There are many definitions online – most of which are just too complex to understand. We prefer simplicity. At BackupAssist, we define cyber-resilience as “an organization’s ability to recover from an adverse cyber-event”.
Put simply… You get cyber-punched. You can get back up on your feet.
Why is it so important? Almost every organization in the world relies on computer systems to function. And today, there are more ways these systems can be hacked, sabotaged, and otherwise “knocked offline” in ways that threaten our survival.
Every business owner must have a plan for cyber-resilience, or risk one of the following outcomes:
- Being forced out of business.
- Having to pay a hefty ransom to cyber criminals.
- Breaking regulatory requirements, which in turn may result in financial penalties which threaten the viability of the company, or turn into personal liabilities against the company directors.
In this blog, I’ll cover Part 1 of this topic in plain English so anyone can understand it: the basics of cyber-resilience, what it is, and why it’s important.
Then in a future blog, I’ll explain the “how to”.
Resilience in people – and how it relates to cyber
“Tough times never last, but tough people do!” – Robert H. Schuller
I’m sure we all know resilient people. It’s a sports person who suffered an injury, only to come back. It’s a friend who got cancer, beat it and enjoys life more than ever before. A person who got crushed by a divorce, only to find love and fulfilment later in life.
There’s one thing in common amongst them all:
- They suffered an adverse event.
- They bounced back – often stronger.
Cyber-resilience is the same… but different. Both involve being able to recover from an adverse event, but the “how to” is different. Personal resilience is all about how we deal with the situation after the event, focusing on personal attributes and how we react to the situation. In contrast, cyber-resilience depends largely on forward planning before the event, and following the plan during the emergency.
|Personal resilience – how?|Cyber-resilience – how?|
|---|---|
|Positive attitude|Risk identification and mitigation planning|
|Will power and mental fortitude|The right backup system|
| |Response plan and practice runs|
What are the risks – the adverse cyber events?
Let’s be clear about the risks. There are many ways that your I.T. infrastructure or data can be sabotaged or knocked offline. Here are some common ones:
- Hacking, ransomware and other forms of cyber attack.
- Physical destruction – such as fire, flood, earthquake.
- Theft of equipment.
- Hardware failures.
- User deletions – whether accidentally, or intentionally (sabotage).
In our experience, the most common causes are accidental user deletions, ransomware and (in the last few years especially), hacking.
Cyber-resilience measures the outcome – not the method
I personally love the term “cyber-resilience” because it’s so richly descriptive and self-evident. It focuses you on the outcome, not the method.
- Can you recover?
- How quickly will you recover?
- What will your loss be?
The consequences and costs of not being cyber-resilient
Here are three examples of the ramifications of not being cyber-resilient.
1. Ransom paid to cyber criminals
An engineering consulting company suffers a hacking penetration, in which the hackers install ransomware on the file server, which encrypts all data files and backups. The ransom is $180,000. With many projects currently in progress, and payments from customers contingent on achieving future milestones, the company faces a cashflow crunch. If work is delayed, incoming cash will be delayed, while outgoings remain constant. The company will become insolvent within 2 weeks. To avoid this, the company pays the ransom as the “lesser of two evils”.
2. Financial losses due to legal non-compliance
A private medical research firm takes advantage of tax concessions offered by the country’s taxation office for performing Research and Development. As part of the company directors’ obligations, stipulated records must be kept for 7 years to substantiate the company’s concession claims. Records are kept on an on-premise file server, largely for security reasons, as the I.T. director does not want to put patentable technologies in the cloud. A fire destroys the on-premise servers, and because offsite backups were not performed, the data is lost permanently. Two years later, the tax office issues a crackdown on claims, demanding supporting evidence, which the company is not able to provide. The claims are denied by the tax office, and back payments of tax are demanded. Unable to pay, the company is shut down. The tax office then takes legal action against the directors for the outstanding tax liability.
3. Forced out of business
A marketing company makes money from its list, which it built organically over 5 years. A disgruntled employee resigns and, on his last day at work, deletes the list from the various cloud services and purges them. The cloud provider is unable to restore the data and denies responsibility because the action was performed by an authorized employee of the company. Now unable to generate incoming cashflow, but still facing payroll and fixed outgoings, the company is forced out of business. Although the employee is criminally prosecuted, the company nonetheless ceases to trade, all employees are laid off, and 5 years of hard work by the founding entrepreneur goes to waste.
Other consequences – stress, loss of reputation, breaking of trust, consequential damages
Of course we haven’t considered the emotional anguish associated with the prospect of being wiped out due to a cyber event. Who can quantify the health issues due to stress that result – or the flow-on effects like broken businesses and broken relationships?
Loss of reputation and the shattering of trust with customers may cause future lost business. In the worst case, if the business is unable to deliver previously promised services or products due to poor cyber-resilience, it may be liable for consequential damages, which adds insult to injury.
Stay tuned for Part 2 of this discussion on cyber resilience…
Now that I’ve covered the basics of cyber-resilience, we can move onto the nuts and bolts of how to be cyber-resilient. Please stay tuned for my next blog post on this subject!