Make Your Organization Cyber Resilient in Five Simple Steps

This is a guest blog post by Matthew Stern of TechFools. It is a companion to the interview on Innovating Leadership, Co-creating Our Future titled A Dozen Lessons Learned Running Dunkin’ Donuts, which aired on Tuesday, March 16th, 2021.


Cybersecurity refers to a series of measures put in place to prevent threat actors from penetrating IT infrastructure. But implementing such measures merely reduces the risk of a major attack. Today, organizations have to use a wide range of IT equipment, the internet, and mobile devices to conduct business. The ever-expanding attack surfaces make 100% prevention impossible, and that’s where cyber resilience comes in.

Cyber resilience is a measure of how well an organization can continue operating despite technical failures, downtime, and other disruptions that could stem from a successful cyberattack. Cyber resilience takes a holistic approach to cybersecurity. Having a cyber resilience strategy will help you manage risks and protect your business.

Different Cyber Risks Faced by Companies

Every day, businesses fend off thousands of attacks targeted at their IT infrastructure. Attackers can launch attacks using a wide variety of techniques and technologies with minimal effort and expenditures. Eventually, one of these attempts will end up in a successful breach. It’s a question of ‘when’ not ‘if,’ and your business needs to be ready. This section looks at some of the most common types of cyber risks faced by organizations.

Ransomware

One of the most common attacks targeting businesses, ransomware is a form of malware that blocks the victim from accessing their systems. The cybercriminal demands a ransom to restore access, and if you don’t pay, you risk losing your system files permanently.

Distributed Denial of Service (DDoS)

Attackers launch a DDoS attack to overwhelm your network with a high volume of unwanted traffic. The goal is to exhaust bandwidth and render the victim unable to respond to legitimate requests. A sudden, unexplained flood of traffic to your website may mean your organization is facing a DDoS attack.

Phishing

Cybercriminals use all kinds of clever tricks to steal sensitive information from individuals and organizations, and phishing is one of the most common. Fraudulent emails designed to trick recipients into divulging sensitive data such as passwords, banking credentials, and credit card numbers are typical. Make sure members of your organization know how to recognize potential phishing scams.


5 Ways to Create a Strong Cyber Resilience Program

Cybersecurity is primarily about protecting your organization against a wide range of cyber threats. But as stated earlier in the article, 100% prevention is not possible.

Therefore, apart from having security tools such as antivirus software to detect and remove malware, firewalls to keep external threats at bay, and a Virtual Private Network (VPN) to encrypt your traffic in transit, you also need to make sure that your business survives and thrives even when that protection fails.

You can do that by building a robust cyber resilience strategy. Here are five ways to build a strong cyber resilience program for your business.

Formulate a Plan

To be cyber resilient, you need to have an adequate business continuity plan. Create a formal plan to deal with successful cyberattacks and other threats while maintaining key business operations. What critical resources do you have and what would be the business impact if they were to malfunction in the aftermath of the attack?

Get Insurance Cover

Financial loss is part and parcel of the aftermath of a cyberattack. Also, a successful data breach will almost always end up in a lawsuit. Organizations must protect themselves from financial loss resulting from a cyberattack by getting insurance cover. This type of coverage will typically include liability cover.

Create a Risk and Incident Management Plan

In case of an attack, having a proper risk and incident management strategy will help your organization react swiftly to neutralize the threat and restore operations. Establish an incident response and disaster recovery plan and work on improving it through regular testing.

Maintain a Proper Backup

Backups help organizations retain and recover critical information in the event of a cyberattack or data breach. Keeping current backups of all important company files and data, together with the capacity to restore them quickly, is one of the most effective ways to bounce back from a cyberattack and ensure cyber resilience.

Get Leadership Buy-In

For your cyber resilience strategy implementation to be effective, you need your leaders on board. You can achieve this through executive and board engagement. This level of involvement in your cyber resilience program delivers a strong message to your employees, partners, vendors, etc., about the company’s commitment to the fight against cybercrime.

Cybersecurity tools can’t fend off all cyberattacks. Even if your defenses prevent 99% of attacks, you still need to deal with the 1% that get through. Cyber resilience principles are centered around reacting to successful attacks, implementing secure redundancy for critical business processes, and business continuity planning.



Check out the companion interview and past episodes of Innovating Leadership, Co-creating Our Future, via iTunes, TuneIn, Stitcher, Spotify, Amazon Music, Audible, iHeartRADIO, and NPR One. Stay up-to-date on new shows airing by following the Innovative Leadership Institute LinkedIn.


About the Author

Matthew Stern is a technology content strategist at TechFools, a tech blog aiming at informing readers about the potential dangers of technology and introducing them to the best ways to protect themselves online.

As a tech enthusiast and an advocate for digital freedom, Matthew is dedicated to introducing his readers to the latest technology trends and teaching them how to gain control over their digital lives.


Cybersecurity – Thriving in a High-threat Environment: Five Key Tenets

This post reflects a collaboration between Dr. Dale Meyerrose, major general, U.S. Air Force (retired), president of the MeyerRose Group, and Maureen Metcalf, founder and CEO of Innovative Leadership Institute, and is written in conjunction with an interview on Voice America aired on May 24, “Cybersecurity: Thriving in a High Threat Environment.”

Dale sees “cyber” as much a language as the medium over which data flows. In turn, cybersecurity is about ensuring trust in virtual functions and services.

One often thinks cybersecurity is the job of specialists working in an information technology (IT) services organization, or of analysts in the security shop. Yet, when something goes wrong, it can affect not only the health and reputation of an entire organization, but possibly its existence.

Over the past five years, the headlines have been replete with examples of high-profile organizations and individuals who have had their data, records, and identity compromised by criminals, terrorists, governments, and “evil doers.” As a consequence, many have formed opinions based on impressions created by the media—many of those impressions may not be grounded in fact. So, what is the proper context?

There’s a tendency to focus on the large number of compromised records in some of the more infamous cases, particularly those involving retail and entertainment firms and the U.S. government. Yet, these sensational cases aren’t necessarily the largest in numeric terms. We are familiar with them for reasons other than strictly the number of compromised records and/or identities. Their publicity was likely due to other factors, such as participant notoriety, shock value, timing, and potential liability. We tend to forget that cybersecurity issues exist in the context of the outside world and the human experience in general. Inserting “cyber,” “e,” or “i” in front of a criminal act doesn’t change the motivations behind the theft, espionage, or destruction.

“Evil doers” act in their own self-interests and are, by and large, rational. However, they aren’t necessarily more intelligent or infallible. Just as in other forms of crime, they take the path of least resistance in committing cyber attacks. As with any other crime or conduct, whether cyber is involved or not, the perpetrator’s motivations are the same. And it is increasingly difficult for any crime not to have some kind of cyber facet or implication, as we, as a society, have become more dependent on cyber capabilities in both our professional and personal lives.

Additionally, specialists spend most of their “security cycles” worrying about not becoming the next “poster child” for a breach. They build layers of detection aimed at penetration alerts so that the culprits can be ousted and the vulnerability that permitted the breach repaired. This reactive approach spawned much of the current computer security industry and its network-centric thinking. It persists today under the rubric of cybersecurity—in the language that we hear in the media and from the security industry. In fact, by all appearances most of the earlier policies were updated with a universal word search for “network” and “computer,” merely replacing what are now considered passé terms with the more modern word “cyber.” They did so without adjusting their thinking to take into account a vastly changed, dynamic environment.

To better understand some key facets of cybersecurity, we compiled five foundational tenets that organizational leaders should know when learning about cybersecurity. This understanding prepares you to be driven by the “art-of-the-possible” rather than paralyzed by the “fear-of-the-inevitable.”

Five key cybersecurity tenets

  1. “Evil doers” and “good guys” value the same things. The former look to gain access to exactly what the latter try to protect. What you’re proudest of, criminals covet most. The value of the information architecture now supporting the global economy likely runs into the trillions of dollars—if you are not protecting your organization, an infiltration could threaten your data, your reputation, and even your existence. For most businesses and organizations, if not all, critical information is created, manipulated, accessed, transmitted, and stored electronically—and is subject to infiltration, exposure, and exploitation.
  2. Cybersecurity is a people issue, not a technical one. Cybersecurity strategy is more about organizational resolve than devising a great plan for the future. Cybersecurity is inseparably linked with every strategy and investment. Human talent is the only true competitive differentiator in business or any walk-of-life. This applies not only to your technical staff, but the trainability of the entire organization. Security is what you do, not something you have, buy, or install.
  3. The workforce has largely moved outside the firewall to do their jobs. An enterprise is only as secure as its least protected device or point of access. If we think about someone trying to hack into a home computer, an intruder would likely choose to gain access through another device that is connected to the computer, thus circumventing the traditional security measures. As the “Internet of Things” becomes more of a reality, backdoor access to that home computer will most likely come through a networked appliance like a thermostat, refrigerator, baby monitor, or alarm system. In a similar fashion, a mobile and agile workforce will expose organizations to similar risks and potential exploitation.
  4. Organizations need to first look inward. Most cyber attacks come from careless employee actions and gaps in security protocols rather than brilliant data thieves. Most cyber attackers, perhaps as many as 90 percent, gain their initial foothold through insider behavior such as falling for phishing e-mail or social engineering, or through employee carelessness. So, irrespective of intent, most modern-day compromises, even the biggest ones, start out “low tech” in other domains and then migrate to “high tech” cyber once behind the firewall or inside an organization’s network. In essence, modern cybersecurity is an “inside-out” proposition, not the “outside-in” that we are led to believe.
  5. Cybersecurity is a leadership responsibility. Board directors and senior executives across the leadership team should recognize that all cybersecurity compromises constitute an organizational crisis—the resolution of which needs to be led by the most senior echelons. Top-level leadership is accountable for every aspect of an organization, particularly a crisis. And, there should be no such thing as a security or cybersecurity response—it is a crisis response. The reputation and future operation of the entire organization is at stake. This is a non-delegable responsibility that requires not only a complete remediation of the current situation, but—especially in the case of cybersecurity—constructing the “new normal” for future operations.

To date, many in leadership have ignored the potential impact of cybersecurity. We proceed with our key business processes and pay little attention to cybersecurity as an organizational priority. We are often focused on operating the business, while relying on IT or cybersecurity specialists to take care of the rest. It is time to update how we think about cybersecurity—and specifically what we do about it.

AUTHOR INFORMATION

Dr. Dale Meyerrose

Dr. Dale Meyerrose, major general, U.S. Air Force (retired), is president of the MeyerRose Group—a cybersecurity, executive training/coaching, and eHealth technology consulting company. He is an adjunct instructor at Carnegie Mellon University, Institute for Software Research, running their Cybersecurity Leadership Certificate program. General Meyerrose, a Southwest Asia veteran, was the first Senate-confirmed, President-appointed Chief Information Officer for the Intelligence Community after over three decades of military service.

Maureen Metcalf

Maureen Metcalf, founder and CEO of Metcalf & Associates, Inc., is a renowned executive advisor, author, speaker, and coach who brings thirty years of business experience to provide high-impact, practical solutions that support her clients’ leadership development and organizational transformations. She is recognized as an innovative, principled thought leader who combines intellectual rigor and discipline with an ability to translate theory into practice. Her operational skills are coupled with the strategic ability to analyze, develop, and implement successful strategies for profitability, growth, and sustainability.

In addition to working as an executive advisor, Maureen designs and teaches MBA classes in Leadership and Organizational Transformation. She is also the host of an international radio show focusing on innovative leadership, and the author of an award-winning book series on Innovative Leadership, including the Innovative Leaders Guide to Transforming Organizations, winner of a 2014 International Book Award.