A recent post on cybersecurity got me thinking about how many organizations approach protecting their networks. Citing the old terrorism adage (adapted for cybersecurity) that "[t]he attacker only has to be right once, we have to be right every time," the author accurately asserts that cybersecurity is part of the responsibility of everyone in the organization. It is definitely valid to conclude that an active, engaged training program connecting cybersecurity to the everyday responsibilities of staff prevents successful attacks.
I have a significant concern with one premise of the argument, however: that the story is over once an attacker is in your network. Instead, organizations need to adopt an approach to cybersecurity in which an incident is never the end of the story. While every cybersecurity professional will agree with the goal of keeping attackers out of our systems entirely, in reality, no matter how good your measures of protection and the training of your staff, some attacks will succeed. The time to take action is before the successful attack happens. Planning for the successful attack isn't defeatist, it is essential.
So what does planning for a successful attack actually mean? One oft-discussed aspect is known as defense-in-depth: building a network in which one stolen set of credentials will not open the entire system to compromise. Such a defensive set of procedures is part of the answer. But the defense-in-depth approach merely deepens the perimeter defense mechanisms that we're already assuming have failed.
Turning the paradigm on its head, how do you handle an attack that has circumvented the full scope of network defense that your organization has put in place? At that point, the resilience of your information systems will determine the success or failure of your cybersecurity policy. Here are some building blocks for increasing resilience:
- Encryption of data, which not only prevents the release of that information in readable form but also lets you verify that the copy on your servers or in your backup has not been changed.
- Backup systems that allow you to roll systems back to their pre-attack state, combined with imaging of endpoints so that you can move to replacement equipment with minimum time offline.
- Conducting drills on these efforts to make sure you know how to use them and that your personnel can operate in a compromised environment and use the recovery tools that you have put in place.
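The integrity check described in the first building block above, as an added example that is not part of the original post: a keyed manifest (HMAC-SHA256 over each file's SHA-256 digest) is recorded when the backup is taken, and a later verification pass reports any file that has been modified or removed. The file names, contents and the manifest key are constructed for the demonstration; the key is assumed to be stored apart from the backup itself.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Assumed: the manifest key is kept outside the backup (secrets manager or HSM).
# The value below is a constructed placeholder for the demo only.
MANIFEST_KEY = b"constructed-demo-key-do-not-store-with-backup"

def _file_digest(path: Path) -> str:
    # Stream the file so large backup sets do not need to fit in memory.
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path, key: bytes = MANIFEST_KEY) -> dict:
    """Digest every file under root and authenticate the whole record."""
    files = {str(p.relative_to(root)): _file_digest(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, "sha256").hexdigest()}

def verify_backup(root: Path, manifest: dict, key: bytes = MANIFEST_KEY) -> list:
    """Return a list of problems; an empty list means the copy is intact."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return ["manifest MAC mismatch: the manifest itself was altered"]
    problems = []
    for rel, digest in manifest["files"].items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif _file_digest(p) != digest:
            problems.append(f"modified: {rel}")
    return problems

def demo() -> tuple:
    """Constructed backup set: sign it, alter one file, then re-check it."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        (tmp / "payroll.csv").write_text("id,amount\n1,100\n")
        (tmp / "config.ini").write_text("[db]\nhost=localhost\n")
        manifest = build_manifest(tmp)
        clean = verify_backup(tmp, manifest)
        (tmp / "payroll.csv").write_text("id,amount\n1,100000\n")
        return clean, verify_backup(tmp, manifest)
```

Running `demo()` returns an empty problem list for the untouched copy and `["modified: payroll.csv"]` after the tamper, which is the signal a restore procedure should refuse to proceed on.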
When implementing resilient cybersecurity practices, the devil is in the details, because adopting approaches like these requires time and expense:
- Perhaps your organization has already put some of these processes in place with mixed results.
- One or more of these approaches may hamper your organizational workflow by restricting your employees' efficiency.
- Regulatory constraints may limit your organization's ability to implement certain types of security practices.
Can you determine the resilience of your current cybersecurity approach? How can your current cybersecurity budget best be deployed to ensure a quick recovery from a successful attack? The Foresight Information Audit is one way of starting the planning process for a more resilient system. Click here to learn more about the Foresight Information Audit.
Do you have examples of how your organization has improved its cyber resilience? Share your stories and questions in the comments below.