Five steps to cyber resilience
– a cyber resilience plan for every SME and mid-market sized organization
Cyber advice is easy to come by for every business, but it’s harder to decipher what aspects of that advice are relevant for you as an SME or mid-market sized company.
That’s why we have developed this five-part special series to offer much more than a list of arbitrary tips that might or might not be relevant.
Over the next five blog posts, we will look at the bigger picture for your organization and detail key actions rooted in the National Institute of Standards and Technology’s (NIST) cyber security framework.
By working through these key areas, and by drawing on both our own experience in helping businesses build cyber resilience and the expertise of leading cyber security practitioners, we believe we can help you work towards cyber resilience for your business.
The five areas of focus for Five Steps to cyber resilience for SMEs and mid-markets are:
- Identify – Understand your environment and overall cyber risk
- Protect – Implement appropriate safeguards to contain a cyber security event
- Detect – Maintain visibility into your network so you can detect intrusions
- Respond – Assume a breach will happen and have a plan in place
- Recover – Business interruption is the greatest risk; access experts to recover quickly
Step 5: Recover | Business interruption is the greatest risk; access experts to recover quickly
In earlier posts in this series, ‘Five steps to cyber resilience’, we advised all businesses to assume that they will be breached, to prepare for the expected, and to realize it’s a matter of when, not if, such an attack will take place. In this post, the final one on NIST’s five steps [1], we focus on the Recover function and look at how business interruption is the greatest risk, emphasizing the need for timely recovery and the critical importance of guaranteeing access to the right expertise.
The interruption and potential unavailability of critical business processes following a hack can have disastrous consequences for any business. Unless you can recover quickly and mitigate the potentially long-lasting damage, the incident will play out in full view of customers, adding reputational risk. In that context, NIST describes the Recover function as identifying the appropriate activities to maintain plans for resilience, restoring any capabilities or services that were impaired due to a cyber security incident, and ensuring that recovery planning is properly implemented.
Picking up the pieces with a Recovery Plan
The growing severity and frequency of cyber-attacks show no sign of letting up, which means true cyber resilience must include comprehensive recovery planning. Formalized and tested plans enable rapid recovery from incidents, helping to minimize the impact and ensuring effective communication to both internal and external audiences – a vital element of the long-term protection of a business’s reputation.
NIST states that recovery needs to address three critical outcomes [2]:
- Recovery planning: recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cyber security events.
- Improvements: recovery planning and processes are improved by incorporating lessons learned into future activities.
- Communications: restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacked systems, victims, other Computer Security Incident Response Teams, and vendors.
Preparing for the expected requires detailed planning for the recovery from a cyber-attack and having that plan as part of your information security program. The plan should document system dependencies and identify key personnel including their specific roles in incident management. The plan should also provide for back-up to regular communication services and tie into your organization’s overall Business Continuity Plan (BCP).
Building the playbook to restore business function
Having a documented playbook allows you to consider various scenarios that evaluate impacts, responses and recovery processes before an actual cyber-attack takes place. Remember that many such attacks are launched and remain undetected for an average of 206 days [3], underscoring the need to build playbooks that quickly restore critical business functions after detection and response.
NIST provides helpful advice on developing playbooks in its “Guide for Cybersecurity Event Recovery”, including recovery scenarios and checklists for what should be included. The playbook is divided into three sections: pre-conditions required for effective recovery; the tactical recovery phase; and the strategic recovery phase. For example, NIST recommends that the tactical recovery phase include an ‘initiation’ step that involves receiving a “briefing from the incident response team to understand the extent of the cyber event” and informing “all parties that the recovery activities have been initiated.” [4]
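The recovery plan described above is expected to document system dependencies and name the people responsible for each system, and the playbook's pre-conditions section is where those records should already exist before an incident. The following is an added example, not code from the original post or from Aon or NIST, of how a small team can turn such a documented inventory into a concrete restoration order: it flags planning gaps (no named owner, no backup contact, an undocumented dependency), computes an order in which systems can be brought back so that each comes up only after what it depends on, and groups systems into waves that can be restored in parallel. The system names, owners and dependency map are constructed sample data.

```python
"""Recovery-order planner for a documented system inventory (added example).

Input: a dict mapping each system to what it depends on plus its owner and an
out-of-band backup contact, i.e. the records a recovery plan is meant to hold.
Output: a list of planning gaps, a safe restoration order, and parallel waves.
"""
from collections import defaultdict, deque

# Constructed sample inventory; names and people are hypothetical.
SYSTEMS = {
    "identity":  {"depends_on": [],                      "owner": "A. Admin", "backup_contact": "B. Ops"},
    "database":  {"depends_on": ["identity"],            "owner": "D. Dba",   "backup_contact": "B. Ops"},
    "web-app":   {"depends_on": ["database", "identity"], "owner": "W. Dev",   "backup_contact": None},
    "email":     {"depends_on": ["identity"],            "owner": "M. Mail",  "backup_contact": "B. Ops"},
    "reporting": {"depends_on": ["database", "web-app"], "owner": None,       "backup_contact": None},
}


def find_gaps(systems):
    """Return human-readable gaps that would slow recovery if found mid-incident."""
    gaps = []
    for name, info in systems.items():
        if not info.get("owner"):
            gaps.append(f"{name}: no named owner")
        if not info.get("backup_contact"):
            gaps.append(f"{name}: no backup contact for out-of-band communication")
        for dep in info["depends_on"]:
            if dep not in systems:
                gaps.append(f"{name}: depends on undocumented system '{dep}'")
    return gaps


def restoration_order(systems):
    """Topological order (Kahn's algorithm): every system appears after its
    dependencies. Raises ValueError if the documented dependencies form a
    cycle, which is itself a planning defect to fix before an incident."""
    indegree = {name: 0 for name in systems}
    dependents = defaultdict(list)
    for name, info in systems.items():
        for dep in info["depends_on"]:
            if dep in systems:            # undocumented deps are reported by find_gaps()
                indegree[name] += 1
                dependents[dep].append(name)
    ready = deque(sorted(n for n, d in indegree.items() if d == 0))
    order = []
    while ready:
        current = ready.popleft()
        order.append(current)
        for child in sorted(dependents[current]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(systems):
        stuck = sorted(n for n, d in indegree.items() if d > 0)
        raise ValueError(f"dependency cycle among: {stuck}")
    return order


def recovery_waves(systems):
    """Group systems into waves: wave k contains systems whose longest
    dependency chain has length k, so everything in one wave can be restored
    in parallel once the previous wave is up."""
    depth = {}
    for name in restoration_order(systems):
        deps = [d for d in systems[name]["depends_on"] if d in systems]
        depth[name] = 1 + max((depth[d] for d in deps), default=-1)
    waves = defaultdict(list)
    for name, k in depth.items():
        waves[k].append(name)
    return [sorted(waves[k]) for k in sorted(waves)]


if __name__ == "__main__":
    for gap in find_gaps(SYSTEMS):
        print("GAP:", gap)
    print("Restore in order:", " -> ".join(restoration_order(SYSTEMS)))
    for i, wave in enumerate(recovery_waves(SYSTEMS)):
        print(f"Wave {i}: {', '.join(wave)}")
```

Running the script on the sample inventory reports the two systems missing contacts and shows that identity must come back first, then database and email in parallel, then the web application, and finally reporting. Keeping the inventory in version control and re-running the check whenever a system is added is a cheap way to keep the playbook's pre-conditions from going stale.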
Scenario planning also plays an important role in testing current incident recovery capabilities. This aspect usually requires outside assistance from Incident Response (IR) experts who have experience in responding to real-world incidents and can advise on the recovery process that needs to be in place. They can help simulate a real breach and stress-test your response plan. Reality-based tabletop exercises are also invaluable in getting ahead of impending attacks, especially when they conclude with an after-action debrief document that identifies gaps and delivers a report prioritizing results and recommendations for improvement.
Protect your balance sheet and recover more quickly
The evolution of digitization means the risks from cyber are only going to increase as hackers find new ways to exploit system vulnerabilities and disrupt organizations. Consequently, cyber insurance has a central role to play in how a business manages and mitigates the risk. Cyber insurance can protect an organization’s balance sheet by providing a financial pay-out after things have gone wrong, but it also offers expert consultancy to improve security and on-the-ground incident response support during a crisis. Two of the key benefits of cyber insurance are pre-loss prevention to try and stop an incident from happening in the first place and post-loss services to help organizations recover more quickly.
Evolving cyber risks and privacy laws and regulations such as the EU General Data Protection Regulation (GDPR) have created a greater awareness of the financial impact of cyber risks and emphasized the need for organizations to increase their understanding of cyber insurance. Recent increased business interruption losses following a cyber-attack have also heightened awareness. However, many mid-market organizations remain under-insured and can benefit from Aon’s approach to cyber risk management. Carrying out a cyber risk scenario analysis for example can be particularly useful in helping companies better understand their exposure. After that process they might decide to strengthen their own internal IT security and incident response preparedness before they consider buying cyber insurance cover. Over the last five years, more internal stakeholders have become involved in helping to recognize cyber risk within a business which has helped to develop better knowledge around cyber threats and, in turn, increased the understanding of the value of cyber insurance.
[1] NIST (National Institute of Standards and Technology), Cyber Security Framework – https://www.nist.gov/cyberframework/framework
[2] NIST SP 800-184, Guide for Cybersecurity Event Recovery – https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-184.pdf
[3] IBM, 2019 Cost of a Data Breach Report – https://www.ibm.com/security/data-breach
[4] NIST SP 800-184, Guide for Cybersecurity Event Recovery – https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-184.pdf
CyQu (Cyber Quotient Evaluation) from Aon is an award-winning cyber risk assessment platform. Learn more.
This material has been prepared for informational purposes only and should not be relied on for any other purpose. You should consult with your own legal and information security advisors or IT Department before implementing any recommendation or guidance provided herein.