Being not only aware, but also resilient: An important component of a cyber security strategy is employee awareness, i.e. awareness that cyber threats exist and what forms they take. Coupled with knowledge of where the dangers lurk, what they look like, what to do in an emergency, and how best to protect oneself, this can significantly increase cyber resilience, the resistance of companies to cyber threats.
Cyber resilience is more than just cyber security. The latter is only one component of a holistic strategy to strengthen the resilience of IT against cyber attacks. Cyber resilience goes far beyond pure cyber security and takes a comprehensive approach to protecting IT and ensuring and resuming operations after attacks.
Goal: Lasting resilience of IT systems.
The goal is to create a high level of robustness in the IT infrastructure of a company or organization in the face of various threats and to minimize the risk of operational failures. An important prerequisite for the success of a resilience program is that all activities are actively driven forward by management. Cyber resilience in general must be a matter for top management. At all levels, management should make it clear that a state of constant potential threat must be assumed.
While cyber security is suitable for protecting data, networks and IT systems from cyber attacks and thereby reducing the risk of becoming a victim of an attack, resilience is not limited to risk minimization: it also provides for measures, processes and methods to ensure operations during an attack or to quickly resume operations after an attack. It therefore ensures high resilience and robustness of the complete organization and IT infrastructure. Therefore, programs to enforce resilience require holistic thinking and fast, agile action in the event of attacks.
Only 36 percent of companies are highly resilient
According to a study conducted by Greenbone Networks in collaboration with the market research institute Frost & Sullivan, however, only 36 percent of companies in the world’s five largest economies (Germany, China, the United Kingdom, the United States, and Japan) have achieved a high level of cyber resilience. The USA is the best performer: Here, 50 percent of the companies surveyed are already highly resilient. Europe is still lagging behind with 36 percent. Japan brings up the rear with 22 percent.
In a sector comparison across all countries, financial and telecommunications companies (46 percent) are best equipped against cyber attacks, followed by the water (36 percent), healthcare (34 percent) and energy (32 percent) sectors. Transportation companies see themselves as the worst positioned. Only 22 percent of them achieved a high level of resilience.
What characterizes highly resilient companies and what can organizations do to become more resistant to cyber attacks themselves?
Awareness training: With the help of training, resilient companies prepare themselves in a targeted manner. In the event of a cyber incident, they are able to quickly implement new processes or adapt existing ones to close security gaps and recover quickly from attacks.
Identify vulnerabilities: 93 percent of high-resilience organizations are able to do this, but only 41 percent of low-resilience organizations. It is in this discipline that the study found the biggest difference between high and low cyber resilience. Only when an organization is aware of its vulnerabilities – whether technical or organizational – can it address them and reduce its attack surface. Ninety-four percent of high-resilience organizations feel they are very good at this, compared to only 43 percent of low-resilience organizations.
Agility of an organization to respond quickly to emerging threats and attacks: Ninety-six percent of highly resilient organizations are also able to mitigate the impact of a cyber attack on critical business processes. What further sets them apart from organizations with low resilience is that they have aligned their cyber security architecture with their business processes.
Clear responsibilities and processes: In the event of an emergency, they enable the right people to be mobilized quickly and attacks to be averted before major damage is done. Best practice has shown, for example, that the owner of a digital asset should also be responsible for its security. In 95 percent of highly resilient organizations, this is the case. The owner can be a single person or a department.
Support from external service providers: 97 percent of respondents take advantage of external help in choosing the appropriate technology.
Awareness leads to resilience
You could also say that cyber resilience is the future of IT security. It’s not just about taking technical and organizational measures to prevent cyber incidents. After all, complete prevention can never be achieved. Rather, the goal is to remain operational and minimize damage even in the event of a successful attack. Cyber resilience takes the approach of creating security from within business processes rather than building a protective wall around them.