With high profile cyber hacks and attacks consistently making headlines in recent times, most businesses know the importance of being cyber secure. But what does it mean to be cyber resilient?
SoGlos speaks to digital expert Jack Marley of Cheltenham-based cyber consultancy, P3M Works, to find out the differences between being cyber secure versus cyber resilient – and what it means for SMEs.
Many people use 'cyber security' and 'cyber resilience' interchangeably. In your view, what’s the difference?
Cyber security focuses on protecting systems, networks and data from cyber-attacks through measures like firewalls, encryption and access controls.
On the other hand, cyber resilience encompasses cyber security but also ensures an organisation can continue to operate during and after a cyber attack whilst recovering efficiently.
Why is cyber resilience becoming a bigger priority than traditional cyber security in today's threat environment?
The evolving threat landscape has made cyber threats more sophisticated and frequent, making it hard to prevent all attacks. Cyber resilience ensures critical functions continue during and after incidents, maintaining operations and minimising downtime.
Additionally, increasing regulations emphasise a comprehensive approach to managing cyber risks, including resilience. A flexible approach to resilience can also be more cost-effective in the long run and helps in protecting an organisation's reputation.
How do you and your team help clients build cyber resilience, rather than just hardening defences?
We deploy a technical and consultative approach to understand a client's cyber risk. This comprises a digital perimeter scan to understand the integrity of a client's digital footprint, followed up by a consultation to explore the client's approach to cyber recovery, policies and training etc.
Once we’ve achieved this ‘understand phase’, we then work with a client to identify some key objectives and then roadmap our way to achieving those objectives with our support.
We take all our high-assurance cyber project experience and bottle that for SMBs to benefit from, all whilst keeping the service genuinely affordable.
We do tend to spend a lot of our time looking at training, people and processes – to us this is the heart of resilience, getting the organisation ready for disruption and ensuring everyone knows the plan for keeping the business operational.
Can you walk us through what a cyber-resilient organisation looks like in practice?
A cyber-resilient organisation proactively manages risks by identifying critical services and assets, defining roles and having a structured risk management process. Staff are trained and confident in handling cyber events such as phishing emails and the organisation uses controls, such as multi-factor authentication, least privilege access control and data encryption.
Regular backups are performed and secured off-site; and continuous monitoring tools like security information and event management (SIEM) are used for real-time threat detection and response. The organisation has a well-defined incident response plan which is integrated with other business continuity plans and regularly tested.
Resilience looks different to each organisation and not everyone needs the coolest tools, but all organisations must have a resilience plan.
The organisation is confident when it comes to cyber risk – that is the key one for us.
What are the most common gaps or misconceptions you see in companies' cyber security strategies?
Ineffective communication of security measures to staff and not incorporating staff feedback on security systems are common gaps.
Many companies lack a structured risk management process and have undefined roles and responsibilities, leading to confusion and gaps in security coverage.
Inadequate training in cyber awareness and phishing defence, as well as poor access control measures, are also prevalent issues.
I would really boil this down to firms being reactive when it comes to cyber resilience. Our Resilience as a Service objective is to get our customers to a planned state of cyber resilience, which reduces staff burnout and awareness fatigue and also increases confidence when reacting to a cyber incident.
Are there any innovations or technologies you are excited about in improving cyber resilience?
For me, I really like the gradual phasing out of passwords. One of the most common cyber issues today is password reuse.
We’re also working with organisations that are getting really good with tabletop exercises that use real company data to create the scenarios. This makes the exercising real for the participants and really helps them immerse in the scenarios.
If you could change one thing about how organisations approach digital threats today, what would it be?
Take them seriously. All organisations have a responsibility to protect their staff and customer details online, not to mention business integrity. I would recommend everyone adopt a cyber resilience plan – don’t just react to threats as they impact you.
Where do you see the future of cyber security and resilience going over the next five to 10 years?
The future will see an increased focus on identity security, managing human and machine identities securely. AI will, of course, play a major role in offensive and defensive cyber security and resilience.
Most importantly, I think we will continue to see a real shift to resilience over security, with more small and medium businesses adopting a planned approach to resilience as we, unfortunately, see more high-profile hacks.
I see incidents like weak passwords allowing hackers to sink long-established companies occurring more often than they rightly should.