Senior Research Associate,
National Security and Public Safety
On March 1 and 2, The Conference Board of Canada hosted a cyber security conference, bringing together experts and practitioners to discuss the theme of “Building Resilience Now and For the Future.” Building cyber resilience is about more than preventing attacks; it’s about being able to limit the impact of attacks that do occur, and being able to resume regular business faster. This requires a fundamental change in how we think about and plan for cyber incidents, including data breaches. Our expert speakers and panellists shared their insights and recommendations for building resilience across organizations.
Address Cyber Security’s Place Within Organizational Culture
One theme that was repeated over the course of the conference was that cyber security experts are not seen as enablers. Rather, they are seen as “no” people, who impede progress on the organization’s business goals. This aspect of the organizational culture needs to change to facilitate better collaboration between cyber security and all other business areas, and to encourage positive partnerships rather than adversarial relationships. One expert suggested that cyber security practitioners stop defaulting to the “if there’s a security feature, enable it” mindset and instead start working with others to see how safe cyber practices can be integrated into their work.
Build a Cyber Resilience Program
Achieving resilience in any organization starts at the top. Executive-level support and buy-in are needed to develop a program that can help the organization reach its desired level of cyber capability—whether that is 24/7/365 monitoring and response; the ability to conduct advanced cyber analytics, offensive testing, and malware protection; or a complete enterprise-wide cyber defence strategy. Each organization should identify its own needs and cyber security goals, and then put a plan in place for reaching them.
An important part of that plan should be regular training across the entire organization. Training and experience are the building blocks an organization needs to become more resilient. Every lesson learned or skill developed during a training exercise, and every real cyber incident the organization survives, adds another block and strengthens resilience. Organizations should test their technology and their responsiveness regularly through exercises, and stay informed about emerging threats and patterns of concerning activity.
Have the Right People in Place
Having the right advisors in place in the event of a crisis can help strategize a response that will mitigate damage and help an organization return to business as usual. It is important to have frank conversations with the board of directors as well as cyber insurers to determine who to reach out to for a variety of scenarios. For example, establishing legal privilege under which to carry out certain conversations may be essential, as is knowing who will manage communications when news of an incident is made public.
When dealing with a criminal element, such as during a ransomware attack, it is also important to use an experienced incident responder, such as a breach coach, who can advise on the best course of action and ensure that all precautions are taken if negotiations are entered into to unlock the ransomed data. While these measures are meant to be back-up options—and do not replace preventative cyber security practices—they need to be in place before a crisis hits.
Enable Collaboration and Information-Sharing
Internal collaboration and information-sharing across the organization can help to detect, prevent, and mitigate the severity of cyber security incidents. Collaboration can help to break down silos within the organization, which can be a persistent problem for cyber security. A better understanding of cyber security by all employees can not only improve the implementation of security practices, but also generate better understanding of how cyber security can support business goals.
Opportunities for information-sharing across the organization can help maximize research resources, provide shareable and actionable information, and identify patterns in attacks already experienced. By sharing resources, organizations have the chance to make attacking them (or their sector) as difficult and expensive as possible, disincentivizing criminal action. In fact, one presenter believed that almost 40 per cent of cyber attacks could have been avoided had internal, multi-area information-sharing been in place. Some organizations are already establishing networks, such as sharing hubs and multi-area collaboration centres, to facilitate data exchange and thereby build a better picture of the threat landscape.
Building cyber resiliency is not a single-solution strategy. It involves buy-in from the executive level, establishing comprehensive plans and policies, providing ongoing training, and thinking outside of the traditional constraints of the organization. We will continue to explore this shift in dealing with cyber threats with a more in-depth research briefing at the end of 2018.