How To Assess Your Company's Cyber Resiliency
With the increase in ransomware attacks and the loss of enterprise data causing long-term disruptions for many businesses, cyber resiliency has become a top priority.
It’s also a term that can be used so broadly that its meaning can become unclear. Without a specific definition and a plan for assessing cyber resiliency, it can become just another buzzword.
Here’s a closer look at the tenants of cyber resiliency and how to evaluate your company’s technology, policies and practices.
What is cyber resiliency?
Cyber resiliency is defined by the National Institute of Standards and Technology (NIST) as the ability to “anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyber resources.”
To have cyber resiliency, your company’s network and resources must be able to continue to carry out essential functions even in a “degraded or debilitated state.”
Cyber resilient systems can detect advanced persistent threats, including attackers who breach a system and stay there until they have obtained sensitive data, or issues within the supply chain. This could include attacks on third-party vendors who have access to your enterprise data or systems.
NIST compares cyber-resilient systems to the human body, which has a powerful immune system that continuously fights illnesses and infections and adapts to maintain its most important functions. These systems are built with the knowledge that attacks are inevitable and focus on recovery in addition to prevention.
Implementing firewalls, two-factor authentication and educating employees on cyber risks are all important steps to try to prevent system or data breaches.
But with ransomware attacks becoming more sophisticated, including double and even triple extortion tactics, standard perimeter defenses are no longer sufficient to keep attackers out.
“Even with ‘the right’ safeguards and countermeasures in place, some attacks will be successful,” said Ron Ross, a fellow at the National Institute of Standards and Technology.
How can you assess cyber resiliency?
Just as your body requires ongoing maintenance to keep its immune system strong, true cyber resiliency requires an ongoing strategy.
How cyber resilient is your organization? NIST has developed a 229-page guidance document that offers best practices for cyber resiliency, including the systems, practices and controls world-class security professionals should consider implementing.
We’ve summarized a few key takeaways here.
What is your risk?
The stories we hear about ransomware are of major companies and projects being held captive — including the Colonial Pipeline ransomware attack. Sinclair Broadcasting and even the Metropolitan Police in Washington D.C.
But the risk is particularly acute for small and mid-sized businesses. It’s estimated that nearly three-quarters of ransomware attacks target small businesses. Part of that is due to percentages. After all, there are more small businesses than big ones. But part of that is exposure. You may not think you’re at risk – which can put you at greater risk.
Self-awareness is not only an important part of company culture, but assessing your own potential exposure puts you in a better place to ensure you’re enacting plans to minimize risk. Better yet, you’re enacting the right plan. Cyber resiliency isn’t one size fits all.
What are your cyber resiliency goals and objectives?
While survival goals are mainly related to survival, objectives are more specific and are stated as a way to achieve survival. They can be used to describe how you will achieve survival, as well as a way to measure your success.
If your objective is to avoid an attack, you need criteria for identifying vulnerabilities and determining when an attack has happened. Your objectives should align with your risks. For instance, what sensitive data do you have? Where does it live, and how is it managed?
What cybersecurity techniques and design principles do you have in place?
Your cybersecurity techniques are the way you monitor threats, prioritize them and ensure your systems are working properly in a coordinated manner. They also relate to the way you distribute resources, minimize common failures, restrict privileges, and ensure you have redundancy in your critical resources.
Cyber resiliency design principles are how you apply those techniques. For instance, what are the mechanisms that restrict access to certain types of data? What backup and recovery systems do you have in place to ensure data resiliency?
How do you maintain cyber resiliency in daily operations?
Consider how your systems work to protect your network, cloud resources, and your enterprise data.
Have you implemented a zero trust security model?
Do you authenticate each user, device, application and data flow?
Are you monitoring, inspecting and logging all activity, including network traffic and requests for access to data?
Are you granting the least amount of access each user, device or application needs to perform essential work?
This is your chance to channel Robert DeNiro in Heat when he says, “Assume they got us, right here, right now, as we sit, everything. Assume it all.”
Zero trust assumes everyone is a threat, including people within your own organization.
How do you manage your enterprise data?
The pandemic has led to more work at home, leading to “data sprawl,” or employees disseminating potentially sensitive — and valuable — information through a variety of sources, from messaging apps to thumb drives. It’s estimated that 80% of data is unstructured — making it a potentially ripe target for cybercriminals.
Willie Sutton famously said he robbed banks because that’s where the money is. A centralized system can make a more inviting target. Do you have one?
What cloud storage platforms do you use, and what data protections do they have?
Are you encrypting data at rest and in transit to make it immutable to attackers?
What type of data redundancies do you have in place?
Are you sharding and dispersing that data in a way that allows you to easily recover it later?
Do you have several layers of enterprise data security? Are they up to date?
Do you have a plan?
Develop an incident response plan to ensure that if (or when) the unthinkable happens, you’ll know what to do. That means regularly communicating with customers, executives and other stakeholders in the event of a data breach.
Additionally, what safeguards do you have in place to maintain continuity of service if you experience a loss of data or critical systems due to a cyberattack or a natural disaster?
Myota enables organizations to withstand and recover from attacks with technology you can easily apply to any data storage environment.
Myota’s Converged Data Protection Platform transforms unstructured data into immutable files capable of withstanding attacks. It combines Zero Trust access controls, data encryption, sharding and dispersion and backup and recovery into a single solution your team can implement in minutes. Administrators can manage data access by user, device or storage location, and employees can easily protect sensitive data right from their desktops.
Myota is easy to apply to any storage environment so you can protect both structured and unstructured data consistently and completely. Discover how Myota improves cyber resilience. Learn more about how it works.