In the last few years, the number and volume of cybersecurity incidents have increased dramatically. Within the last few months, some of the biggest and most impactful hacks of all time have been uncovered, including SolarWinds, Microsoft Exchange, and Colonial Pipeline. These incidents have had major impacts on affected parties, including reputational damage, financial losses, and the inability to provide products and services to customers.
In a recent webinar, MorganFranklin’s Matt DeFrain, Michael Spiotta, and Eric Chan discuss how to improve cyber resilience to better prevent and manage these types of incidents. The key points are around cyber risk scenario planning, integrated resilience, incident recovery, and crisis management.
Cyber Risk Scenario Planning
When discussing risk management, cybersecurity frameworks are a good starting point. These frameworks describe the cybersecurity best practices and security controls that organizations should put in place.
However, looking at security frameworks is not enough. According to Eric Chan, “One of the key components that I see some of our clients and organizations are somewhat deficient at is truly understanding the whole scope of risk.”
Achieving cyber resilience requires a full understanding of risk to the organization. Chan says, “We really need to understand the full landscape from a planning perspective. And that includes all the technologies, information assets, and IT assets that need to be incorporated in a cyber resilience scenario in an adverse event.”
Integrated Resilience and GRC
According to Michael Spiotta, the most important part of cyber resilience is to “Find what matters. Secure what matters. Measure what matters.”
He goes on to say, “Without an accurate asset list of hardware, software, facilities, and personnel, your risk and your GRC efforts could be for naught. Because you might just have wholesale aspects of your operations that are missing that are key, and they could be extremely small, or they can be, you know, very widespread. Once you understand how the business is operating, that tells you how you can streamline your governance process.”
Identifying assets, compliance obligations, and risks is an important first step toward cyber resilience. From there, the next question is whether what the organization is doing to manage these threats is actually effective. Answering it requires developing scenarios that identify the organization’s threats and test how well the organization manages them.
Incident Recovery and Advanced Recovery
Many organizations believe that if they are not receiving alerts from their cybersecurity tools, the tools are working and everything is fine. According to Spiotta, “That’s really not true as we’ve seen on numerous occasions where we all think things are in place. And there’s another avenue that somebody is taking advantage of, and we don’t have any idea how they did it, how they got through our perimeters where our security features are.”
In response to these incidents, many organizations embrace threat hunting, proactively looking for potential security issues or indicators of compromise (IoCs) in their environments. In the webinar, Spiotta discusses how to use MITRE ATT&CK for threat hunting and incident response.
Threat hunting and proactive defense can prevent some security incidents, but not all of them. For the incidents that do succeed, preparing in advance is essential to effective recovery. According to Matt DeFrain, “It’s really the creation of a cyber vault or having some place outside the normal operating environment to provide for a place to house critical data sets that will be immutable to change, and will serve as a recovery vault if the primary and disaster recovery sites are affected.”
Crisis Management
The final topic of the webinar is crisis management. This addresses the incidents that exceed certain thresholds regarding their impact to the organization.
Every organization should have a dedicated crisis management team. According to DeFrain, “The crisis management team really represents a cross functional mix of people and they’re typically very high up in the organization. It’s C-Suite and business leads that form this with good representation down into each area of the business.”
He goes on to say, “The key takeaway here is not only defining the team, but exercising the crisis management plan. And that really is getting this team together on a regular basis, whether that’s annually or biannually, to run some simulations and scenarios.”
Taking the Next Step Toward Cyber Resilience
The past year has demonstrated the importance of resilience in every aspect of the business. In many cases, the steps that companies take to solve some problems – like growing support for remote work – create new security challenges. Check out the conversation between DeFrain, Spiotta, and Chan to learn how to develop cyber resilience in your organization.