Simply put, cyber resilience is a measure of how well an organization can operate its business during a data breach or cyber attack. Security teams have measures in place to detect and stop attacks, and they have recovery plans for the inevitable breach, but can they, along with IT, keep critical business processes such as order fulfillment, customer service, or accounting operating during a crisis?
Not everyone has to be a security pro, but those in development or in other technical roles must understand security’s importance to the larger organization. If they don’t do their part to safeguard operations, breaches and attacks can demobilize an entire business.
Take NotPetya, for example, which Rob Juncker, senior vice-president of product development at software provider Code42, says shut down “supermarkets and ATMs all throughout the Ukraine.” Or WannaCry, which he says left hospitals unable to access patient information. Just as “the biggest organizations fail and … go bankrupt because they’ve failed to innovate,” Juncker says a lack of security readiness has similar potential to bring a company down. When everyone understands the vital nature of security, devops is free to build buffers into the business that keep it resilient enough to survive.
Understand the business to better protect it
For starters, says Don Aliberti, head of information security for financial services group Nomura Holdings America, “If you want to protect the enterprise, protect the firm, you have to understand your firm.” Take a good look at every company process that uses tech. Sure, code is being developed, but so are marketing campaigns. Maybe sales is in the middle of drafting an important proposal. Accounting is filing quarterly taxes while email and Slack send every message imaginable back and forth.
If it has value and is happening on your systems, it needs to be protected. Determining value, Alberti says, requires “understanding what are the main functions that keep the business going and what are the main risks to the business as far as availability, confidentiality, and integrity that potentially could hurt the business.”
Approach your backup systems with a business mindset
If a malware attack meant development could no longer access their work, what would happen? Could the business keep going? With backups, maybe. They’re not just there in case someone deletes something, after all. Ben Cabrera, CIO for Covanta, says backups are part of the environmental company’s plan for dealing with ransomware: “Disaster recovery and backups have become really important thing for us.”
If hackers attack, he explains, “We just shut down that environment and move to the next environment, which is a warm backup. From a disaster recovery perspective, we can be back up and running within a relatively short period of time.”
The trick to backups is to approach them with a business – not just security – mindset. In deciding whether to repair or ditch an infected system, Cabrera says, “You really have to make a decision in terms of what was compromised, what was damaged, and then – at the same time – what’s the cost of information that’s actually transpired since that point? If the breach was two months ago, for example, backing up to that point in time would be a loss of information and value to your business, right?”
Look beyond security for help building in resiliency
Cabrera mentions data consultants can help with this work, but Aliberti disagrees. He says security teams hire outside consultants too often. These third parties, he explains, “look at a specific application; they do an application assessment. They’re looking at bits and pieces, but they never understand necessarily … the end-to-end business processes.”
You know your data best, he continues, you know which “systems … are most important, what is the downtime that you can afford to have, what is the data move, where does the data exist.” Outside parties aren’t in your company every day. The only way they understand your priorities is through you.
That doesn’t mean you shouldn’t look beyond yourself for advice. Building resiliency across the entire organization takes everyone. Non-security colleagues may have better ideas than you think. Accounting, for example, knows about controls, and they understand the forensic process when something isn’t right in the transaction logs. The people responsible for protecting a company’s most valuable secrets will have ideas about mitigating the risk of that information getting out.
Juncker says, “Our business used to be that everything we needed to run our business was within the four walls of our monitor. But right now, we’ve embraced cloud in so many different ways. We’ve embraced trading partners; we’ve embraced technologies that speed our innovation forward.” Companies embrace new technologies because they help the business grow. Security, he says, is “oxygen.” If your company wants to continue breathing, the entire body needs a contingency plan.
Attacks will come, but with this plan in place, you can survive them. In 2014, Iranian hackers attacked Sands Casino. Aliberti says, “They took down all parts of their environment. It took quite a while for them to recover, but they were still able to get people booked into the hotels.”
You have to keep critical operations going. Insuring the entire business is “a broad attack surface,” Aliberti says, but if you break operations into smaller pieces, you can manage it.