Resiliency in a business context is often closely associated with continuity. If something happens, or if there is an outage, businesses depend on the principles of failover and redundancy to keep systems up or get them running again quickly. But the equation changes when you shift the conversation to cyber resiliency. It encompasses recovery and, more importantly, the ability to repel and prevent attacks in real-time and establish flexible, responsive, and proactive operations.
Over three-quarters of corporations cite security and data breaches as the top cause of server, operating system, application, and network downtime.[1] Your system architecture, while important, is only part of the cyber resiliency solution. Having a strategy that includes both your architecture and people is vital as well.
Cyber resiliency is a strategic approach that encompasses your system architecture, physical structures, and people. Cybersecurity is only part of the equation. Many people understand cybersecurity as it relates to breaches caused by hacks, configuration mistakes, or internal threats. Failure to secure or protect data and privacy after the fact is often where the focus settles. Instead, a resiliency-centric approach would include a proactive action plan to mitigate the damage caused by losing system access due to a cyberattack, for example.
With the recent shift to a more decentralized work environment, the need for a renewed focus on people-centric security measures has heightened. More often than not, resiliency (and cybersecurity) is really about people.
In the world of cybersecurity, there are three kinds of people:
We've all heard the story about that one good employee who made an honest mistake—like the bank employee who synced web browsers and unknowingly opened access to important bank passwords to bad actors. In this story, the employee was working from home on a work laptop connected to the home network. At some point, Google sent a notification about a new feature that synchronizes web browsers across multiple devices. Sounds nice, right? The employee proceeded but failed to realize that by syncing browsers, all personal passwords were now stored on the work browser. And more crucially, all work passwords were now stored on the personal browser.
When the bad guys broke into the employee's home network and accessed the personal browser, they discovered a treasure trove of bank information. The hackers used this access to break into the financial institution. Thankfully, architecture helps protect against malicious actors, but what about simple mistakes by good people (like the bank employee above)?
The truth is that engineers build safety nets within systems because of potential human error or attacks, not just for hardware failure. Human error is a major contributor to 95% of breaches.[2] Unintentional errors happen, and understanding how to address mistakes is essential to cyber resiliency and security.
A successful cyber resiliency strategy incorporates humans and technology. Here are a few examples of how to prevent unintentional errors.
Limiting access helps establish and maintain control over an employee's access to systems or data that needs to remain secure. Privileged access management, which grants selective access to restricted areas of IT systems that are off-limits to a standard user, is one way to protect organizations.
Multi-factor authentication requires users to provide at least two forms of identification to access resources and data. Employing another factor significantly increases the difficulty for hackers to gain unauthorized access. An example of MFA is when you are prompted to enter a one-time code sent to your mobile phone to log into your bank account. And it's not limited to consumers. Many enterprises require MFA for employees too.
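To make the one-time-code factor concrete, here is an added example (not code from the original post or from Broadcom) showing how a time-based one-time password is generated and checked on the server side following RFC 6238. It uses only the Python standard library. The secret is the published RFC 6238 test secret, the `TotpVerifier` class and its `window` parameter are assumptions made for this illustration, and the replay check (refusing to accept a code for a time step that has already been used) is the kind of caveat a practitioner would want: a leaked code must not be reusable within its validity window.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 / RFC 4226 published test secret ("12345678901234567890"), base32-encoded.
# Constructed for illustration only; never reuse a published secret in production.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)               # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                     # low nibble of last byte selects a window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time / step."""
    return hotp(secret_b32, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check of a submitted code (hypothetical helper, not a library API).

    window: how many 30-second steps of clock skew to tolerate on either side.
    last_counter: highest time step already accepted, so a code cannot be replayed.
    """

    def __init__(self, secret_b32: str, step: int = 30, window: int = 1):
        self.secret = secret_b32
        self.step = step
        self.window = window
        self.last_counter = -1

    def verify(self, submitted: str, now: int) -> bool:
        counter = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue  # replay protection: this step (or an older one) was already used
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(hotp(self.secret, candidate), submitted):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # Walk through a login at Unix time 59 (second time step, counter 1).
    v = TotpVerifier(RFC_TEST_SECRET_B32)
    code = totp(RFC_TEST_SECRET_B32, 59)
    print("code for t=59:", code)                      # 287082 per RFC 6238 Appendix B
    print("first use accepted:", v.verify(code, 59))   # True
    print("replay accepted:", v.verify(code, 59))      # False: same step already consumed
```

The generator and the verifier share nothing but the secret and the clock, which is why a phone app can produce the code offline. Note that the skew window is a trade-off: each extra step a server tolerates extends the time an intercepted code stays valid, and the `last_counter` check is what keeps that window from turning into a replay opportunity.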
Cyber resiliency is vital for every aspect of business and is much more than add-on security bells and whistles. It is strategy-worthy and critical for preventing significant setbacks to operations, services, and reputation.
A successful cyber resiliency strategy focuses on cybersecurity, architecture, and people. Considering all three angles achieves flexible, responsive, and proactive operations to ensure business continuity, even when facing something as seemingly simple as syncing browsers.
If you'd like to discuss cyber resiliency strategy, please get in touch with me directly at Ravi.Patil@broadcom.com.