
To Achieve Cyber Resilience a Holistic Approach is Needed

The problem with achieving cyber resilience is finding those with the qualifications to institute it in an organization. I am pretty technology literate, have built my own computers, set up networks, planned the development of the architecture to support telecommunications and mobile networks, and with all that experience under my belt, I am not comfortable with cybersecurity.

In an article appearing today on Govtech.com, Dan Lohrmann writes about qualifications for becoming a cybersecurity expert. His rule of thumb is that you need people with 10,000 hours of experience and CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager), and Master’s Degree in Information Assurance credentials. And maybe that will be enough.

Cyber resilience requires a holistic approach to the management of digital information. The U.S. military during World War II was among the first to recognize this need. But those were simpler times, before the advent of computers, networks, and the Internet. As a result, the means and methods of achieving information assurance and resilience today require a more sophisticated toolset than codebooks and manual encryption and decryption devices.

OpenText, in a June 2021 blog, estimates that by 2025, cybercriminals will be inflicting as much as $10.5 trillion US in damages annually to the global economy. That’s up from this year’s $6 trillion estimate, with ransomware attacks happening every 11 seconds and the average data breach going unrecognized for 196 days. That means lots of businesses, NGOs, government operations, and personal computer users don’t know if they have already been hacked, or if and when they are under attack. The average data breach, of which 60% happen in North America, is costing $150 million US. That calculation includes lost productivity, the pilfering of intellectual property, and, of course, ransom payouts.

For cyber resilience, an organization needs to anticipate where risks are coming from. They are not limited to networks, PCs, and Internet exposure. A thumb drive or laptop, taken to and from work, is a potential cyber threat.

Cybersecurity, according to the U.S. National Institute of Standards and Technology (NIST), is defined as the protection and defence of cyberspace from cyber attacks. At its simplest, it includes implementing firewalls, VPNs, anti-malware software, and good computer practices such as patching software and updating firmware. It also includes the training of employees to become security conscious.

Cyber resilience is the ability of an organization to remain whole after cybersecurity measures fail, and after hacks, extreme weather events, power failures, and human errors. Cyber resilience is about data resilience and the minimizing of disruptions. It’s about quick recoveries and assurance to the organization’s many partners, from suppliers to customers.

Resiliency requires an organization to accept there will be attackers and that measures in place will help to prevent, respond to, and recover from such attacks. That means organizations need greater digital agility. That agility includes the ability to:

  • Identify vital information and security vulnerabilities.
  • Develop and implement safeguards to protect critical infrastructure and services.
  • Develop detection systems for identifying attacks, assessing affected systems, and implementing timely responses.
  • Create plans that include clearly identified responder roles and responsibilities.
  • Develop plans for the restoration of any data or services affected.

NIST provides a fact sheet to implement cyber resilience. It includes resources and tools for enacting cryptography, privacy frameworks for managing risk, and practical cybersecurity best practice standards. It looks beyond the human aspects to include connected devices, the Internet of Things (IoT), and Industrial Control Systems (ICS), and provides baseline tools for both manufacturers and end-users. It includes a curriculum providing data for employers, policymakers, and trainers in the field.

A cyber resilient power grid covering both generation and distribution is mission-critical. That’s why NIST singles out this sector, looking specifically at cyberattack vulnerabilities and resilience strategies between and among energy producers, distributed energy resource systems, and electric power distribution facilities.

lenrosen4 (https://www.21stcentech.com)
Len Rosen lives in Oakville, Ontario, Canada. He is a former management consultant who worked with high-tech and telecommunications companies. In retirement, he has returned to a childhood passion to explore advances in science and technology.
