Do you need cybersecurity, or cyber resilience?
Cybersecurity and cyber resilience have a lot in common: they both describe philosophies on protecting organisations from cyber disruption.
The key differences lie in how they accomplish that goal. Cybersecurity focuses on protecting and securing an organisation’s sensitive data from external threats. Generally, that means keeping away scammers and hackers, ensuring confidential data stays confidential.
Cyber resilience, however, is the measure of a company's ability to minimise damage and continue operations even during a cyberattack or technical failure.
With the wide variety of risks, threats and liabilities modern companies are facing, most organisations would be well served by having both a cybersecurity strategy and a cyber resilience strategy in place. In practice, however, a given organisation may prioritise one strategy over the other, depending on its business goals and its risk tolerance.
While both cybersecurity and cyber resilience encompass adversarial threats, cyber resilience also takes into account other risks like system failure, natural disasters and human error.
With a firmer understanding of both concepts, it’s possible to plan a comprehensive approach that aligns with your organisation’s objectives. Let’s take a deeper dive to better illustrate how the two disciplines can complement and influence each other in hardening the overall cyber readiness of your business.
Cybersecurity keeps out the baddies
Primarily concerned with preventing access to networks and systems, cybersecurity covers a range of technologies and practices aimed at pre-empting external, targeted threats. The threat landscape is evolving at breakneck speed, and new threats are popping up literally every day.
The most common attacks launched by cyber threat actors—hacking, phishing, denial-of-service, malware and ransomware—can easily compromise business data or take entire networks offline. Data leaks are serious business: hackers routinely demand million-dollar ransoms for stolen data, so it’s not a threat to be taken lightly.
Even so, the cybersecurity industry has had plenty of experience dealing with these threats, and cybersecurity service providers have some proven strategies and best practices to minimise the risk.
Some of the most common of these include:
Updating firmware, OS, and security patches regularly
Configuring firewalls, VPNs, and antivirus or malware protection tools
Educating employees on common threats and best practices
Implementing an industry-standard set of cybersecurity practices will prevent the majority of attacks, but even the most hardened networks aren’t airtight. That’s where cyber resilience comes into play.
Cyber resilience keeps you in business
Cyber resilience is founded on a single assumption: no matter how tight your cybersecurity, your organisation will be compromised at some point. Concerned more broadly with ensuring business continuity, cyber resilience focuses on building your organisation’s capability to keep functioning even in the event of a disruptive cyber incident.
The concept includes disaster recovery processes like redundancies and offsite backups, archiving, response and recovery planning and continuity of operations. For some critical sectors, cyber resilience may also be a compliance requirement, where the measures involved must meet certain regulatory standards.
One of the core tenets of cyber resilience is that it’s impossible to guarantee that systems and their data are ever truly safe, even when backup and protection plans are optimal. Data should always be backed up in more than one place, and systems secured by multiple types of protection.
This also means that if, say, an attacker were to encrypt your data and try to hold it for ransom, you would still have an intact copy of the data to restore from.
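The "backed up in more than one place" principle only pays off if the surviving copy can be proven intact before it is restored. The following script is an added example, not code from the article: it keeps a hash manifest for several backup copies, simulates an incident in which the live file and one copy are overwritten (random bytes stand in for ransomware encryption), then verifies every copy against the manifest and restores from the one that still matches. File names, directory names and the sample data are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backups(source, destinations):
    """Copy `source` to each destination path and return a manifest
    {path: expected_sha256}. In practice the manifest is kept apart from
    the copies (for example offline), so an attacker who reaches one copy
    cannot silently rewrite its expected hash as well."""
    data = source.read_bytes()
    manifest = {}
    for dest in destinations:
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)
        manifest[dest] = sha256_of(dest)
    return manifest


def verify_backups(manifest):
    """Return only the copies whose current hash still matches the manifest.
    A missing, truncated, encrypted or otherwise altered copy is excluded."""
    return [p for p, expected in manifest.items()
            if p.exists() and sha256_of(p) == expected]


def restore(manifest, target):
    """Restore `target` from the first verified-intact copy; refuse to
    restore at all if no copy passes verification."""
    intact = verify_backups(manifest)
    if not intact:
        raise RuntimeError("no intact backup copy available")
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(intact[0].read_bytes())
    return intact[0]


def simulate_ransomware_scenario(workdir=None):
    """Constructed scenario: one live file, two backup copies (on-site and
    off-site), an incident that corrupts the live file and the on-site copy,
    then verification and restore from the off-site copy."""
    workdir = Path(workdir) if workdir else Path(tempfile.mkdtemp())
    live = workdir / "live" / "customers.db"
    live.parent.mkdir(parents=True, exist_ok=True)
    live.write_bytes(b"id,name\n1,Alice\n2,Bob\n")  # constructed sample data
    original_hash = sha256_of(live)

    copies = [workdir / "onsite" / "customers.db.bak",
              workdir / "offsite" / "customers.db.bak"]
    manifest = make_backups(live, copies)

    # Simulated incident: live data and the reachable on-site copy are
    # overwritten with random bytes (stand-in for ransomware encryption).
    garbage = os.urandom(64)
    live.write_bytes(garbage)
    copies[0].write_bytes(garbage)

    intact = verify_backups(manifest)
    used = restore(manifest, live)
    return {
        "intact_copies": len(intact),
        "restored_from": used.parent.name,
        "restored_hash_matches": sha256_of(live) == original_hash,
    }


if __name__ == "__main__":
    print(simulate_ransomware_scenario())
```

Running the script reports one intact copy, a restore sourced from the `offsite` directory, and a restored file whose hash equals the pre-incident value. The design point is that verification happens before restoration: restoring from the nearest copy without checking it would have written the corrupted on-site backup straight back over the live system.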
But cyber resilience covers more than just the technology involved. It also describes the policies to follow in the event of an incident. What needs to happen in the event of a failure or breach? Who should be notified? Who should do the notifying? Who bears responsibility for restoring services, notifying business stakeholders, staff, or shareholders? How much should you tell them? These questions make cyber resilience an essential part of any risk management policy.
Cyber resilience standards and practices will vary from business to business, but there are a few key points that a comprehensive cyber resilience strategy should address:
How a business comes back online following a cyber disruption
Who has responsibility for taking the necessary steps to respond to a disruption
How the organisation will communicate the incident—when, and to whom
How and when disruptions will be reported to regulators, shareholders and other stakeholders
Assessment and reporting of ongoing resilience measures
Moving from triage to normal operations as quickly as possible
Recovering data—the process and timeline to restore it
Cyber insurance coverage
An initial assessment for cyber resilience will document how your organisation’s processes tie in with the technology you use, as well as how sensitive and valuable data is stored and accessed. This assessment will take cybersecurity considerations into account but will also encompass the more general business processes and logistics tied to technology risk.
Ultimately, your cybersecurity strategy will be about mitigating the risk of any attack getting through. But when one inevitably does, a cyber resilience strategy will minimise the impact and help you get the business back on its feet.