Resilience is the practice of sleeping better at night and waking up refreshed, feeling like a champion. Seriously. Since Cyber Security is dead, the only valuable strategy is Resilience, which means being prepared and knowing exactly how to respond to getting hacked so you can protect your reputation, your clients, partners and the bottom line. We call this Resilience.
Here are some key considerations when designing your Resilience Strategy:
Understand, Define and Prioritize Your Organization’s Risks
Resilience doesn’t work as an afterthought. It must be a critical strategic component for the whole leadership team, rather than a sole member’s responsibility. What that means is taking personal, legal, ethical, and financial responsibility for the organization’s exposure to compromise of any kind by regularly addressing and assessing the risks of failure and ensuring that Resilience is built into all areas of your business and operating model.
Understand, Define + Anticipate Consequences
Prolonged cybersecurity events in sectors concerning key infrastructure, such as communications, banking or transportation, are disruptive on a massive scale. Cyber disruptions of small and medium-sized businesses are equally disastrous for both the organization and the clients, partners and customers who trusted it. For any organization, regardless of size and scope, the failure or disruption of your complex systems, or the compromise of intellectual property, sensitive information (including commercial data, employee information and more) or data held in trust on behalf of partners and customers, is directly reflected in your reputation, credibility and, ultimately, your profitability.
Understand, Define + Document Your Systems + Data
The better your understanding and assessment of how your business uses technology, the better you will be able to define and prioritize your risk and the consequences of failure. You have to think like the bad guys in order to understand the value of your data to those who would compromise it. When you know exactly where that data is, how it is protected, who has access to it (including external sub-contractors) and what the risks are, then you are in a stronger position than your competitors and can better design a business model with Resilience in mind, for the long term.
Be mindful. There are providers out there who would suggest more complexity than you require. WIMZKL starts with the Resilience Diagnostic to determine what your business needs and what it doesn’t. Wherever you are in your planning, be careful and sure to consider this. No one wants to bring a tank to a knife fight.
There are dozens of ways to enhance your overall Resilience. Some are complex, but even integrating some basic good practices helps minimize your organization’s risk from a majority of attacks. These include regular patching of software and operating systems, limiting privileged access to the most valuable information across the organization and proper configuration of existing technology infrastructure, such as routers, firewalls, and other defensive technologies. WIMZKL recommends not adding complexity but rather simplifying by better understanding what you already have and making it deliver more value for your organization.
Refine Good Practices in Redundancy + Response
Unless you’ve been living under a rock, you’ve read plenty about cyber attacks on businesses and government organizations of all shapes and sizes. These range from malicious destruction of data and DDoS (Distributed Denial of Service) attacks to ransomware and the countless human errors that lead to system failures and data loss. It is critical that you build in redundancy and regular, tested backups of your business data. Redundancy is essential to recovery after a successful cyber attack. Most people have no idea how often these backups fail when needed the most, because the backup strategy was allowed to fall into neglect.
Find a Long-Term Partner
Cybersecurity technology is more complex and expensive than ever. Most companies cannot afford the expertise and resources to achieve Resilience on their own, in-house. Find an external partner committed to helping your organization diagnose your resilience, define and prioritize your risks, implement a Resilience Strategy and stick around for the long term to sustain its value.
As attacks evolve in depth and breadth, awareness in your people becomes more and more important. Fostering a culture of awareness isn’t easy and is an internal responsibility. A solid, long-term partner is the difference between success and repeat failure.
Continue to Invest in Resilience
Resilience, awareness and the good practices that foster them aren’t a single project. They are an ongoing process that includes more than a single perspective in your learning. Done in a thoughtful and intentional way to build awareness in your people, this practice gains momentum and value the truer to the cause you are. Effective Resilience requires acknowledging the value of a regular investment of time, education, and resources to further the overall awareness of people within your organization.
Foster a Culture of Awareness
We could have discussed this first because it is arguably the most important part of Resilience. While the vast majority of cyber attacks emanate from outside an organization, human error within the organization, caused by a lack of awareness and training, is the single largest contributor to security incidents that impact your business. Resilience requires active participation of an entire culture, meaning not only the technical staff but everyone who accesses information systems and who, as a regular, error-prone human being, is often tempted to click on things they shouldn’t. Without regular awareness training and a culture that supports active learning, company spending, even on the most expensive and sophisticated Cybersecurity solutions, is not effective. A strong culture of Resilience, however, including an informed and committed staff, creates an environment that reinforces and rewards positive security practices.
People react positively to friendly, example-based Cybersecurity training that gives them value they can use right away in their personal lives to protect their family, friends, and the ones they care about most. Empowering people to use technology in new and more secure ways at home will encourage them to bring those habits and tools to work, which shapes the kinds of decisions they make at work. It doesn’t work the other way around.
Being transparent and sharing your own stories is valuable, too. Sharing our failures and triumphs adds value to our own cultures as we continue to pursue what we are all trying to achieve: an Internet that is safer for doing business today, tomorrow and into the future.