As Salesforce’s Chief Trust Officer Jim Alkove put it in the World Economic Forum:
“Cyber resilience starts with nailing the cyber security basics. At Salesforce, we call it ‘doing the common uncommonly well.’ … Business resources are often still allocated to defensive cyber security, which is focused on protecting the confidentiality and integrity of data. But these defenses are proving insufficient in the face of attacks that grow more sophisticated by the day. We need cyber resilience in addition to cyber security and it’s important to understand the difference.”
There are two important takeaways from this quote that shed light on the true nature of cyber resilience.
“The common uncommonly well”
Cyber resilience can only be effective when built on a solid foundation. This is step number one. Yet many businesses fail even at the easiest security measures, especially SMBs, which were heavily affected by the forced pace of digital transformation brought about by the pandemic. The lack of multi-factor authentication and endpoint protection, together with unsupervised access rights, magnifies the attack surface in a hybrid work environment.
So first, businesses need to understand the importance of cyber security!
Cyber awareness and system-wide transparency should be the starting points for any cyber resilience strategy. Cyber security for SMEs is all about the cycle, the routine: effective defense is not built in one day but day by day.
“Defensive cyber security is not enough”
Adaptation is key. Since we compare cyber resilience to our immune system, let’s put it this way:
Cyber security is a company’s ability to protect against and avoid cyber attacks. It is mainly about preventive measures, just as we use vitamins, supplements and vaccines to protect our health.
Cyber resilience is not just about protection, but also about the ability to get back on your feet once you’ve been hit by an attack: the ability to mitigate the damage and carry on. It is like rehabilitation or after-treatment in healthcare.
In brief, pre-incident and post-incident measures are equally crucial to build effective defense for your company, just like our immune system needs both preventive and rehabilitative care at the same time.
These two should go hand in hand. Only then can we speak about cyber resilience.
Time is money
The numbers speak for themselves: Cyber criminals can penetrate 93% of company networks and cybercrime cost U.S. businesses more than $6.9 billion in 2021. Yet, cyber fatigue or apathy is a common disease among business owners – as much as 42% of companies fail to proactively defend against cyberattacks.
In developing and improving enterprise cyber resilience plans, it is critical to reduce the mean time to know (MTTK): the time it takes for a company or organization to realize that security has been compromised. This also dramatically reduces the mean time to repair (MTTR). Why is this so important? Experience teaches that the longer a cyberattack or security breach goes unnoticed, the more successful it is, increasing the risk that it will leave irreparable damage in its wake. By using IT service management solutions, companies can detect an attack immediately, prevent damage, avoid costly repairs and avert a loss of customer confidence.
Let’s sum it up: cybersecurity and cyber resilience are two strategies for protecting sensitive information. However, the two approaches achieve their goal at different stages of a cyberattack. Firewalls and antivirus are cybersecurity tools that proactively monitor network traffic for threats. Cyber resilience, on the other hand, means strengthening existing defenses to protect data assets against attacks already in progress.
To put it another way, cyber security is rather about what to do “if” a cyber attack happens. Cyber resilience is what to do “when” it happens. Because, yes, it will happen. You can’t avoid cyber attacks, and this is why you can’t avoid building a cyber resilience strategy either.
Key takeaways for SMBs
Get the right attitude:
Cyber resilience is a mindset. The greatest challenge is the misconception that cyber attacks are not targeted at SMBs. Another obstacle is cyber apathy: when the pandemic hit, SMBs were struggling to keep up with the pace of digital transformation and the shift to a hybrid work environment, and cyber resilience was not a top priority for them because of the lack of financial resources and human capacity.
But the right attitude is all about acknowledging the fact: a cyber attack will happen eventually. It’s not a supposition, it’s a fact. The only question is how hard it will hit. So again, vigilance, visibility and a proactive approach towards cyber resilience are essential.
Know the risks:
Cyber resilience acts as a shock absorber. When done right, it can mitigate financial loss, minimize your attack surface and gain customer trust. To get the best shock absorber, you need to be familiar with the nature of the shocks and obstacles that can come your way in the cyber landscape.
Cyber risk arises from the possibility of deliberate, targeted IT-based attacks on data and IT systems. These attacks are likely to cause the following consequences:
- Violation of the confidentiality of data (e.g., data loss, spying on data)
- Violation of the integrity of the system or data (e.g., data corruption, possibly by means of malware)
- Violation of the availability of the IT system or data (e.g., internal business interruptions, failure of communication channels with third parties)
Invest, but don’t overinvest
A dedicated security expert is a valuable investment for SMBs, especially because SMBs tend to over-invest in a variety of cyber security tools. This hoarding disorder is also known as “tool sprawl”, and it produces an unmanageable amount of data. The IT staff gets lost in the details and does not know how to prioritize and manage risk factors. Tools need to strengthen each other and be interoperable; accumulating tools in silos with no well-defined strategy is counterproductive.
Invest in human capital as well: outsourced specialists and managed security service providers or, if you can afford it, in-house expertise to find the best tools for your business.
Go for the quick wins:
Prioritize and identify quick wins. There are many: these are the security measures that require only a small amount of energy or money but greatly improve your security posture.
- use multi-factor authentication and secure passwords to protect credentials
- give cyber security awareness training to empower your workforce
- provide endpoint protection for devices to make home offices more secure
- back up your data to assure business continuity in case of an attack
- automate access risk management to minimize human error
- track license usage to save money
Interested in a quick win with visible results? Check how much you can save by automating license monitoring, or download our checklist of cyber security quick wins for SMBs.
Communicate, learn, iterate, delegate:
Cyber resilience is a cycle: learning while doing. Make sure you document everything, communicate constantly with your workforce, learn from mistakes and iterate accordingly. How you delegate cyber security tasks is also crucial for SMBs, as it allows for transparency and a fast reaction time in case of an attack.
Overcome cyber apathy:
The main reason for cyber apathy is the plethora of challenges businesses face when it comes to cyber resilience.
First, there is no one-size-fits-all solution. Each business is different, with different needs; as we already noted with the shock absorber analogy, each path comes with different holes and bumps along the way.
Second, the basis of cyber resilience is cyber security, a foundation that is missing in many businesses. The lack of cyber security awareness and the real or perceived lack of financial resources push business owners to take up the ostrich mentality and put cyber security issues in the hands of blind fate.
Third, cyber apathy also feeds from a psychological attitude: “if you can’t do it perfectly, don’t do it at all.” Unfortunately in cyber security you have to let go of perfectionism.
Finally, another intimidating factor is its cyclic nature: cyber resilience is an ongoing process, it means constant vigilance and iteration, because it’s all about adaptation.
Before you turn to cyber apathy at the sight of these challenges, it’s time to talk about a useful set of guidelines that could help you tackle these obstacles. It’s called the cyber resilience framework.
The cyber resilience framework
There are several cyber resilience frameworks, but with more or less variation they share five key areas, rooted in the National Institute of Standards and Technology’s (NIST) cyber security framework, which was designed to help businesses withstand attacks. Just like a good strategy, the cyber resilience framework consists of a set of interconnected layers that build upon each other to provide maximum vigilance and visibility over your business, the two principles at the core of a good cyber security strategy.
The framework is essentially an incident response strategy that consists of pre-incident and post-incident steps: preventive and rehabilitative measures.
The pre-incident steps are:
- Identify: This stage is about getting the basics right. You can only defend your business if you have identified all the critical assets and data and gained a profound insight into what’s really at stake. You need to know what you have in order to protect it. Cyber awareness and system-wide transparency are crucial to get a clear understanding of the current state of your business. If we go back to our analogy with the immune system, this is the medical checkup, scanning the current state of your health.
- Protect: Now that you know what to protect, you need to know how to protect it as well. Knowing and doing should go together. Empower your workforce with company-wide cyber security training, identity management and access control, and use automation and AI to reduce human error. Update security software and conduct regular backups of data to assure business continuity in case a cyber attack happens.
The post-incident steps are:
- Detect: Now that you know what and how to protect, it’s time to know the “when”. You need to spot the signs of an attack and put systems in place that monitor suspicious activity. It’s also crucial to act as if the security incident has already happened: the average delay in breach detection and containment is 280 days. Fast detection can definitely mitigate the effect of cyber attacks. A big challenge security teams face when detecting anomalies is the abundance of data and the lack of human capacity to look at each alert individually and evaluate the risk. Automated detection can, however, cut through the noise and save the day… and several working hours.
- Respond: Fast reaction time and your response strategy can make or break your cyber resilience strategy. You need to have a plan in place to respond fast and minimize the damage. Prepare for the worst with your team to make sure you won’t panic. Know who does what, whom to notify and how to initiate the response plan. You need a well-orchestrated deployment of your response strategy: set the priorities and be fully transparent in delegating tasks and responsibilities.
- Recover: It’s time to get back on your feet. A good recovery plan enables rapid rehabilitation after the attack, documents everything for further improvements and iterations and manages both internal and external communications of the restoration activities with stakeholders like internet service providers, coordinating centers, the victims, and especially the clients and partners. Transparency and clear communications are the only way to assure long-term customer trust after the incident.
The cyber resilience framework is a cycle that needs to be constantly iterated. That’s why an extra step such as “anticipate”, “evolve” or “learn” is sometimes added, to emphasize that cyber resilience is about constant adaptation to the changing cyber environment.
It’s easier to say or write about it than to actually do it, so we compiled some key takeaways and quick wins for SMBs to get started with building a cyber resilience framework.
Automated access control strengthens cyber resilience
Automated access control supports the pre-incident phase:
Step 1 – Identify for maximum visibility
Get an overview of company-wide access rights for transparency. Supervise employees’ and third parties’ access rights, and track inactive and unassigned licenses.
Step 2 – Protect with 24/7 vigilance
Automated risk detection sends alerts and notifications of access risk issues. Prevent phishing attacks and data theft by minimizing your attack surface.
Effective measures in the pre-incident phase can also grow your ability to cope with post-incident challenges. A strong preventive strategy can positively affect your rehabilitative capacity.
The importance of access rights management
Access rights management is an important component of cyber resilience. It belongs to the pre-incident part of the framework. Access rights are entry points to your data and confidential business information. The way your IT department assigns and revokes access rights, and detects and manages potential access risk issues, has a huge impact on your security posture.
A small step for you, but a giant leap in your cyber resilience, if you get it right!
Access control best practices such as the segregation of duties or the principle of least privilege are not enough anymore: system-wide awareness of and transparency in your access rights is key to securing your inner circle of data and confidential business information.
And it’s easier than you think! We compiled a checklist on how to avoid the main mistakes in access risk management.
The role of automated control in cyber resilience
Access risk management can make or break your business. With the right automation process, you’ll make it! Automated access control helps you maintain visibility and vigilance over your business, which is the foundation for a strong cyber resilience strategy. It has three great advantages when compared to manual control:
First, it minimizes human error, the most common cause of cyber attacks. Manual control leaves open doors for cyber criminals and access risk issues such as privilege creep.
Second, it boosts productivity. Automated control allows for a faster reaction time if an access risk is detected and takes the burden of manual control off the already overwhelmed IT and HR departments.
Third, it gives you system-wide transparency of your access rights and license usage, all in an easy-to-overview interface, which is key to complying with security standards and passing audits with ease.
We designed TheFence, our access rights and license management software, to automate access control for SMBs. It also supports the cyber resilience framework in the pre-incident phases:
Step 1 – Identify – Automated access rights monitoring and our “riskiest employees” report give you a general overview of access risk issues, not only for employees but also for third parties. License usage monitoring helps you identify unassigned and inactive licenses to save money on license costs.
Step 2 – Protect – Automated risk detection sends notifications and alerts directly to the person in charge in case of access risk issues. This helps you prevent phishing attacks and data theft, because mismanaged access rights and unsuspecting employees are the number one reasons for these cyber threats.
Post-incident steps (Detect – Respond – Recover) also benefit from automated control: proper access rights management is a huge advancement in your cyber hygiene. Although it is a preventive measure, it can definitely improve your ability to detect and respond fast and, consequently, to recover quickly.
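As an added illustration of the access risk checks described above (example code written for this article, not TheFence’s or the page’s own code), here is a small detector that runs over a constructed access inventory: it flags rights beyond a least-privilege role baseline (privilege creep), segregation-of-duties conflicts, licenses held by inactive accounts, purchased seats nobody is using, and ranks users by number of findings as a “riskiest employees” report. Role names, rights, seat counts and the 90-day idle threshold are assumptions.

```python
from datetime import date

# Constructed sample inventory (not real data): who holds which rights and licenses.
ROLE_BASELINE = {                     # assumed least-privilege baseline per role
    "accountant": {"view_invoices", "approve_payment"},
    "purchaser":  {"view_invoices", "create_vendor"},
    "contractor": {"view_invoices"},
}
# Assumed toxic combination that violates segregation of duties.
SOD_CONFLICTS = [({"create_vendor", "approve_payment"}, "vendor-and-payment")]
LICENSE_POOL = {"erp": 3, "crm": 3}   # assumed seats purchased per product
REPORT_DATE = date(2024, 6, 1)        # constructed "today" for the idle calculation

ACCOUNTS = [
    {"user": "alice", "role": "accountant", "rights": {"view_invoices", "approve_payment"},
     "licenses": {"erp"}, "last_login": date(2024, 5, 30)},
    {"user": "bob", "role": "purchaser", "rights": {"view_invoices", "create_vendor", "approve_payment"},
     "licenses": {"erp", "crm"}, "last_login": date(2024, 5, 28)},
    {"user": "carol", "role": "contractor", "rights": {"view_invoices", "export_customers"},
     "licenses": {"crm"}, "last_login": date(2024, 1, 10)},
]

def privilege_creep(account):
    """Rights granted beyond the role's least-privilege baseline."""
    return sorted(account["rights"] - ROLE_BASELINE[account["role"]])

def sod_violations(account):
    """Names of toxic right combinations this account holds in full."""
    return [name for pair, name in SOD_CONFLICTS if pair <= account["rights"]]

def inactive_licenses(account, today, max_idle_days=90):
    """Licenses held by an account that has not logged in for longer than the threshold."""
    idle = (today - account["last_login"]).days
    return sorted(account["licenses"]) if idle > max_idle_days else []

def unassigned_licenses(accounts):
    """Purchased seats that no account currently uses, per product."""
    used = {}
    for a in accounts:
        for lic in a["licenses"]:
            used[lic] = used.get(lic, 0) + 1
    return {lic: seats - used.get(lic, 0) for lic, seats in LICENSE_POOL.items() if seats > used.get(lic, 0)}

def access_risk_report(accounts, today):
    """Per-user findings plus a ranking of users by number of findings (most findings first)."""
    users = {a["user"]: {"privilege_creep": privilege_creep(a), "sod": sod_violations(a),
                         "inactive_licenses": inactive_licenses(a, today)} for a in accounts}
    riskiest = sorted(users, key=lambda u: -sum(len(v) for v in users[u].values()))
    return {"users": users, "riskiest": riskiest, "unassigned_licenses": unassigned_licenses(accounts)}

if __name__ == "__main__":
    import pprint
    pprint.pprint(access_risk_report(ACCOUNTS, REPORT_DATE))
```

In a real deployment the findings would be routed to the owner of the affected system, which is the “alert to the person in charge” step the text describes.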
The future of your business
Cyber resilience is the future of cyber security, and it will also shape the future of your business: a dark future if you fail to prepare, and a bright future if you allocate resources to get the right tools, the right training and the right attitude to build a cyber resilience strategy, so you can manage cyber security threats and defend what’s yours.