Cyber resilience is an organisation’s capability to withstand the effects of unexpected threats from activities in cyber space.
While technically distinct from business resilience, the sheer connectivity demanded by customers and employees means no business resilience assessment is complete without understanding the potential impact of cyber attacks.
In assessing business resilience, there are many methods organisations can implement, such as following the UK government’s Business Continuity Toolkit, performing an assessment exercise using ISO 22301 or speaking to resilience experts. No matter the business resilience method followed, there should always be three key outcomes for cyber resilience.
Organisations should be aware of the dangers of the constantly evolving cyber landscape and incorporate effective situational awareness into their resilience plan.
By gathering cyber threat intelligence, organisations should plan the appropriate responses to cyber attacks. Exercises to identify critical assets and services will also assist organisations in creating effective cyber resilience plans.
Resilience capability confirmation
Based on asset discovery and the cyber threat intelligence gathered, organisations should assess and improve their cyber resilience.
Using cyber threat intelligence, organisations should evaluate their key threats and manage the risks posed by them. Threat identification is key to an effective cyber resilience plan – not only can an organisation mitigate persistent threats, but it can also identify gaps new threats can exploit.
No cyber resilience plan is complete without the ability to respond to incidents and minimise their effects.
Using effective cyber intelligence and asset discovery, resilience plans can be maintained and improved, mitigating threats before incidents occur. Crisis planning and simulation can also help organisations understand and respond effectively to cyber risks and confirm the strength of preventative and reactive cyber resilience approaches.
Alex Jordan is a research analyst with the Information Security Forum.
This was first published in September 2015