We’ve all heard the saying “survival of the fittest”, although this can quite accurately be translated to “survival of the most resilient”. This applies to everything that we are, and everything we create.
As humans, we will be attacked throughout our lifetimes, whether that be a cold or virus, physical injuries from a collision with a car, mental illness, or being mugged while walking through the park. It’s an unfortunate fact of life – there is no magic bullet to avoid it, situations like this are inevitable. Any doctor, practician, or otherwise claiming that they possess the key to protecting yourself against 100% of attacks is either lying or fooling themselves. It’s just not possible.
As humans, what do we do about it? The only logical choice is to build resilience. We must be able to weather these attacks and recover from them. To do this, we (try to) eat the right things, reduce harmful activities (smoking, drinking etc), and exercise both our bodies and our minds. Building mental and physical resilience in this way will not stop you getting sick or attacked, although it will increase your ability to withstand (and recover from) these situations. However, even when you take every precaution – life happens! Therefore, we have police, a medical system, insurance, and other measures to assist when things go wrong – and they always do. This is our fallback plan, or way to recover when the inevitable happens. It highlights the fact that however strong your defences, however resilient you are, situations will occur that require you to lean on a purposefully designed third party person or service to recover.
Similar issues affect all that we create: businesses, buildings, transportation systems, software and electronic hardware. Each includes systemic risk – although as intelligent beings, we attempt to include (or improve) resilience so they can weather the storm (literally and figuratively). In the case of a business, we understand things will not always go to plan – we will encounter unforeseen changes to the market, changes to economic or political policy, or even attacks from our competition (or other groups that would seek to do us harm). What do we do about it? A good business owner/operator will not try and prevent all of these (it’s impossible), but will take steps to improve their ability to detect current or future issues, reduce the likelihood of them happening, increase tolerance for when they do, and have plans in place to sustain or recover when things go drastically wrong – this is resilience.
The same applies to technology, it is critical to remember that we (humans) created it, and therefore it will include flaws and vulnerabilities. This could include erroneous code, electrical or mechanical issues – each of which has the potential to disrupt or destroy the system it is supporting, either through natural wear and tear or as a result of being attacked by a human or another system. In addition to technology/infrastructure, our businesses are made up of humans – all including their own faults and vulnerabilities. Many individuals and groups around the world also seek to exploit these vulnerabilities for their own gain, be it financial, political, or just because they can – and some of them are VERY good at it.
In today’s world of hyper connectivity and reliance on technology for so many aspects of our lives (i.e. agriculture, transport, education or business), we must manage, protect and secure each of these to reduce the risk of our livelihoods, or our lives, being negatively impacted (or prematurely ended). Each must include an appropriate level of tolerance (from failure or attack), and the ability to recover from disaster – they must be resilient.
In terms of Cyber Crime or Cyber Warfare specifically, which is today one of the biggest risks to business and society, resilience is crucual. In this context, it’s imperative that we implement the right hardware, software and processes – having understood the risks of each, and configure these to withstand attacks (as much as possible/appropriate under the circumstances), and create processes or plans to be followed when our defences fail to stop an attack. We must become resilient.
Defences may include a firewall, traffic monitoring, anti-virus, encryption, strong passwords, multi factor authentication, staff awareness training and more. Assuming the correct choice of hardware, software and systems, with configuration or implementation by an expert, these undertakings will provide a certain level of protection – however, as with the case of humans getting sick, it’s impossible to protect your business or it’s systems against all forms of attack. Some will be successful and therefore it’s imperative that resilience is included by design – this may include a secondary firewall, internet connection, data backups, cyber insurance and more.
It is critical that carefully thought out and comprehensive step by step plans to follow are also in place, including Disaster Recovery and Incident Response plans, yet so many businesses do not have these - which will ultimately increase panic/chaos in the event of an attack/failure, and reduce the businesses ability to recover.
Consider these three points when contemplating the Cyber resilience of your organisation:
We value our business and that of our clients – so this is what we do, all day, every day. We take every step to provide protection, detection and mitigation services, however we know situations will occur regardless of the measures we take, so the consideration and implementation of resilience is part of our daily practice.
Consider a scenario: If an attacker compromised or destroyed your financial system, what would happen? Could you recover from backups – and how long would this take? If backups were not available, what would you do? What would be the impact to your organisation?
Cyber Criminals are after YOU and your business. We all face a persistent threat from these groups and individuals, and here at Evisent, we don’t plan on letting them win.
Thought for the day: How resilient is your business?
Founder and Cyber Security Advisor