Simply put, cyber resilience is a measure of how well an organization can operate its business during a data breach or cyber attack. Security teams have measures in place to detect and stop attacks, and they have recovery plans for the inevitable breach, but can they, along with IT, keep critical business processes such as order fulfillment, customer service, or accounting operating during a crisis?
Take NotPetya, for example, which Rob Juncker, senior vice-president of product development at software provider Code42, says shut down “supermarkets and ATMs all throughout the Ukraine.” Or WannaCry, which he says left hospitals unable to access patient information. Just as “the biggest organizations fail and...go bankrupt because they've failed to innovate,” Juncker says a lack of security readiness has similar potential to bring a company down. When everyone understands the vital nature of security, devops is free to build buffers into the business that keep it resilient enough to survive.
Understand the business to better protect it
For starters, Don Aliberti, head of information security for financial services group Nomura Holdings America, says, “If you want to protect the enterprise, protect the firm, you have to understand your firm.” Take a good look at every company process that uses tech. Sure, code is being developed, but so are marketing campaigns. Maybe sales is in the middle of drafting an important proposal. Accounting is filing quarterly taxes while email and Slack send every message imaginable back and forth.
If it has value and is happening on your systems, it needs to be protected. Determining value, Aliberti says, requires “understanding what are the main functions that keep the business going and what are the main risks to the business as far as availability, confidentiality, and integrity that potentially could hurt the business.”
Approach your backup systems with a business mindset
If a malware attack meant development could no longer access their work, what would happen? Could the business keep going? With backups, maybe. They’re not just there in case someone deletes something, after all. Ben Cabrera, CIO for Covanta, says backups are part of the environmental company’s plan for dealing with ransomware: “Disaster recovery and backups have become really important thing for us.”
If hackers attack, he explains, “We just shut down that environment and move to the next environment, which is a warm backup. From a disaster recovery perspective, we can be back up and running within a relatively short period of time.”
The trick to backups is to approach them with a business -- not just security -- mindset. In deciding whether to repair or ditch an infected system, Cabrera says, “You really have to make a decision in terms of what was compromised, what was damaged, and then -- at the same time -- what's the cost of information that's actually transpired since that point? If the breach was two months ago, for example, backing up to that point in time would be a loss of information and value to your business, right?”
Look beyond security for help building in resiliency
Cabrera mentions data consultants can help with this work, but Aliberti disagrees. He says security teams hire outside consultants too often. These third parties, he explains, “look at a specific application; they do an application assessment. They're looking at bits and pieces, but they never understand necessarily...the end-to-end business processes.”
You know your data best, he continues; you know which “systems...are most important, what is the downtime that you can afford to have, what is the data move, where does the data exist.” Outside parties aren’t in your company every day. The only way they understand your priorities is through you.
That doesn’t mean you shouldn’t look beyond yourself for advice. Building resiliency across the entire organization takes everyone. Non-security colleagues may have better ideas than you think.
Mignona Cote, global head of identity and access management for insurance company AIG, notes that there’s a department in every business that’s mitigated risk much longer than infosec: accounting. “The finance people have been control people for years, way before we were,” she explains. “When I was an IT person and tried to do something with numbers or whatever, it always knocked the general ledger out of balance and people would come looking for me. They actually knew how to look at the logs -- the transaction logs -- which [security] never really embraced. There's a level of control that we need to focus on outside of what we typically do as IT professionals.” After all, finance, she continues, has “been audited for years.”
Don’t stop there. Cote reminds us other departments have kept secrets for longer than cybersecurity has even existed. Take Pepsi, she explains, which opened in 1898: “We're not gonna get that PepsiCo formula. It has a thought process around it on how to protect it.” Should that early Pepsi recipe have been stolen, you better bet the company had an action plan.
The people in charge of proprietary data today may have ideas that could help keep tech ops running after an attack as well. At AIG, Cote says, “There's certain data that they don't let us -- the security people -- touch. The business wants to protect it, keep us away from it.” It sounds extreme, but spreading secrets among multiple parties does keep one department from overseeing everything, meaning no one worker can take the business down.
Juncker says, “Our business used to be that everything we needed to run our business was within the four walls of our monitor. But right now, we've embraced cloud in so many different ways. We've embraced trading partners; we've embraced technologies that speed our innovation forward.” Companies embrace new technologies because they help the business grow. Security, he says, is “oxygen.” If your company wants to continue breathing, the entire body needs a contingency plan.
Attacks will come, but with this plan in place, you can survive them. In 2014, Iranian hackers attacked Sands Casino. Aliberti says, “They took down all parts of their environment. It took quite a while for them to recover, but they were still able to get people booked into the hotels.”
You have to keep critical operations going. Insuring the entire business is “a broad attack surface,” Aliberti says, but if you break operations into smaller pieces, you can manage it.