There is a well-known saying in cybersecurity: it’s not a matter of if you are attacked, but when. And a growing number of big firms are starting to discover how true this is. The last year has seen successful cyberassaults hit the likes of British Airways, Marriott Hotel Group and Facebook. As the frequency of attacks surges, cybersecurity is increasingly being viewed as a business problem. This is further fuelled by the growing cost of breaches. According to Accenture, companies globally could incur £4.1 trillion in additional costs and lost revenue over the next five years due to cyberattacks, as dependency on complex internet-enabled business models outpaces the ability to introduce adequate safeguards to protect critical assets.
Every person within the business, from the front desk, to customer service reps, all the way up to the board, must play their part
At a time when business competition is fierce and the European Union General Data Protection Regulation (GDPR) mandates that firms report breaches of personal data, customer trust now depends on a business’ ability to prove it is secure. This is putting a focus on resilience, a firm’s capacity to protect itself from breaches, and respond quickly and appropriately when an attack does inevitably happen.
More to cyber-resilience than simply building a wall around data
Yet cyber-resilience is not as straightforward as it seems. In the past, security was based on building a better “wall” around business data. But this approach no longer works in today’s perimeter-free world of multiple devices and cloud, says Chris Moses, senior operations manager at Blackstone Consultancy.
Instead, a multi-faceted strategy can help create a resilient-by-design company. First, an organisation needs to understand its business model fully, including its most valuable assets, says Jamal Elmellas, chief technology officer at Auriga Consulting. “Firms need to know which of their applications is most important to the day-to-day running of the company, and ensure this is resilient and can get back up and running should an incident happen.”
At the same time, it’s important that infrastructure is robust, says Dr Sandra Bell, head of resilience consulting at Sungard AS. “The more robust your IT is, the more options an organisation has,” she says.
When protecting infrastructure, perimeter walls should be strong enough to make it difficult for attackers to get in. “But if they do breach the perimeter, network segmentation will help to prevent an attacker from accessing business data,” says Elliot Rose, head of cybersecurity at PA Consulting.
Firms also need to ensure their data storage methods meet legal requirements. “It is all too easy to get caught up in digital silos that ignore the bigger picture and the need to be holistic where prevention is concerned,” says Helen Davenport, director and cybersecurity expert at Gowling WLG.
Businesses must understand risk to build cyber-resilience
Understanding risk is a key part of building resilience. Indeed, GDPR calls for firms to think about how they protect sensitive information. The regulation also encourages businesses to consider the risk added by third-party contractors, which might not be secure and could lead to a breach of a company’s data.
In some cases, an organisation’s process for procuring services will need to be rewritten, says Mr Elmellas. “Cybersecurity needs to be written into your procurement, even as part of the vetting process.”
There is no doubt that cyberattacks will continue to hit business, but technology can help to detect threats. For example, many firms are already using techniques that take advantage of artificial intelligence and machine-learning. Tools based on these technologies can monitor employees’ behavioural patterns and pick up abnormalities, such as a change in the time they log into systems, to alert firms that they may be under attack.
Employees are the key to building a cyber-resilient business
And, of course, employees are an integral part of a cyber resilient-by-design business. “The foundation of a security culture must be rooted in a sense of shared responsibility,” says Cath Goulding, head of cybersecurity at Nominet. “This means every person within the business, from the front desk, to customer service reps, all the way up to the board, must play their part. CEOs who feel security policies don’t apply to them are mistaken; if anything, they are far more likely to be targeted due to their profile and stature within the business.”
Nick Taylor, UK and Ireland security lead at Accenture, says “brilliant basics”, including training employees to spot and report suspicious activity, are the foundation of resilience.
Dr Bell agrees. “We often hear they are the weakest link, but the users of the information system are the first line of defence,” she says. “They need to be aware of procedures and processes, and what part they play. The system will be vulnerable and threat actors will try to manipulate employees, so give them coping mechanisms.”