01.03.2021

Cyber awareness leads to more resilience


Not only aware, but also resilient: An important building block of a cyber security strategy is employee awareness, that is, knowing that cyber threats exist and which ones. Coupled with knowledge of where the dangers lurk, what they look like, how to behave in an emergency and how best to protect yourself, this awareness can significantly increase cyber resilience, the resistance of companies to cyber threats.

Cyber resilience is more than cyber security. The latter is only one component of a holistic strategy to strengthen IT’s resilience to cyberattacks. Cyber resilience goes far beyond cyber security and takes a comprehensive approach to protecting IT, keeping operations running and resuming them after attacks.

Goal: Permanent robustness of IT systems

The aim is to make a company’s or organization’s IT infrastructure highly robust against the various threats and to minimize the risk of operational failures. An important prerequisite for the success of a resilience program is the active support of all activities by management. Cyber resilience must also be a top priority. At all levels, management should make it clear that a threat must be assumed to be possible at any time.

While cyber security serves to protect data, networks and IT systems from cyber attacks and thus to reduce the risk of becoming a victim of an attack, resilience is not limited to risk minimization: it also provides measures, processes and methods to ensure operations during an attack or to resume operations quickly after an attack. It thus ensures a high level of resilience and robustness of the entire organization and IT infrastructure. Resilience programs therefore require holistic thinking and fast, agile action in the event of attacks.

Only 36 percent of companies are highly resilient

However, according to a study by Greenbone Networks in cooperation with the market research institute Frost & Sullivan, only 36 percent of companies in the world’s five largest economies (Germany, China, Great Britain, USA, Japan) have achieved a high level of cyber resilience. The USA performs best: Here, 50 percent of the companies surveyed are already highly resilient. Europe is still lagging behind at 36 percent. Japan brings up the rear with 22 percent.

In an industry comparison across all countries, financial and telecommunications companies (46 percent) are best equipped against cyber attacks, followed by the water (36 percent), health (34 percent) and energy (32 percent) sectors. Transport companies see themselves in the worst position. Only 22 percent of them achieved a high level of resilience.

What distinguishes highly resilient companies and what can organizations do to become more resilient to cyber attacks themselves?

Awareness training: With the help of training, resilient companies prepare themselves in a targeted manner. In the event of a cyber incident, they are able to quickly implement new processes or adapt existing ones to close security gaps and recover quickly from attacks.

Identify vulnerabilities: 93 percent of highly resilient organizations are able to do this, but only 41 percent of those with low resilience. In this discipline, the study found the biggest difference between high and low cyber resilience. Only if an organization is aware of its weaknesses – whether technical or organizational – can it eliminate them and reduce its attack surface. 94 percent of highly resilient companies say they are very good at this, in contrast to only 43 percent of those with low resilience.

Agility of an organization to respond quickly to emerging threats and attacks: 96 percent of highly resilient organizations are also able to mitigate the impact of a cyber attack on critical business processes. What also sets them apart from organizations with low resilience is that they have aligned their cyber security architecture with their business processes.

Clear responsibilities and processes: They make it possible to quickly mobilize the right people in an emergency and to fend off attacks before major damage occurs. One best practice that has emerged, for example, is that the owner of a digital asset should also be responsible for its security. This is the case in 95 percent of highly resilient companies. The owner can be a single person or a department.

Support from external service providers: 97 percent of respondents seek external help in choosing the right technology.

Awareness for resilience

You could also say that cyber resilience is the future of IT security. It’s not just about taking technical and organizational measures to prevent cyber incidents, because this can never be completely successful anyway. Rather, the goal is to remain operational and minimize damage even in the event of a successful attack. Cyber resilience takes the approach of creating security from within the business processes instead of building a protective wall around them.