Level Up Your Security Strategy with Cyber Resilience

Even with strong cybersecurity programs in place, companies can still become victims of a security breach. While it may seem unfair or frustrating, especially if you’ve spent time, money, and energy working to reduce your risk, unfortunately it’s impossible to completely eliminate the risk altogether. So, you might be asking, “What’s the best way to move forward with my company’s security strategy?” We recently sat down with BARR’s own Kyle Helles, partner and attest practice leader, to learn more about a concept called cyber resilience.

Why is it important to consider cyber resilience?

“Even with best practice cybersecurity controls in place, organizations can, and do, experience system compromise and lost data to cyber criminals. That’s why it’s no longer enough to have an effective cybersecurity program without considering cyber resilience—that is, the readiness to bounce back and recover when adverse events happen.”

Is cyber resilience essential to a cybersecurity program?

“Cyber resilience is essential because adverse events can and do happen, even when organizations invest in modern systems and strong cybersecurity controls. No cybersecurity program is capable of reducing the risk of system compromise to zero.”

How do I create a powerful cyber resilience strategy?

“To build a powerful cyber resilience strategy, start with a strong cybersecurity program. This is the foundation, but it’s not the finish line. From this foundation, you’ll have controls in place to detect and prevent security breaches, including a risk assessment program to help your organization maintain its cybersecurity program.

Next, you’ll need to layer in resiliency—which is to say, you’ll plan ahead for adverse events. You won’t stop at simply detecting and preventing system breaches, but you’ll prepare your organization to respond and recover quickly from system breaches, including by:

Establishing partnerships with external parties such as MS-ISAC and the FBI that can help your organization prevent, respond, and recover from security breaches;
Developing and periodically testing a continuity plan against every critical system in your inventory; and,
Ensuring ongoing upkeep and improvement of your resiliency program. This is not a set-it-and-forget-it plan. This is a program that should be revisited at least annually, and more often when your organization experiences key people, system, data, or process changes.”

Do cybersecurity and cyber resilience complement each other?

“Let’s take the 2018 cyber attack on the city of Atlanta as an example. Prior to the attack, the city had invested resources in cybersecurity including an information management department and office of information security to oversee their cybersecurity programs. System backups and data recovery controls were part of the program, but despite governance and controls in place to mitigate and respond to a cyber attack, dozens of critical systems and data were compromised by a virus that took millions of dollars and weeks to recover from.

The issues with Atlanta’s cybersecurity program were, in many ways, weaknesses in their resiliency. There was no centralized management of systems and controls, opening the city up to unnecessary risk related to old or redundant technology. Partnerships with external parties who could proactively collaborate with the city on timely and effective response and recovery efforts were lacking. And many systems required modernization and a transition to more resilient, cloud-hosted environments. Atlanta has since invested more in the resiliency of its cybersecurity programs, strengthening the city’s ability to respond and recover more quickly in the future.”

Are there any common misconceptions about cyber resilience?

“It’s a misconception that implementing strong cybersecurity controls and having a clean IT audit history equates to having strong cyber resilience. The quality and scope of cybersecurity controls and IT audits can have a vast degree of variance between organizations, and if they are focused on detective and preventive controls, they may miss key areas of recovery and resilience that test how your organization would respond in the event of a breach.”