Cyber security and cyber resilience are often used interchangeably but there is a major distinction between the two.
Simply put, cyber security is about keeping attackers from penetrating your organisation's IT systems. This is best achieved by adopting what's known as a 'defence in depth' strategy: layering an array of defences so that unauthorised individuals cannot gain access.
Cyber resilience, on the other hand, is all about planning what should happen when an attacker eventually gets through. While this may sound defeatist, it is simply pragmatic: while implementing basic cyber security best practice will prevent the majority of attacks, the likelihood is that a determined hacker will still be able to find vulnerabilities. It is now commonly accepted that it's no longer a matter of 'if' but 'when' an organisation will suffer a cyberattack.
This means that instead of focusing your efforts solely on keeping criminals out of your network, it's better to assume they will eventually break through your defences, and start working on a strategy to reduce the impact.
Verizon's latest Data Breach Investigations Report bears this out. It analysed 3,950 of the 157,425 security breaches reported in 2020 and found that:
- 70% were caused by outsiders
- organised crime groups were behind 55% of attacks
- 30% of attacks were by internal actors
- 86% were financially motivated attacks
- 45% of breaches were made by hackers
- 27% of malware was attributed to ransomware
- 18% of organisations blocked at least one piece of ransomware
- 72% of breaches targeted large businesses while 28% involved small businesses
- 22% were social attacks
This is why cyber resilience is so critical. It's about ensuring your organisation can remain operational when (not if) a security breach occurs. Accepting that no method of prevention can ever be 100% effective, that the worst may happen at some point, and preparing to respond is more effective than assuming that your cyber security measures will hold. They might, but if they don't, what then? That's why organisations need to focus on being cyber resilient.
Whereas cyber security is primarily concerned with access control, cyber resilience involves taking a more strategic, long-term approach. The US National Institute of Standards and Technology's (NIST) Cybersecurity Framework sets out five key stages to achieve cyber resilience: Identify, Protect, Detect, Respond and Recover.
Cyber resilience should be seen as part of an organisation's wider risk management and business resilience activities.
For individuals, attaining an internationally recognised cyber resilience certification, such as DRI International's Certified Cyber Resilience Professional, will give you strong foundations on which to build. Organisations wanting to give customers, suppliers and other stakeholders the assurance that they will bounce back from any interruption could consider working towards gaining CRMP accreditation.
Resilience Guard's expert cyber resilience consultants will guide you methodically through the process, helping you find and fix any gaps. Contact us to discuss how we could help your organisation.