Cyber Resilience Policy At The Corporate Board Level Sample Assignment
Cyber resilience policy at the corporate board level
Cyber Resilience
Cyber risk has entered a new era, and its management is no longer the sole responsibility of the IT department. Supply chains, infrastructure, sites and data: risk managers are now confronted with cyber threats that can affect a company as a whole, and the more a company depends on data services and technology, the more it is exposed to business interruption caused by a cyber attack. The profit motive of cybercriminals and the rapid evolution of malware make it increasingly difficult to guarantee the security of companies, regardless of their size or sector, and a new concept has emerged in response: cyber resilience. Being cyber-resilient helps companies become aware of vulnerabilities, risks and attacks and adopt a proactive attitude towards them.
It has been estimated that the economic impact of cyber attacks in 2017 exceeded 2.9 trillion dollars, a figure projected to double to more than 6 trillion within five years. We must accept that it is impossible to eliminate cyber risk and cyber attacks completely. Adopting a resilient attitude towards vulnerabilities is therefore essential in order to manage the remaining risk and to overcome incidents with minimal impact on the organization. Cyber resilience is the ability of a company to adapt and to continue its functions and its work in situations of risk.
Essential differences
Cyber security consists of reducing the risk of attacks and intrusions, and of the impact of man-made or natural disasters, on the use of communication and computer systems. Cyber resilience is the capability to prepare for and adapt to changing conditions, and to recover capabilities swiftly after accidents, intentional attacks or incidents affecting those systems. It follows from these definitions that reducing risk and restoring information after a security lapse fall within the perimeter of cyber security, while cyber resilience is wider: it incorporates cyber security, adds resilience to the attacks that are not prevented, and provides the ability to resume normal business operations as soon as possible after an attack, an incident or a natural disaster affecting the information systems (Mowbray and Shimonski, 2014).
How to be cyber-resilient?
The first step in a cyber resilience strategy is for the company to have appropriate security technology in place to achieve the necessary levels of protection and to keep that technology functioning properly. That is not the only requirement. The infrastructure must be monitored continuously, and the organization must know at all times which protections it has and which internal and external risks it faces. It is also necessary to create and promote a culture of security across the business and to educate every member of the company in good practice, so that risks are avoided and staff know how to act in the event of an infection.
Continuity Plan and Cyber-Resilience
In short, being cyber-resilient means accepting that some attacks cannot be stopped and having an action plan that allows the organization's activity to be resumed as soon as possible when a problem occurs. A cyber-resilient attitude helps the organization prepare for an attack and keeps the economic impact on the business as low as possible. With a backup and data restoration system (backup or site recovery), the organization retains a copy of its information and data, so that in the event of an infection activity does not stop, the impact of the attack is reduced and all the information can be recovered (Shrobe, Shrier and Pentland, 2018). This only holds if the backup copies are kept isolated from the production network, so that an attacker who compromises it cannot encrypt or delete them as well, and if restoration is rehearsed regularly rather than assumed to work.
Risks in the field of IT security
Every business is potentially at risk of cyber attack and must implement IT security measures suited to its own activity. The objectives of attacks on companies are diverse; as a rule they are connected with financial gain, sabotage, information gathering or political interests. Critical data (R&D data, bank details, customer information, source code, etc.) can be the target of an attack, and stolen data can in turn be used as a tool for further attacks. For companies, the concrete damage takes the form of system failures or incorrect or forged information, for example.
Infrastructure may likewise be the target, whether through targeted sabotage of a company or of logistics or public utility facilities. The Internet of Things adds new attack paths: IoT devices can be hacked and then misused for further attacks on third parties. It is crucially important to be aware that cyber attacks are in some cases never recognized, or are recognized only months later. Basic measures such as virus scanners, firewalls and regular software updates are widespread, but they primarily protect against widespread or already known attacks and malware variants. A technically sophisticated attack tailored to a single business may be neither prevented nor detected by such means.
In its reports on the state of IT security, the Federal Office for Information Security (BSI) has identified, among others, the following threats as particularly relevant:
- Targeted hacking of web servers
- Drive-by infection of computers while browsing the web
- Targeted infection via e-mail attachments
- Denial-of-service attacks
- Untargeted mass distribution of malware, e.g. through spam e-mails
- Multi-stage attacks
Sensitization of employees
According to various surveys, unintentional employee misconduct is one of the most common causes of successful cyber attacks. Regular training of employees and ongoing information about new risks and attack methods are therefore particularly important. The simplest example is e-mail with infected attachments. Whereas in the past these were relatively easy to recognize (e.g. by their machine-translated wording or implausible content), today the attempts are often hardly recognizable. They are frequently combined with social engineering: the attacker first gathers information about the company and its employees and then contacts individual employees with specifically crafted messages, for example alleged job applications sent to Human Resources or invoices sent to Accounting. As a basic measure, it makes sense to consider IT security whenever a new or changed process is defined: within a discussion of the individual process steps, attack scenarios can be identified and the necessary security measures derived.
Security of mobile devices
The widespread use of mobile devices poses further IT security risks. While company-issued tablets and smartphones tend to be well protected, the risks of employees using their own personal devices must also be considered. For example, the stored credentials for the corporate mail account can be read from a smartphone that has no screen lock or other access control. In the event of loss or theft, a third party would readily gain access to the business e-mails.
Among others, the following measures for the protection of mobile devices should be considered:
- Access control (PIN or password, with an automatic screen lock)
- Encryption of the data
- Protection against viruses and Trojans (an overview of antivirus products is available e.g. at www.av-test.org)
- A note of the device's IMEI number, so that the device can quickly be blocked if it is lost (displayed by entering *#06#)
- Use of mobile device management (MDM) software
Cyber Resilience
To reinforce cyber resilience, new cutting-edge tools and a proactive strategy are needed. In line with our approach to loss prevention, which combines science, engineering and research, we envision cyber security in a global and innovative way. It is in this context that we have created, internally, research, engineering and underwriting entities dedicated to cyber risk, each headed by an expert in the field.
Example: an organization named 'Sell U Goods' has created a risk department that ensures compliance with the relevant regulations and works with the business continuity plans and the IT department to implement procedural controls (Singer and Friedman, 2015).
Cyber-resilience: a major challenge for organizations
Cyber security aims to oversee security by taking a holistic approach to people, technology and processes. It requires a strong and evolving line of attack for analysing, managing and optimizing risk, and it is the principal guardian of the informational assets of organizations, companies, individuals and states. Cyber security rests on five pillars: identification and preparation, protection, detection, response and recovery. In this approach it is therefore necessary to ask the right questions, to take the right actions and to reassess them regularly and pragmatically in order to improve the management of cyber risk (Rothrock, 2018).
Once the organization understands that sooner or later it will be affected by a cyber attack regardless of the preventive measures it has implemented, it can proceed to the next stage: the design, development and enforcement of a Cyber-Resilience Program (PCR). Such a program includes security and deterrence but goes beyond them to focus on the organization's reaction and toughness in a crisis.
A vigorous PCR entails:
A proper and comprehensive description of the business risks.
Instead of relying on compliance with policies, the focus is placed on the outcome and aftermath of a cyber attack. This makes it possible to identify the most important aspects of the organization and to concentrate the investment of resources and time on them.
The formulation of a security strategy.
As mentioned, cyber resilience includes cyber security, but here security is focused precisely on the threats to the key assets of the organization: the processes, people and technology that are linked to, or have contact with, those assets, and the procedural controls that can mitigate those threats.
An outline of a cyber-recovery plan.
This ensures the agility, prioritization and flexibility needed to respond to a successful cyber attack. The plan must be complete, accurate and rigorous, because once an attack has taken place it is too late to plan.
The development of a standard test agenda.
Periodically putting the cyber-recovery plan to the test allows the set-up to be evaluated and gives confidence that the plan can be relied on when it is needed. It also re-tests the security mechanisms as the environment evolves, to ensure they keep pace with it (Piggin, 2018).
Organizations must fully recognize this paradigm shift from cyber security to cyber resilience and its strategic benefits. It means focusing resources and energy on the cyber threats that could truly affect the organization, and on the events that will provide warnings and insights about those risks (Accenture.com, 2018).
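The restore test that the standard test agenda calls for (and that the backup discussion under "Continuity Plan and Cyber-Resilience" depends on) can be rehearsed as a script: take a backup with a hash manifest, corrupt the live copy the way ransomware would, restore into a clean location and verify every file. The following is an added example written for this page, not code from any of the cited works; the 'live' directory, its two files and the ransomware simulation are constructed for the demonstration, and the script assumes only the Python standard library.

```python
"""Restore drill for a backup: does the copy actually come back intact?

Added example for this assignment, not code from any of the cited works.
It constructs a small sample dataset (hypothetical 'live' directory),
takes a backup with a SHA-256 manifest, simulates a ransomware-style
overwrite of the live copy, restores the backup into a clean directory
and verifies every file against the manifest. All paths and contents
are constructed for the demonstration.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (relative POSIX path) under root to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(root: Path, archive: Path) -> dict:
    """Archive root as 'data/...' and store the manifest beside the archive."""
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname="data")
    archive.with_suffix(".manifest.json").write_text(json.dumps(manifest))
    return manifest


def restore_backup(archive: Path, dest: Path) -> Path:
    """Extract the archive into dest, refusing members that would escape dest."""
    dest_resolved = dest.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            target = (dest / member.name).resolve()
            if target != dest_resolved and dest_resolved not in target.parents:
                raise ValueError(f"unsafe path in archive: {member.name}")
        tar.extractall(dest)
    return dest / "data"


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a directory against the manifest; extra files are ignored."""
    actual = build_manifest(restored)
    missing = sorted(set(manifest) - set(actual))
    corrupted = sorted(name for name, digest in manifest.items()
                       if name in actual and actual[name] != digest)
    return {"ok": not missing and not corrupted,
            "missing": missing, "corrupted": corrupted}


def run_drill() -> dict:
    """Back up, corrupt the live copy, restore, verify. Returns both verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        live = base / "live"
        (live / "finance").mkdir(parents=True)
        # constructed sample data for the drill
        (live / "finance" / "ledger.csv").write_text("2018-09-01,invoice,1200\n")
        (live / "customers.db").write_bytes(bytes(range(256)) * 4)
        archive = base / "backup.tar.gz"
        manifest = take_backup(live, archive)

        # simulate ransomware: every live file overwritten, ransom note dropped
        for path in live.rglob("*"):
            if path.is_file():
                path.write_bytes(b"ENCRYPTED")
        (live / "README_DECRYPT.txt").write_text("pay up")

        live_after = verify_restore(live, manifest)          # expected: corrupted
        restored = restore_backup(archive, base / "restore")
        restored_after = verify_restore(restored, manifest)  # expected: ok
        return {"live_after_attack": live_after, "restored": restored_after}


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
```

The manifest is what makes the drill meaningful: restoring files is easy, but without a reference hash taken at backup time there is no way to tell a clean restore from one that silently carried the corruption along. The path check in restore_backup guards against archive members that point outside the restore directory, which matters once backups are restored from media an attacker may have touched.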
The impact of implementing a cyber resilience plan
Shifting from a purely cyber security mindset to a cyber resilience plan requires three major transformations in the organization: in perspective, budget and expectations. Perspective means shifting the focus from how and what to the formation of a proper security plan; leadership must know its assets and how they are protected. The second aspect is budget. A proper balance between risks and costs has to be found, because treating all assets and all risks uniformly is never cost-effective; business leaders need to shelter their most essential assets while staying within the limited budget of the IT department. The third aspect is expectations. Leadership must always be prepared to anticipate attacks and flaws and must have a mechanism to limit their impact on the finances, reputation and operational processes of the organization. Aligning cyber resilience expenditure with organizational priorities thus maximizes the return on investment and reduces the threats that matter most (Kreutz et al., 2016).
Conclusions and Recommendations
Achieving successful cyber-risk governance overall is a complex and difficult task that requires customization, attention, willingness and agility to change, and excellence in this area seems almost unachievable. It is nevertheless essential for organizations of every type (government, academic, for-profit or non-profit) to adopt proper cyber-risk governance as part of their overall cyber resilience. In this era of technology-driven rapid change and hyper-transparency, cyber risk will not merely persist but will evolve into a more hazardous and complicated threat.
Now that cyber resilience has been evaluated comprehensively, it is recommended that organizational leadership keep in mind the key factors of such a program. The framework involves a comprehensive and precise description of the threats to the business, the formulation of a proper security framework, the framing of a recovery program for the event of a cyber attack, and the formulation of a standardized test agenda. The testing should be intrusive enough to probe the organization's systems and networks the way an attacker would, so that their security is continuously evaluated and improved; regular penetration testing plays a crucial role in any successful cyber security agenda.
The cyber resilience plan provides the primary framework for building a cyber-resilient environment within the organization. High-level action plans are set out that help the organization evolve while keeping pace with the rapidly changing digital landscape and its associated risks. Beyond the need for a cyber resilience plan and its implementation, the most important ways in which it helps an organization are by reducing financial losses, by supporting compliance with the regulatory and legal requirements for cyber attack response, and, in certain circumstances, by aiding business continuity management, improving internal processes and organizational culture, and protecting the reputation and brand value of the business.
References
Accenture.com. (2018). [online] Available at: https://www.accenture.com/us-en/insights/cyber-security-index [Accessed 9 Sep. 2018].
Kreutz, D., Malichevskyy, O., Feitosa, E., Cunha, H., da Rosa Righi, R. and de Macedo, D. (2016). A cyber-resilient architecture for critical security services. Journal of Network and Computer Applications, 63, pp.173-189.
Mowbray, T. and Shimonski, R. (2014). Cybersecurity. Indianapolis, Ind.: John Wiley & Sons.
Piggin, R. (2018). Cyber Resilience 2035. ITNOW, 60(1), pp.30-31.
Rothrock, R. (2018). Digital Resilience: Is Your Company Ready for the Next Cyber Threat?. AMACOM.
Shrobe, H., Shrier, D. and Pentland, A. (2018). New Solutions for Cybersecurity. Cambridge, MA: MIT Press.
Singer, P. and Friedman, A. (2015). Wang luo an quan [Cybersecurity and Cyberwar]. Beijing: Publishing House of Electronics Industry.
Zongo, P. (2018). The Five Anchors of Cyber Resilience: Why Some Enterprises are Hacked Into Bankruptcy, While Others Easily Bounce Back. Broadcast Books