowledgement of the inevitability of a digital emergency must be shared and accepted within the company. This understanding of the environment is particularly important at the executive committee level, as it is the executive committee’s responsibility to allocate the necessary resources for the implementation of cyber-resilience. In addition to basic actions (such as performing regular data backups and storing them in environments disconnected from the company’s network), there are a number of possible approaches that should be considered.
> Check regulatory compliance
For a start, it is advisable to check the organisation’s regulatory compliance and to strengthen its existing Business Continuity Plan (BCP) with a cyber component.
A word of caution: this is not a one-off process – cyber-resilience mechanisms must be updated and tested regularly. On the one hand, threats are constantly changing and on the other, the company is also evolving: a new business project can, for example, increase cyber risk and, if it has not been identified as such, undermine cyber-resilience efforts.
> Take into account the human dimension
The human dimension is crucial. In addition to the technological choices focused on security by design and automation, the company must be able to count on teams that are aware and responsive. So as to avoid being forced to go back to working using pen and paper!
> Ensure that partners are accountable
It is also necessary to work with the right partners, who must also be made aware of the digital challenge. Or even better, they need to be made accountable: in the spirit of the General Data Protection Regulation (GDPR), the idea would be to formalise contractual arrangements for sharing the responsibility for cyber-resilience with their supply chain.
> Promote information sharing
Finally, it is essential to think about communication beyond what is legally required in the event of a cyberattack. It is not merely a matter of following the latest information from experts (like ANSSI and CERT in France), but also of engaging in exchanges with one’s peers. Talking about these topics within one’s ecosystem, investors and even customers helps to build trust. Today, being a well prepared company that invests in its cybersecurity and cyber-resilience is of real value.
As with any crisis management process, cyber-resilience must be implemented before the incidents it is intended to address occur. In line with a digital environment where more and more data is being exchanged every day, this new vision is based on a systemic approach, involving general awareness, information sharing between stakeholders and the selection of the right cybersecurity tools, which are essential as the first line of protection.