In 2012, FBI Director Robert Mueller famously said that he was “convinced that there are only two types of companies: those that have been hacked and those that will be.” The statement’s relevance in 2017 is evident: it is inevitable that your organisation will experience a cyber incident. However, the focus has shifted. The question for organisations is no longer what they will do IF they experience a cyber incident, but rather what they will do WHEN they experience a cyber incident. Based on the cyber security trends of 2016 (and 2017 so far), the cyber security strategies of organisations should no longer be constrained to protecting themselves from, and preventing, a cyber incident. Rather, organisations need to accept the inevitability of a cyber incident and focus on how to effectively respond to and recover from one.
There are two types of businesses – those who have experienced a cyber incident and those who don’t know they have.
Responding effectively to the inherent vulnerability of technology, and of doing business in the digital age, is critical. An organisation traditionally relies on its Cyber Security Strategy to protect itself from cyber attacks. Cyber Security Strategies are generally defensive in nature, with the aim of preventing an attack from occurring. However, responding with technology alone is unlikely to be enough. Organisations need to approach cyber security with a ‘whole-of-business’ approach that addresses risk and embeds a cyber resilient culture within the organisation.
Addressing cyber security with a ‘whole-of-business’ approach requires a business to classify cyber security as a strategic business issue and to increase its cyber resilience. Cyber resilience refers to an organisation’s ability to prepare for, respond to and recover from a cyber incident. Cyber resilience is more than just preventing or responding to an attack; it also takes into account an organisation’s ability to adapt to, and recover from, a cyber incident.
Tips for Cyber Resilience
- Make cyber resilience a strategic business issue and a priority of executive management and the board.
- Identify and understand the regulatory, legislative and any industry standards your organisation needs to adhere to.
- Identify your organisation’s data assets, their value and where they are located.
- Understand your organisation’s business risks in relation to its key data assets.
- Develop and implement a cyber resilience framework that addresses your organisation’s business risks in relation to those data assets, including people, processes and information and systems security.
- Develop a rigorous Cyber Incidents Response Plan that outlines the priorities and risk mitigation strategies that will ensure organisational agility and adaptability during a cyber incident.
- Undertake a regular review of your Cyber Resilience Framework and conduct regular testing of your Cyber Incidents Response Plan (after all – practice makes perfect!).
- Regularly educate and train all your employees on cyber security to create a cyber-aware organisational culture (remember – most cyber incidents will occur because of a lack of employee awareness).
Organisational inertia in addressing cyber resilience is not only costly but will also impact your organisation’s ability to survive cyber incidents, its ability to thrive in the digital marketplace and its long-term competitiveness in the market.
Sainty Law can undertake a comprehensive Cyber Resilience Health Check on your organisation, design and implement an appropriate Cyber Resilience Framework, and assist with Cyber Incidents Response Plans and Business-as-Usual (BAU) risks. Contact us today for more information on our Cyber Resilience Services or for advice on how your organisation can comply with its legal and regulatory requirements.
Robert Mueller, RSA Cyber Security Conference, San Francisco, CA, 1 March 2012. https://archives.fbi.gov/archives/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terrorists-hackers-and-spies