
Cyber Resilience – Managing Cyber Risk Through a Multi-Disciplined Approach

Cyber Resilience Overview

Cyber incidents and data breaches are occurring at an unprecedented rate. Cyber threats continue to evolve in scale and complexity and have led to the loss of intellectual property, customer data, and other sensitive information for many organizations.

Cyber incidents can result in major disruptions to core business services and operations and cause negative impacts including:

  • Severe financial impact 
  • Reputational and brand damage 
  • Disruption to product and service delivery
  • Negative customer experience 
  • Loss of investor confidence 
  • Regulatory non-compliance and the resulting penalties 

Cyber Resilience is a multi-disciplined approach to proactively managing cyber risk through a combination of traditionally siloed activities. Integrating these activities through Governance, Risk and Compliance (GRC) provides additional visibility into the current risk posture and provides a vehicle for continuous improvement.


CYBER RESILIENCE RISK PLANNING

Cyber resilience goals should be informed by realistic cyber risk scenarios that anticipate likely threats and attack vectors based on current trends and exploits. Multiple threat actors and cyber risk scenarios may affect an organization.

The goal of assessing cyber risk scenarios is to identify the most common threat actors, potential resilience techniques, attack vectors, targets, and impacts to the organization. Specific objectives include:

  • Identify and evaluate the potential impacts of cyber threats on digital/informational assets, including loss of availability, integrity and confidentiality, data destruction, and data leakage
  • Risk-rank each scenario by its likelihood of execution and its impact on company assets, to support business impact assessment scoring
  • Identify areas where additional resilience techniques or advanced recovery strategies may successfully mitigate the risks and their implications

AN INTEGRATED RESILIENCE NETWORK

Effective resilience programs must include an integrated and coordinated approach among all aspects of the incident management lifecycle, including site-level emergency response, technology and cyber incident response, executive-level crisis management, business or operational continuity and IT resilience and disaster recovery (DR).


GOVERNANCE, RISK AND COMPLIANCE INTEGRATION

Governance, Risk and Compliance (GRC) is the integrated set of capabilities that enables an organization to monitor risk and regulatory obligations while providing oversight and governance. Done well, it is a sustainable capability that can proactively pivot as required to address an increasingly complex and evolving risk and regulatory landscape. 


Your cyber risk appetite defines the amount of cybersecurity risk that’s acceptable to your organization as part of normal business operations. What is your risk appetite?

The goal of both the cybersecurity program and GRC is resilience, and resilience begins at the asset level: you cannot protect, recover or measure what you cannot see. Asset visibility is therefore key to ensuring adequate security of information.

Find What Matters - Secure What Matters – Measure What Matters


CYBER RISK MANAGEMENT

Proactive cyber risk management is necessary to stay ahead of the complex threat and risk environment we find ourselves in today. Traditional risk assessment processes can be applied to cyber, while integrating cyber resilience techniques can help companies proactively monitor and mitigate cyber risks.


TRADITIONAL RECOVERY VS CYBER RECOVERY

Traditional disaster recovery relies on resilience and replication, and the more tightly the primary and recovery data centers are replicated, the greater the risk that malware or malicious code (ransomware in particular) propagates from the primary site into the recovery copies before the attack is detected. Cyber resilience therefore adds advanced recovery strategies, including controlled replication technologies and air-gapped cyber data vaults, to protect critical data from that propagation.


Cyber vaulting solutions provide tools for backing up and storing critical data sets in a separate (air-gapped) environment and maintaining immutable copies of highly important and/or sensitive digital assets. Examples of critical data sets include:

  • Golden OS build images
  • Proprietary source code for mainframe and distributed applications
  • Active Directory and privileged user credentials
  • System configurations and virtual machine snapshots for critical systems
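A vault copy is only useful if, at restore time, you can prove it still matches what was vaulted. The following is an added example of that check, not code from the original page or from any vaulting product: it records a SHA-256 manifest of a vaulted data set, later verifies a copy against that manifest, and flags files that were modified, removed or added. The file names, manifest layout and the constructed tampering scenario (a golden image overwritten and a ransom note dropped, as a replicated, non-immutable copy might look after an attack) are assumptions for illustration.

```python
"""Verify that a copy restored from a cyber vault is byte-identical to what was
vaulted, using a SHA-256 manifest taken at vault time.
Added example; manifest format and file layout are assumptions, not a product's API."""
import hashlib
import json
import os
import tempfile


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large golden images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Walk a vaulted data set and record relative path -> {size, sha256} for every file.
    Paths use '/' so the manifest is portable between vault and restore hosts."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    return manifest


def verify_against_manifest(root: str, manifest: dict) -> dict:
    """Compare a copy under `root` against the vault-time manifest.
    Any modified, missing or unexpected file means the copy is not the immutable original."""
    current = build_manifest(root)
    modified = sorted(p for p in manifest
                      if p in current and current[p]["sha256"] != manifest[p]["sha256"])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {
        "ok": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


def demo() -> dict:
    """Constructed scenario: vault a small data set, verify it clean, then tamper with
    the copy the way ransomware would and confirm the verification catches it."""
    with tempfile.TemporaryDirectory() as vault:
        os.makedirs(os.path.join(vault, "golden-images"))
        with open(os.path.join(vault, "golden-images", "base-os.img"), "wb") as f:
            f.write(b"\x00" * 4096)                      # constructed stand-in for a golden image
        with open(os.path.join(vault, "ad-config.json"), "w") as f:
            json.dump({"domain": "corp.example", "dc": ["dc1", "dc2"]}, f)  # constructed config

        manifest = build_manifest(vault)                 # taken when the data set is vaulted
        clean = verify_against_manifest(vault, manifest)

        # Simulated attack on a copy that was NOT immutable: image overwritten, note dropped.
        with open(os.path.join(vault, "golden-images", "base-os.img"), "wb") as f:
            f.write(b"ENCRYPTED" * 512)
        with open(os.path.join(vault, "README_RESTORE.txt"), "w") as f:
            f.write("pay us")
        tampered = verify_against_manifest(vault, manifest)

    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest must itself live inside the vault (and ideally be signed) so an attacker who reaches the replicated copy cannot rewrite the hashes along with the data; a manifest stored next to the primary data proves nothing.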

CRISIS MANAGEMENT INTEGRATION

To strengthen overall resilience, it is important to integrate incident management into the crisis management function and its associated program, which addresses both physical and cyber incidents, including:

  • Disruption to critical technology or data
  • Disruption to critical processes
  • Disruption to critical facilities
  • Disruptions to communications infrastructure
  • Disruptions to power or other critical services

Example Crisis Management Team Structure

A Crisis Management Team (CMT) is comprised of a cross-functional mix of senior leadership and provides strategic direction and management for dealing with a crisis event. The CMT is responsible for high-level decision making while assisting the tactical response teams in determining the event impacts, providing resources to aid in the tactical recovery, and coordinating with the media, regulators, and public authorities, as applicable.


IN SUMMARY

  • Increased cyber resilience is achieved through the integration of traditionally siloed activities including risk management, cybersecurity, business and technology resilience/recovery, and crisis management.
  • Proactive techniques such as cyber threat hunting can help organizations increase visibility into potential threats and attack vectors. The MITRE ATT&CK framework can be leveraged to structure threat hunting activities.
  • Technical analysis of the attack should be built into the cyber incident response process, so that lessons learned feed back into mitigating vulnerabilities and risk.
  • Traditional disaster recovery techniques are often not sufficient to protect critical digital assets against cyberattacks. Strategies to store air-gapped, immutable copies of critical assets should be considered to enhance recovery solutions.
  • Crisis management plans should be integrated into overall resilience processes to ensure escalations are appropriately handled and communications are effectively managed.
  • Risk and resilience processes should be measured and monitored through an effective Governance, Risk and Compliance (GRC) program.

Contact

Eric Chan - Director, Cybersecurity 


Eric is the Director of Strategy and Risk for MorganFranklin Consulting's Cybersecurity Practice and the Practice Leader for Vaco Risk Advisory Services. Eric has over 15 years of Risk Management leadership experience helping companies navigate complex regulatory environments while providing comprehensive operational, information technology, and information security risk management solutions. He offers extensive experience operating in all three lines of defense, including at several of the country's largest financial institutions, with significant subject matter expertise in IT Governance, Infrastructure, Information Security/Cybersecurity, Data Protection, Enterprise Risk Management and Vendor/Third Party Risk Management, Compliance (including AML/BSA/KYC Compliance), Finance & Accounting, and Capital Planning. Prior to joining Vaco/MorganFranklin, he spent over 10 years at Fifth Third Bank and served as a Senior Audit Manager II, VP. 
