People power is the lost key to cyber resilience

Corporate and personal reputations are hard-won, but they can be ruined in an instant. As countless examples have shown, businesses large and small are being successfully attacked by cyber criminals, often with catastrophic impacts.

The fact that so many organisations, of all sizes and in all sectors, have had their most valuable and commercially sensitive information compromised reflects the scale of the problem. It also highlights that no one is safe. All organisations are at risk and there are no silver bullets.

Cyber resilience can be described as the ability of any organisation to prevent, detect, respond and recover from the impacts of an attack with minimal damage to their reputation and competitive advantage.

Cyber resilience comes down to having an organisation of people who are cyber aware, curious, ask the right questions and who are not just ticking the box.

Gary Warzala, senior vice president and chief information security officer, PNC Bank

But organisations can manage their cyber risks more effectively by adopting an organisation-wide strategy, led from the top, which effectively balances business opportunities and risks. Until this collaboration happens they will remain as vulnerable as anyone else.

So how resilient are organisations? Recent research by Ponemon, among 450 security and IT professionals, reported that only 29 per cent of organisations rate their cyber resilience as high. Only 15 per cent of respondents reported collaboration in the organisation as excellent and nearly one third said collaboration was poor or non-existent.

In a resilient organisation, protecting your most precious information is as much about preparing for an attack, and agreeing response plans and responsibilities for when one happens, as it is about detecting and defending against attacks.

It’s often reported that approximately 90 per cent of all cyber attacks succeed as a result of human error – all of us are targets. Cyber criminals, like those in the real world, are opportunists and they are adept and persistent at exploiting these “unlocked doors” into any organisation.

Your people can be your best defence against the risk of a data breach. Leave them to their own devices (literally) and they may become your greatest vulnerability, but spread awareness via engaging, adaptive, regular and fun learning, and they will help to protect the organisation from within.

As phishing attacks and social engineering continue to account for the large majority of successful cyber attacks, influencing and improving human behaviours must sit at the heart of any effective organisation-wide strategy. Future success depends on all of us recognising our part in the operational health of the organisation and feeling valued in that responsibility.

Boards are ultimately responsible for the security of client data, commercially sensitive information and critical systems, and they need to lead the required collaboration across the organisation. They have to set the right tone from the top. Do they see themselves as responsible and accountable? Do they talk about security in their staff communications? Are they interested in latest attacks? Do they ask for and discuss regular intelligence on cyber risks and vulnerabilities? Your information security team might know what constitutes effective resilience, but are all departments, including human resources, legal, marketing and communications, on the same page?

This is just as true of small and medium-sized businesses as it is of the global corporates. The FTSE 100 might be the big prize, but small and medium-sized enterprises are equally at risk, and often represent an easier route into larger organisations, providing fertile ground for hacking groups to exploit.

AXELOS has developed RESILIA, a portfolio of cyber resilience best-practice publications, certified training, all-staff awareness learning, leadership engagement tools and a tool to help assess your current cyber resilience posture. It is designed to put people at the centre of an organisation’s cyber resilience strategy, enabling them to recognise, respond to and recover effectively from cyber attacks.

The critical thing to remember is that if you are a business and you are connected to the internet, then you are a target and you will be attacked. Cyber criminals can target you from anywhere in the world. It’s a low-risk crime, and once they get what they came for they can melt away, leaving little or no trace.

Becoming the victim of such an intrusive crime can be devastating and many companies never properly recover. Without adopting an organisation-wide strategy that understands your critical cyber risks, and which involves and engages all your people to be your champions in protecting what’s most critical and valuable to you, it is just a matter of time before you’ll be expected to respond to a successful attack or significant data breach.

For more information visit

1. Understand the business strategy and what the most valuable information and critical systems are. Assess the cyber security capabilities company-wide, question whether they support the business priorities, and establish that the right information security people and skills are in place to support the cyber strategy.

2. Ensure the board sets the right tone from the top, by addressing the importance of security when talking to employees, by seeking regular updates on how their organisation is affected, and by asking relevant and informed questions.

3. Focus on identifying and managing information risk. Ensure there’s a robust process for communicating risks across the enterprise.

4. Ensure there’s a clear, honest and accurate assessment of the effectiveness of the security controls environment. Are controls consistently deployed across the organisation and regularly reviewed to ensure they remain effective?

5. Seek out available best-practice guidance such as RESILIA, the Cabinet Office’s 10 Steps to Cyber Security and the UK government-backed Cyber Essentials scheme. Adopting the principles outlined will help reduce the risk of cyber attack.

6. Consider certified training in cyber resilience and identify “cyber champions” within the various teams across the organisation.

7. Build the willing collaboration between the business, security teams and IT, because no one can do it alone or without effective co-operation across the organisation.

8. Create proactive, engaging, regular awareness learning programmes for all employees, regardless of role or responsibility. To be effective these should be short modules with refresher sessions incorporating the latest threats and providing simple pragmatic tips for employees.

9. Appreciate that your organisation is as much a target as any other. Identify what an effective and robust incident response plan looks like when a crisis occurs, and ensure this is tested.

10. Demonstrate the business value of all the above. Ensure buy-in from all departments and make clear the risks of failure to take the issue seriously.

“Out of nowhere, hard-won reputations are at risk,” says Jim Baines, chief executive of Baines Packaging, Peekskill, New York.

He says: “Cybercrime wasn’t on my radar. It was just an item way down on the agenda. Something I expected my IT department to handle. My CIO had it covered. I thought. I expected.

“It never occurred to me that I might be a target. The stories you read in the press are usually about an employee who’s walked off with a valuable bit of IP on a USB stick, or criminals after credit card numbers. But board members… CEOs? They’re immune. Right?

“Wrong. They’re actually the best targets. The biggest targets. They’re ‘whales’ that smart hackers want to harpoon. We know all the secrets. We have privileged access to all the lucrative parts of our organisations.

“It makes perfect sense. Why start at the back door when you can go in right through the front? And board directors are just as human as anyone else. They make mistakes. They’re careless. In fact, they’re vulnerable because they think they’re immune.

“That’s what I thought. My company, which I built from nothing over 30 long, hard years when I put everything on the line, is now losing clients, losing money and, most crucially, has lost credibility. My reputation has been damaged with my peers, my friends… even my family. I’m fighting back, but it’s hard.

“You need to know that you are a target. Everyone on your board is a target. No one is immune; everyone is vulnerable, however powerful or successful they may be.

“You need to know that and act. Now.”

Extract taken from Whaling for Beginners published by AXELOS, which follows Jim Baines’s story as he realises just how close to home cyber attacks can strike and that his company’s very survival now hangs in the balance. To read more please go to