It’s a question we get asked at Ascentor and a Google search will often see returns for ‘cyber security vs cyber resilience’ – as if there’s some contest between the two. Perhaps the curiosity is because ‘cyber security’ has been around for a few years now but ‘cyber resilience’ is a relatively new term.
There is a major distinction to be made and, in this article, we’ll explain which types of organisation in particular need to achieve cyber resilience – and how they should go about getting there.
So, what is the difference?
Cyber security – keeping them out
Imagine a country that wants to build a wall to keep out unwelcome visitors (where did we get this from?). They might first build a wall – it might be a very high wall and certainly very robust – but would one wall be enough? An alternative might involve numerous walls, some higher than others and maybe a few ditches too. This is a ‘defence in depth’ approach to security. But, even with more than one barrier involved, there’s still no guarantee it will completely stop people getting through. This is a little like cyber security.
Cyber security is a series of measures focused on preventing hackers from penetrating your IT systems. Whilst implementing basic cyber security best practice will prevent the great majority of attacks, even with your defences up (or your walls), hackers can find holes when the landscape changes. For, as much as any organisation might try, 100% prevention isn’t possible. Which leads us to…
Cyber resilience – responding when they get in (because they probably will)
If we work on the basis of ‘not if, but when’ with a cyber attack, the importance of cyber resilience comes into play.
Definitions tend to describe a cyber resilient organisation as one that will be able to respond to and recover from a cyber attack, keep operating through it (very important) and eventually get back on track and be more capable of withstanding future disruption. Cyber resilience also involves things like business continuity management – and Google search results often include cyber resilience and business continuity together.
One of the reasons for the emergence of ‘cyber resilience’ lies with the realistic view that for all the defences an organisation might have in place (remember that wall), there is still a likelihood that they’ll suffer some kind of attack. And the latest UK Cyber Breaches Report (April 2019) would support this. The report found that 60% of medium firms and 61% of large firms have identified a major breach in the past 12 months.
However, what makes cyber resilience so mission critical is the ability to remain operational during such an event.
But is the distinction that simple?
Is cyber security a stand-alone process with cyber resilience following (as if they are two separate things), or does cyber resilience include cyber security? Opinions differ. If you research coverage of the link between the topics, you’ll mainly find a linear relationship. Many articles start by discussing cyber security, and then move on to cyber resilience.
The World Economic Forum, in their post ‘Cyber resilience: everything you (really) need to know’ talk about cyber security as ‘binary’ – ‘either something is secure or it isn’t’. They also say that there is a difference between the access control of cyber security and the more strategic, long-term thinking that cyber resilience should evoke.
However, if we look at the US National Institute of Standards and Technology (NIST) Cyber Security Framework, an internationally recognised and respected framework of activities, outcomes and references that detail approaches to aspects of cyber security, cyber resilience covers five stages (the framework calls them Functions) – Identify, Protect, Detect, Respond and Recover.
The ‘Identify’ stage is described as being to “Develop the organisational understanding to manage cyber security risk to systems, assets, data, and capabilities.” So, in the NIST context, cyber security is a stage of the wider process of cyber resilience.
What’s more, the National Cyber Security Centre (NCSC), in its discussion ‘Cyber resilience, nothing to sneeze at’, talks about a ‘resilient system’ in four stages. Similar to the NIST framework, their first stage is called ‘Prepare’. Their view is that preventative security is still essential. Defences that protect from known attacks (whether they be technical, like firewalls, or non-technical, such as cyber policies) will help improve your resilience. However, it’s not enough to rely solely on prevention.
It would appear that the weight of opinion (and we’ll take NIST and the NCSC as pretty weighty) would say that cyber resilience is a broader process which includes cyber security. Both terms start with ‘cyber’ but, in terms of scope, cyber resilience would seem to ‘Trump’ cyber security (and you thought we’d finished with that wall analogy)!
So, why does cyber resilience matter?
A severe cyber attack can have consequences for the delivery of services should systems be put out of operation. If your organisation is involved in national security, critical national infrastructure, the NHS or public safety, the impact of a security breach could be huge. The same applies to an internet- or technology-reliant business – such as an online retailer, a bank or a streaming provider. An attack might pose a threat to your entire business operation, the economy or even life.
In essence then, cyber resilience matters because reliance on cyber security measures alone (as effective as they might be) isn’t enough to prevent the most severe of consequences following an attack.
Accepting that the worst may happen at some point, and being able to respond when it does, is more effective than assuming that your cyber security measures will hold. They might, but if they don’t, what then? That’s why you need to be cyber resilient.
It’s also why, given the consequences of a serious cyber attack, the output of cyber resilience activities should be seen as part of an organisation’s wider risk management and business resilience activities.
Steps towards cyber resilience
So, how do you get there? Your cyber security and resilience activities will almost certainly encompass one or more standards, schemes or models with which you need to be certified or comply. Details of many of these can be found here. Ascentor can help you achieve certification and compliance.
The comprehensive path to cyber resilience comes through a cyber security programme which includes an assessment of your existing resilience. We also look at your security governance, policies, standards, processes and procedures, and appropriate levels of awareness training for staff and users.
We use well established cyber risk management principles guided by widely accepted best practice to help you design and implement your programme. This includes the NIST Cyber Security Framework, SANS Critical Security Controls and the Cybersecurity Capability Maturity Model (C2M2). For full details, see our Cyber Security Programme page.
We’ve covered the seven steps to designing a resilient cyber security programme in an earlier blog article and produced a more detailed white paper available for download from our resources page.
Cyber security and cyber resilience are related by more than the word ‘cyber’. They are both forms of protection against cyber threats but cyber resilience recognises that the first line of defence may not work and so enables the organisation to remain up and running should cyber security measures fail. As such, they work best in tandem but need to be appropriate to the level of risk to be able to reduce any damage caused.
Ultimately, cyber resilience matters because there are organisations operating in critical environments that make them of greater interest to threat actors precisely because of the nature of their work. The risks are high and can affect more than the organisation itself. If such work is disrupted and taken offline, it could have the gravest of consequences. That’s why the ‘WannaCry’ ransomware attacks on the NHS received so much coverage. The risk to human life makes cyber resilience something we should all care about.
For further information
If you have found this article of interest, the Ascentor blog regularly carries articles about a range of topical cyber security issues. You might also like to receive our quarterly newsletter. Sign-up details below.
If you want to evaluate where security risks lie within your organisation, why not take our free online risk assessment and receive feedback and suggestions.
If you’d like to discuss any aspect of IA (information assurance) and cyber security, please get in touch, using the contact details below.