As companies adopt more digital technologies, the attack surface has shot through the roof. Consequently, a greater attackable surface is available, which can make companies vulnerable to cyber threats.
The apparent goal of cyber security is to protect the business from cyberattacks and risks, but is there a solution that’s 100% effective? Realistically, no cyber security solution can do that, even if they promise. The attacker is just one vulnerability away from intruding into the company’s systems and launching an attack. What could change the story is an organization’s resilience.
If you look at a simple e-commerce website, it involves pieces of digital technologies working in tandem. E.g., a website is hosted on a server, then there’s a payment gateway, a merchant bank, a customer bank, and so on. Even if a single piece of this chain is affected, it paralyzes the entire business. When digital technologies are intertwined, an attack on either one of these pieces creates a spiralling effect and causes downtime.
Attacks have grown sophisticated, and the number of risks has increased.
Here are some statistics to give you a hint:
The world has witnessed some events previously which have forced organizations to close their business operations permanently. Let’s look at some.
An attack that brought an existential crisis
A US-based institute, Lincoln College, was a victim of a cyberattack in 2021. The institute was already struggling with Covid-19 and the ransomware attack led to a massive drop in enrolments. When the institute could no longer function (owing to cashflows), it announced the plan to close the institute permanently.
A classic supply-chain attack
In 2021, Swedish supermarket Coop’s POS (Point of Sale) and self-service checkouts were hit by a supply-chain attack. The supermarket was using compromised software. The attack prompted Coop to close about 400 stores. The hackers then put forth a demand of $70 million for data restoration. It took about six days to reopen all the stores.
Another attack that almost led to a war-like situation
In May 2021, a huge US-based energy supplier, Colonial Pipeline, shut operations for five consecutive days due to a cyber attack – forcing the company to pay about $4.4 million to hackers. This attack affected other industries like airlines too. It created a temporary energy crisis in the US.
Besides the loss of trust and reputation, there are financial consequences, as seen in the above examples. According to an article published by IBM, the average cost of a data breach in 2022 stood at $4.35 million. For small and medium organizations, the costs of an attack could be a huge blow. However, can an organization minimize the impact?
Cyber security is undoubtedly a must, but what about cyber resilience?
A company should focus on minimizing the disruption impact of a security incident. An organization’s ability to quickly get on its feet after an attack depends on its resilience. Is it able to recover faster? Can the attack be contained swiftly so that there is minimum disruption? How soon can the systems be up and running? Can you minimize the financial repercussions?
What if the supermarket Coop had just taken six hours instead of six days to reopen all the stores? The financial losses incurred would have been reduced significantly.
The need for more than a security solution
Around 90% of the attacks are attributed to phishing. Businesses rely on email communication; cybercriminals try to intrude into the systems through emails with malicious attachments or links - the easiest way to disrupt business operations.
An organization uses email security solutions to counter these phishing attempts. But as attacks get smarter, phishing emails can pass on without raising suspicion. As a result, it’s not uncommon for employees to fall into a cyber-trap. Even large companies sometimes cannot differentiate between a regular email and a carefully crafted malicious email.
Even tech giants can become victims
Between 2013 and 2015, Facebook & Google fell victim to a Business Email Compromise (BEC) attack. A group created a fake company and sent invoices to Google & Facebook. By the time the attack was uncovered, both companies had lost around $121 million. Defending the systems can never be enough, organizations need a resilient infrastructure.
The above example of the BEC attack looks more like a human error on the companies’ side. Could well-trained and aware teams have foiled the attack? Absolutely. Employee security awareness is one of the critical components in tackling socially engineered attacks and spear-phishing campaigns. People are important links (and could be the weakest links), and they need to be educated. Security culture or mindset becomes crucial for stronger cyber resilience. What else should you include in your cyber resilience strategy?
Create a response strategy
Business resilience is as good as your processes. How well have you designed your process to deal with a security incident? Communication plays a major role. When a breach is discovered, who do you rcontact? Is it the CEO or CISO, or a board member? Is this pre-defined? How do you communicate this information, and what level of information needs to be shared?
Instead of just reacting to a security event, the organization needs to rely on a pre-devised plan, which includes how you communicate with internal and external stakeholders. An organization needs to have simulation workshops. It’s not about just security teams – other teams like legal, communication, compliance, etc. need to be included in these workshops.
Check your IT infrastructure under stress
Some industries, like the banking and finance sector in Europe, are well-governed by regulatory institutions. This reinforces banking systems to have a stronger response to withstand disruptions. Basel III standards are applied to internationally active banks to avoid the build-up of systemic vulnerabilities. However, not all industries have such a regulatory framework. The question is can organizations manage to reduce risks without such regulations?
Test your resilience by simulating attacks on one or more systems to understand whether the system can withstand the incident. This concept is called Chaos Engineering. For instance, Netflix launches Chaos Monkey to attack its own code and check resilience, security, recoverability, etc. It checks your IT infrastructure under stress.
Create a security approach that ensures same levels of productivity
Prepare for extreme consequences like pandemics and natural disasters. Do you have a strong IT infrastructure to support a work-from-home setting? How secure is that setting? Can the company enforce the same levels of cybersecurity policies to the distributed workforce? Businesses need to look at a Zero Trust strategy where access to applications and data is granted once the identity is verified – regardless of whether the user is on-premise or not. Such solutions ensure minimum disruption and productivity levels are uncompromised.
Create a security culture
An organization needs to spend time and money to educate and upskill the teams. Unaware teams pose a huge risk, as we saw in the examples above, with phishing and socially engineered attacks.
Consider a cyber insurance
Of all ransomware attacks, about 58% pay up the ransom. With such a situation, it does make sense to have cyber insurance. Of course, cyber insurers assess the risk and would offer a policy as per their evaluation.
Specialized teams to monitor, analyze, and respond better
Businesses need specialised teams available to monitor threats and respond in real-time. A Security Operations Center (SOC) could be an ideal solution, but since not all businesses have enough resources to set up an in-house SOC team, they can opt for a managed SOC team.
[Learn more about what a SOC team does on this page]
Businesses need to be realistic regarding cyberattacks. Sooner or later, they will face a breach or an incident. It’s practically impossible for any digital organization to stay under the radar and not become a victim. There will be attempts to intrude your systems – what matters is how soon you’re back to normal functioning. On average, it takes about 280 days to contain a breach. The faster you contain it, the lower the costs that you incur – that’s what cyber resilience is about.
Cyber resilience may seem overwhelming today, but it’s a competitive advantage in the long run. There is data available today that points out that cyber-resilient organizations suffer lesser damage as compared to risk-takers.
The good news is that cybersecurity culture is growing as businesses are willing to invest time in building awareness. As a result, cyber security spending has increased. For example, a Hiscox report stated that German companies spent the most on cyber security at $5.5 million (2021). In addition, more companies intend to invest in staffing and training.
The trend to be resilient is set to continue. According to Gartner, 70% of CEOs want to build an organizational resilience culture which can cope with all types of disruptions, including cyberattacks and threats.
Cyber resilience and cyber security must be seen as growth enablers. For any business to serve customers better and faster, it’s imperative to become digital. But disruptions such as cyberattacks should not scare businesses from adopting digital technologies. Instead, strengthening security architecture, deploying resilient solutions, and cultivating a security mindset in the company will help an organization to become digital faster and more secure.
Transformation and resilience go hand in hand; resilient organizations have minimized data loss and downtime and avoided unnecessary costly lawsuits. As a result, cyber security and resilience have become the backbone of digitalization.
T-Systems offers a range of assessments and advisory services to help you determine your roadmap to becoming a more secure organization.
