An introduction to and definition of cyber resilience, which offers a more holistic – and evolving – way for digital business continuity despite cyber attacks and other impactful cyber incidents in times that cybersecurity alone isn’t enough anymore.
In business, as in life, there is always something that can go wrong. Knowing threats, risks, or potential disruptions if you prefer that term, is a first step to be able to take measures to prevent and mitigate them while minimizing the impact if they do happen.
Cyber resilience is the alignment of prevention, detection and response capabilities to manage, mitigate and move on from cyberattacks (Ponemon Institute)
Analysts, insurance companies, and other firms have been mapping the main – perceived – threats and risks for businesses each year for a long time now. Among all the potential perils for organizations, cyber incidents gradually were seen as more important risks over the years as digital technologies became critical: from data breaches and cyberattacks to unexpected outages of critical systems.
Sometimes their perceived risk to business continuity and business overall moved up or down a bit in annual overviews of such perceived dangers and threats. Still, in general, the impact of cyber incidents has grown, as has their ranking in these lists of – perceived – risks.
Digital transformation inherently brings with it new risks that may have been previously unforeseen or that may have complicated the risk profile of well-established business processes (IDC)
Cyber resilience – cyberattacks and the growing importance of IT systems in business
And today, business executives often rank cyber incidents as the main threats to their business. By way of an example: in 2015, participants to the annual Allianz Risk Barometer ranked cyber incidents (cybercrime, data breaches, IT failures) as the third main global business risk; in the 2020 edition, cyber incidents ranked first with 39 percent of responses.
And this is where cyber resiliency comes in (on top of other reasons). Since digitization and digitalization have become crucial for business and the impact of incidents becomes much higher (also, for example, in a context of regulation and lawsuits), organizations approach if all more from a risk management and business continuity perspective. Business continuity planning plays an essential role in cyber resilience.
Cyber resilience is a relatively recent term and field that is still evolving, so you might see differing views and vendor/analyst approaches. Often cyber resilience is limited to cybercrime and cyberattacks, but you can look at it from the cyber incident perspective in a broader sense since what matters most are the critical (business) processes and essential IT services they need and must enable resilience.
The rising recognition of the importance of cyber resilience is related to the impact of attacks and breaches in the context of the digital evolutions we’ve been witnessing in business in recent years.
For starters, there is the mentioned fact that digitization and digital transformation have put ‘cyber’ in core business functions and processes in close to all industries. Organizations can literally be paralyzed in case of severe cyber incidents that affect digital infrastructure and/or IT systems.
At least as important is the rise of big data and the evolution towards data-driven business models with data being a core business asset that doesn’t just need to be protected but also is vital for future growth. This evolution, and we’re really still at the beginning, has led to more regulations to protect specific types of data, mainly personal data. The attractiveness of data has also increased for cybercriminals along with the value of it. And, again, data sometimes has become so essential that severe cyber attacks can lead to impactful disruptions.
Another important factor is, of course, as mentioned, the increase of cyber attacks and the growing sophistication of cybercrime. If cyber incidents are perceived as such a high risk, there must be several reasons for it, and as you know and we’ve covered in several blogs, the stakes are higher, and the incidents, certainly from the cyber attack perspective, increase.
There is much more that explains the increasing attention for cyber resilience and approaches beyond traditional cybersecurity (including, for instance, ‘Zero Trust’). Think about the ongoing efforts to bridge physical and digital environments as we see in Industry 4.0 and how we keep connecting things to our digital business environment with the Internet of Things. Or the emergence of digital ecosystems that go beyond the boundaries of the organization whereby value chains can be disrupted in case of incidents. The list goes on, the attack surface grows, and the consequences of attacks are potentially more significant.
Cyber resilience is the ability to prepare for and adapt to changing threat conditions while withstanding and rapidly recovering from attacks to infrastructure availability (Cisco)
So, it’s pretty evident that in such a world that relies more and more on digital networks, data, developments enabled by the Internet of Things, and so forth, cyber incidents can impact business continuity. And there will always be cases where core IT systems are not available. Perfect security doesn’t exist, and the more you digitize and digitalize in essential areas of business and society, the more impactful attacks and outages can be in theory. Obviously, this is precisely the reason why cybersecurity and IT approaches evolve and why cyber resilience is of strategic importance, to begin with.
Cyber resilience in context – a definition and questions to address
Impact is a keyword here, and the impact of incidents depends on several factors. How long are systems unavailable? How mission-critical are they? Which data are stolen in case of a data breach? How critical is the infrastructure that might go down? What is the nature of the incident? Who is behind it if it concerns a cyberattack or even form of cyberwarfare?
There are several other elements of the impact as such that are important. Is the effect mainly financial? Could it pose a challenge on, let’s say, the daily lives of citizens or even national security? What are the different groups of people that are impacted, and how is the effect on one group affecting the other and the organization?
It could, for instance, be that the incident mainly has an impact on the availability of a digital platform used by millions who are also part of this digital world and demand that platforms are always available. And if it’s not available for some time, even if it’s not a matter of life and death, you know what can happen on a level on, for instance, brand reputation. Simply put: it doesn’t have to be a cyber incident that one could categorize as a ‘disaster.’
There isn’t a universally accepted definition of cyber resilience. You’ll find ample views on the ‘differences’ between cyber resilience and cybersecurity, but 1) it’s not a matter of cybersecurity versus cyber resilience (holistic, remember), and 2) often the attempts to differentiate between both show the different views on what cybersecurity today really means.
The fact that there is no universally agreed definition of cyber resilience doesn’t mean that there have been no attempts to define them, as is always the case in our digital business and technology world. Yet, just looking at the two words already is a good indicator of the domains that are covered by cyber resilience.
Cyber resiliency is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. Cyber resiliency is intended to enable mission or business objectives that depend on cyber resources to be achieved in a contested cyber environment. (NIST Special Publication 800-160, Volume 2, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach)
Cyber is simply a prefix that we’ve been using for decades for anything that is computer- or Internet-related. Resilience means the ability to recover quickly from incidents and disruptions; in other words: how fast you get back on your foot or return to the shape before the event.
Since the ‘bad event’ doesn’t mean that the organization ceases to exist, the definition of cyber resilience is the capability of an organization to optimally continue running its essential business/operations and core IT systems despite a cyber incident and to solve the problem and its impact quickly. This isn’t a matter of reacting after the facts. Cyber resilience also means preparing for cyber attacks and other cyber incidents, mitigate them when they do happen (assuming they will) and, indeed, recover, while making sure that the organization survives the incident.
Preparation (identifying risks and taking measures to try to prevent them), detection (of cyber threats and anomalies), response, and recovery are often cited as the main steps to develop a cyber resilience plan. Others (see image above) identify five steps or elements, and others detail it further.
One of the most often used definitions of cyber resilience comes from a short paper from three experts, where the authors define ‘cyber resilience as the ability to continuously deliver the intended outcome despite adverse cyber events.’
The paper also provides building blocks of cyber resilience and makes a good effort in contrasting cyber resilience against cybersecurity with regards to five central characteristics.
It’s available via SpringerLink (Björck F., Henkel M., Stirna J., Zdravkovic J. (2015) Cyber Resilience – Fundamentals for a Definition. In: Rocha A., Correia A., Costanzo S., Reis L. (eds) New Contributions in Information Systems and Technologies. Advances in Intelligent Systems and Computing, vol 353. Springer, Cham).