

Strategy 3 of 5: Resilience
Strategies for passive preventive controls and threat-informed controls will go a long way toward reducing the likelihood of a successful cyber attack. However, prevention can never be considered 100% effective; your organization needs to be prepared for an eventual breach of your defenses. This is where resilience comes into play.
What is resilience?
In the book Cybersecurity First Principles, resilience is defined as "the ability to continuously deliver the intended outcome despite adverse cyber events."
In plain English: Resilience is making sure your organization can still do its main job, even while it is under attack or dealing with a technical failure.
Think of a boxer. A boxer who only knows how to block is a good defender. But a resilient boxer is one who can take a punch, stay on their feet, and keep fighting until the round ends. In cybersecurity, resilience means your business doesn't stop just because a system or application does.

Resilience, disaster recovery, and business continuity: What’s the difference?
People often confuse three important terms: disaster recovery, business continuity, and resilience. While they overlap, they have different goals:
Disaster Recovery (DR): This is your "fix-it" plan. It focuses on how to get your technology back online after it breaks or gets hacked. DR is a reactive practice, executed once a disaster event has been declared.
Business Continuity (BC): This is your "keep working" plan. It focuses on how the whole organization stays productive. If the computers go down, do you have a way to take orders over the phone? Like DR, BC is a reactive practice.
Resilience: This is your "stay strong" design. It is built into your systems from the start. A resilient system is designed so that if one part fails, the rest of the system keeps running.
Disaster recovery and business continuity are often about what you do after a problem starts and focus on reducing the duration of downtime. Resilience is about how you reduce the probability of downtime.
Resilience tactics
Building a resilient organization requires a mix of planning, rules, and technology. Here are some tactics to consider (which we’ll cover in depth in future articles):
Crisis planning
You don’t want to wait until an emergency happens to figure out who is in charge of what. A crisis plan lists exactly who needs to be in the room (physical or virtual), who talks to the public/media, and who makes the key decisions while addressing the emergency. This goes beyond IT and likely includes executives, the legal team, and public relations.
Backup and restore practices
Backups are your safety net. If an adversary locks up your data or systems, you need to be able to rewind to a time before the attack. A resilient strategy ensures backup schedules are regular, backup data is kept in a safe, separate repository, and that you have practiced restoring them via documented procedures.
Encryption (at rest and in transit)
If an adversary steals your data, encryption makes sure they can’t read it or use it.
Encryption at rest means data is protected while it sits in storage, whether it’s in a file system or in a database.
Encryption in transit means it is protected while it travels between applications and systems.
Incident response planning
Incident response planning goes hand in hand with crisis planning. Think of this as a fire drill procedure for your IT team. You need a clear set of steps to follow the moment you suspect a cyberattack. The faster you respond, the less damage the adversary can do.
Compliance regulations
Many industries have laws about how they must protect data. Following these compliance rules provides a solid foundation for resilience. These regulations are often based on lessons learned from other companies that suffered attacks.
Why resilience matters
Probability says you cannot stop every single cyberattack. Technology is too complex, and adversaries are too persistent.
However, by focusing on resilience, you change the goal. You stop trying to be unhackable and put the emphasis on being unbreakable. When you build resilience into your strategy, you ensure that no matter what happens, your organization can keep delivering on its promises.
If you have any comments or feedback, just respond to this email!
Thanks for reading and stay secure,
Aaron
