Confronted with inevitable cyber attacks, organizations should go beyond cyber security to focus on achieving cyber resilience.
In some respects, experts say, the risk management approach is like that taken by many companies in catastrophe-exposed areas crafting business continuity plans and seeking to strengthen business resilience in the face of a natural disaster.
“The Internet is probably one of the greatest achievements of our lifetime, but it was based on trust,” said Daniel W. Riordan, CEO global corporate of North America at Zurich in New York. “Now we're confronted with the issue of how do we build resilience to protect that value that's there.”
With a resilience approach to a cyber breach, companies can get the business up and running, communicate effectively and immediately start a forensic investigation, said Steve Durbin, managing director of the Information Security Forum Ltd. in London.
“The fundamental issue is that there is no way that you ever create 100% security,” Mr. Durbin said. “As we look forward, the unexpected is going to become more frequent. So the challenge for organizations is how do we plan for the unexpected. That's where you get into a resilience approach.”
Matthew Goche, director of security consulting at SunGard Availability Services Ltd. in Wayne, Pennsylvania, said, “We think that disaster recovery events are going to be more and more caused by cyber security issues ... as the Internet of all things starts rolling out in a greater way.”
Typically, no matter how much is spent on cyber security infrastructure, “events still happen,” Mr. Goche said. “Looking at the business risks that you absolutely can't afford to have happen,” the solution is to develop resilience to cyber attacks, “much as you would with a general business continuity or disaster recovery plan.”
The risk goes beyond an individual company's walls to cyber attacks affecting suppliers, financial institutions, business partners and others. In fact, widespread reliance on the Internet creates systemic risks with the possibility of “cyber-shock,” according to an April report by Zurich and the Washington-based think tank Atlantic Council.
“Risk managers, regulators and organizations with systemwide responsibility all need to focus more on resilience and agility rather than simply prevention,” according to the report. “In an increasingly interconnected world, risks can strike quickly and from any direction — so, too, it is equally critical that those affected are able to respond rapidly to ride out the shocks.”
Mr. Riordan said companies “need to be thinking outside of their four walls.” While a company might protect its own operations, how does it guarantee that its suppliers are addressing cyber exposures? With cloud computing growing, how are companies “looking at the rest of the providers in the cloud?” he said.
“You may have the best defenses within your enterprise, but that doesn't mean that some of the entities that you do business with” have equally strong defenses, Mr. Durbin said.
Historically, security and prevention have been approached from a readiness and compliance perspective. “If I've got the best bells and whistles in place, I'm protected,” said Randy Hayes, vice president and leader of the predictive intelligence business at Booz Allen Hamilton Inc. in McLean, Virginia.
“The cyber resilience mindset includes all of that, but it goes further,” Mr. Hayes said. “Cyber resilience makes the assumption that you can't prevent” cyber attacks.
“The goal is to be able to operate in an environment of these persistent attacks without having your data stolen, without having your trade secrets stolen, without having your money stolen,” he said. “What you need with cyber resilience is a war fighting mindset.”
William Gouveia, vice president of consulting services at SunGard A.S. in Jersey City, New Jersey, said one important element of achieving cyber resilience is aligning security measures with business objectives.
Chief information security officers focus on protecting organizations against technology risk, but he said it's “very unclear” who should focus on the business risk.
“Too often, we've talked with CISOs and other security leaders who take sort of a one-size-fits-all approach,” Mr. Gouveia said. “What we see is technology driving the conversation, not risk driving the conversation.”
Mr. Hayes of Booz Allen offered several key steps for companies and organizations to build cyber resilience.
“Understand and know your adversary,” he said. “This is really human intelligence. Who are these people, these nation states, these hacktivists and what are they planning to do? What are their objectives and what methods have they used?” Knowing the answers to those questions provides “actionable threat intelligence.”
It's also necessary to know what assets a company has and where they are located, and to have 24-hour network monitoring “with actual trained intelligence analysts and cyber security experts,” Mr. Hayes said. “What's needed is a statistics-based approach where you're looking for anomalies across the enterprise vs. a baseline which is normal.”
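Mr. Hayes's point about scoring enterprise activity against a known-normal baseline, as an added illustration that is not code from the article or from Booz Allen: a robust median/MAD anomaly score over constructed per-host daily connection counts, handling the two edge cases a monitoring team hits immediately (a host whose history is perfectly flat, and a host that has no baseline at all because the asset inventory never recorded it). Host names, counts and thresholds are all made up for the example.

```python
"""Baseline-versus-anomaly scoring over per-host event counts.

Added example, not from the article or any vendor quoted in it.
All hosts, counts and thresholds below are constructed sample data.
"""
from statistics import median
from typing import Dict, List, Optional, Tuple

# Constructed baseline: daily outbound-connection counts per host over two
# weeks that the security team considers "normal".
BASELINE: Dict[str, List[int]] = {
    "web-01": [1200, 1180, 1250, 1220, 1190, 1300, 1210,
               1230, 1240, 1195, 1260, 1215, 1225, 1205],
    "db-01": [40, 42, 38, 41, 39, 40, 43, 37, 41, 40, 39, 42, 40, 41],
    "hr-laptop-7": [15, 12, 18, 14, 16, 13, 17, 15, 14, 16, 12, 15, 14, 13],
    "build-02": [300] * 14,  # a cron-driven host with a perfectly flat history
}

# Constructed observation for today; "new-host-9" has never been seen before.
TODAY: Dict[str, int] = {
    "web-01": 1245,
    "db-01": 410,          # a database server suddenly talking ten times as much
    "hr-laptop-7": 15,
    "build-02": 301,
    "new-host-9": 50,
}


def robust_score(history: List[int], value: int) -> Tuple[float, float]:
    """Return (score, absolute deviation) of value against history.

    Uses the median and MAD (median absolute deviation) rather than mean and
    standard deviation so a few bad days in the history cannot drag the
    baseline toward the attacker. The 0.6745 factor rescales MAD so the score
    is comparable to a z-score for normally distributed data. A flat history
    (MAD == 0) yields an infinite score for any deviation; the caller decides
    whether that deviation is big enough to matter.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    dev = abs(value - med)
    if mad == 0:
        return (float("inf") if dev > 0 else 0.0), dev
    return 0.6745 * dev / mad, dev


def evaluate(baseline: Dict[str, List[int]], today: Dict[str, int],
             threshold: float = 3.5, min_abs_dev: int = 5
             ) -> Dict[str, Tuple[str, Optional[float]]]:
    """Score every host observed today against its baseline.

    Returns {host: (status, score)} with status 'normal', 'anomalous' or
    'no_baseline'. min_abs_dev stops a flat-history host from alerting on a
    one-event wobble; a host with no baseline is itself a finding, because it
    means the asset inventory does not know about it.
    """
    report: Dict[str, Tuple[str, Optional[float]]] = {}
    for host, value in today.items():
        history = baseline.get(host)
        if not history:
            report[host] = ("no_baseline", None)
            continue
        score, dev = robust_score(history, value)
        anomalous = score > threshold and dev >= min_abs_dev
        report[host] = ("anomalous" if anomalous else "normal", score)
    return report


if __name__ == "__main__":
    for host, (status, score) in evaluate(BASELINE, TODAY).items():
        shown = "n/a" if score is None else f"{score:.2f}"
        print(f"{host:12s} {status:12s} score={shown}")
```

With the constructed data, only db-01 exceeds the threshold; build-02's one extra connection against a flat history is suppressed by the absolute floor, and new-host-9 is reported as an inventory gap rather than silently scored against nothing.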
When incidents do occur, “what most incident-response teams do is they go in blind,” he said.