16 May 2019
The need for an organisation to maintain essential functions during, as well as after, a disaster is what gave rise to Business Continuity. In today's connected world, cyber threats are now one of the top sources of disaster for the business world, and the risk of cyber attack is increasing in both frequency and severity. Businesses should no longer think about the 'if' but rather about the 'when': cyber attacks will occur at some point. Protection remains critical, of course, but it is equally important to know how to respond in order to minimise damage and get back to normal operating conditions as soon as possible. This capability is known as Cyber Resilience.
Customers, business partners and regulators are all increasingly intolerant of both information systems downtime and data losses. The Mauritius Data Protection Act 2017 and the European Union’s General Data Protection Regulation (GDPR) impose heavy penalties for data breaches.
Hence, it is imperative that companies integrate cyber resilience into the broader business continuity strategy. This includes the ability not only to identify and protect against cyber attacks, but also to detect any attacks and recover from them. To achieve this integration, we recommend the following five steps:
- Align IT and business to a cyber-resilience strategy. A critical element will be to use a common approach to enable this alignment effectively.
- Get top management buy-in. As with most business initiatives, having executive sponsorship is critical to gain traction and receive budget. Given the importance of business continuity as a whole, inclusive of cyber resilience, this sponsorship should be at board level.
- Get the balance between cyber risk appetite and resilience right. There is no one-size-fits-all approach. Companies must take the time to understand their particular threat landscape, and establish the appropriate response plan. Mitigating and/or remediating risks costs money.
- Develop a comprehensive cyber strategy incorporating people, processes and technology. As with business continuity, a multi-pronged approach is required, which means aligning people, processes and technology rather than relying on any one of them.
- Create a holistic resilience culture built on the cycle of identify, protect, detect, respond and recover. Protection is vital but, as noted above, is unlikely to be infallible, so the ability to detect that an attack has occurred at all is equally vital in order to trigger a suitable response and recovery.