We face a time where our adversaries will have the power to read all of our secrets, masquerade as any of us, and shift the realities in our minds to their bidding. Malicious actors will do this by leveraging new technologies that are designed to help us connect, identify and communicate in vastly different ways.
Today’s times are anything but business as usual – it’s become clear that corporate goals on cybersecurity, which revolve around stopping an attack in its tracks, are unsustainable in this unpredictable and uncertain world, and need rethinking.
From cybersecurity to resilience
Today’s cybersecurity focus needs to shift to cyber resilience. Leading reports from the Cyberspace Solarium chartered by the U.S. Congress, the National Security Telecommunications Advisory Committee’s Cybersecurity Moonshot reports, the National Infrastructure Advisory Council’s recommendations submitted to the U.S. President, and The Future of Digital Economy and Society report led by the World Economic Forum, call on businesses and leaders across the globe to focus on resiliency as their top cyber goal.
Current cybersecurity strategies tend to center around stopping potential threats from getting into your computing and communications infrastructure at all. To be successful, it requires that no employee ever click on a bad link, download the wrong file or work from an unsecured Wi-Fi network.
However, this approach is not realistic nor sufficient enough in today’s world, and impossible in our collective future. That is why business leaders need to rethink their cyber strategy to adapt to our constantly changing world.
In practice, the concept of cyber resilience is based on a bend-but-not-break philosophy. It understands that despite significant defensive investments and best efforts, cyber-criminals will occasionally get in. The cyber resilience approach is based on the premise that if you organize your defenses to prioritize resiliency over just computer security, you keep what’s most important going – your business.
No matter what your business might be – whether it is churning out widgets or keeping the lights on – what’s key is to keep your most valuable assets unaffected and operational. Implementing this new goal, from the boardroom down, helps save money and improve results.
To make the process easier to implement, companies can begin with these five core steps common to most cyber resilience frameworks:
- Operational redundancy – Designing out single points of failure in within operations, be it electronic, human, or supplier, is a critical step toward cyber resilience. Planning for geographically diverse backup centers, multiple suppliers of core services such as power and cloud, and facilitating trusted remote workers provides for lower costs and higher uptime in the face of a disaster.
- Micro-segmentation – Protects a network by breaking it into smaller chunks down to the packet level, creating multiple unique closed user groups. Networks are segmented based on the criticality of information they house and the level of risk to them. Because it is software-based, micro-segmentation makes this easy and very practical without requiring major changes to the network or application infrastructure itself, in which security becomes extensible and adapts to changes.
- Trusted ecosystem – Trust in digital business is earned during every digital interaction with the enterprise, this means establishing strong bonds of trust throughout their ecosystems of employees, partners, suppliers and customers. By operating resistant and resilient systems, establishing trusted identities, and focusing passionately on client success, it is possible to make trust a critical success factor.
- Active defense – It’s now possible to better understand the tricks and tools that adversaries are using against businesses, and use that knowledge to degrade their attack capability. An active defense leverages the wide spectrum of proactive cybersecurity measures that fall between traditional passive defense and offense. Technology, intelligence, policy (i.e. sanctions and indictments) and consequence can all be used to modify the behavior of malicious actors. So, while businesses aren’t “hacking back”, they’re also not just being a victim.
- Cyber insurance – With the rapid pace of digital transformation, cybersecurity has become a top concern of government and business executives, their leadership and their boards of directors. Implementing a solution that draws on the strength of an analytics model, used in the cyber insurance industry, to quickly and easily assess the potential financial impact of cyber risks is vital.
Thinking ahead
Our cyber future needs be one of resilience in the face of unprecedented challenges. Although the process is neither easy or automatic to get this right as a society, there is room for optimism.
Starting at the top, as everyone is re-imagining their business in the post-pandemic world, boards will continue to face challenging decisions every day. Ensuring that their company is cyber resilient should be at the top of every board agenda today.
Despite the increased risks and impacts caused by current events, there is real reason to be excited about our future. By focusing on cyber entrepreneurship, innovation and education again in the 2020’s, working on building life-changing products and services, and getting all of this into the hands of the public, technology gives us the power to make all of our lives better.