It is a morbid way to open an article, with a title that includes the word “death”, but you may remember that in our previous article we covered the murder of 27 year old Colombian footballer Andres Escobar, killed after inadvertently scoring an own goal at the 1994 FIFA World Cup, and how your organisation is likewise aiming at the wrong goal when it pursues cyber security.
Fortunately, for most organisations the price to be paid for aiming at cyber security is not death, but in a few cases the death of an organisation has occurred. One well known Australian example is the sad case of Distribute.IT, a web services provider that sustained two targeted attacks in close succession and ceased trading in June 2011, putting around 4,800 of its clients, many of them small businesses that depended on having a web presence, out of operation virtually overnight. For the owners of Distribute.IT and their affected clients this was a truly shocking moment: thriving one day, extinct the next. For medium to large businesses the penalty is unlikely to be so terminal, but the operational, reputational and financial impacts can deal a severe blow to both last year’s revenue and future revenue.
Furthermore, aiming for the wrong goal is demoralising. If the outcome can never be achieved, it breeds a sense of self-defeat and saps the motivation to expend any effort on a problem that appears gargantuan and unsolvable. Ultimately, this shows up in staff turnover.
So, it is time to stop aiming for cyber security. What, then, should be the goal your organisation chases?
The goal is cyber resilience. Whilst this may seem more a nuance than a fundamental shift in thinking, it has a profound impact on the way an organisation manages cybercrime.
Resilience is the ability of an ecosystem either not to deviate from its current desirable state or, where an undesirable event has pushed it out of that state, to return quickly to a desirable one. Many dismiss this as just business continuity, disaster recovery or crisis management, but those are only a small part of cyber resilience.
Cyber criminals rely on four things to achieve success, and these give us four focus areas for cyber resilience:
- Vulnerabilities – can we prevent all vulnerabilities? No. If we had waited for every vulnerability to be prevented, we would never have seen the first piece of software released, nor would we exist. Humans are full of vulnerabilities!
- Threats – again, we cannot prevent every threat, but we can be resilient to threats by having strong controls in place to deter and frustrate cyber criminals. Consider a non-IT example such as influenza. To prevent it you would need to wipe out every strain of influenza in existence; being resilient to it most likely means a balanced diet, exercise and regular sleep.
- Attacks – like threats, we cannot prevent every attack, but the ability to quickly detect and respond to attacks is a product of resilience.
- Breaches – like threats and attacks, we cannot prevent every breach, but the ability to quickly confirm that a breach has taken place and to recover from it is a sign of resilience.
Cyber resilience means reducing the impact that vulnerabilities, threats, attacks and breaches have on the information your organisation relies upon. It is an attainable goal, unlike cyber security, which is predicated on prevention and is continually, and increasingly, failing us.