It’s your reaction to adversity, not adversity itself, that determines how your life’s story will develop.
–Dieter F. Uchtdorf
Resilience (also resiliency; plural resiliencies), per the Oxford Dictionary:
- the capacity to recover quickly from difficulties; toughness.
- the ability of a substance or object to spring back into shape; elasticity.
Last February, just eleven months ago, my blog topic was cyber resiliency for defense contractors. The theme of resilience resonates even more clearly today across all critical economic sectors; Critical Manufacturing is one of the 16 critical infrastructure sectors identified by the US Department of Homeland Security. In the Covid era, we have all become attuned to what is classified as “critical”. The manufacturing workforce figures prominently in this graphic from the Cybersecurity and Infrastructure Security Agency (CISA).[i]
Before looking forward and considering a resolution to be more resilient, let’s look back to where we were in February 2020, according to the World Health Organization’s Situation Report 31:
- The United States confirmed one more case in California, bringing the total number to 16.
- Hong Kong confirmed four more cases, bringing the total number to 69.
- Iran confirmed three more cases, bringing the total number to five.
- Japan confirmed ten more domestic cases, bringing the total number to 94.
- Singapore confirmed one more case, bringing the total number to 85.
- South Korea confirmed 53 more cases, bringing the total number to 104. The first death from the virus was also confirmed.
- Taiwan confirmed one more case, bringing the total number to 24.
- Two deaths were confirmed aboard the cruise ship Diamond Princess along with 13 more cases, bringing the total number to 634.
We were unmasked, socially close, but becoming mindful — one of the skills associated with resilience from an individual/psychological perspective. Those skills translate well into organizational/cybersecurity terms:
Cybersecurity resilience is just one aspect of overall business resilience through effective risk management, as illustrated in the modified NIST graphic pictured below. (Thank you to Jeffrey From, deputy director at Nevada Industry Excellence, for pointing out to me that product safety is another piece of the business risk pie. The 1982 Tylenol-tampering-poisoning spree is just one reminder of the importance of product security, safety, and integrity.)
Need for Resilience
The statistics on business exposure to attacks against information assets, while rarely life-threatening the way Covid is, are shocking[ii]:
- Per University of Maryland: Hackers attack every 39 seconds, an average of 2,244 times per day
- Per McAfee: Hackers steal 75 records every second and create 300,000 new pieces of malware daily
- Cybercrime ($600B/year) is more profitable than the global illegal drug trade ($400B/year)
- More than 6,000 online criminal marketplaces sell ransomware products and services
- Estimated $1 billion annually in ransom payments and $11.5 billion in damages from ransomware attacks
- 65% of cyber-attacks are aimed at small and mid-sized businesses
Compounding the problems created by professional criminals, whose business is breaking into, stealing, and otherwise compromising high-value business (and personal) information assets, are the vulnerabilities introduced by our business colleagues, and even by ourselves.
On the system administration side, gaps in training, implementation, and focus create opportunities for cybercrime. Here are a few of the gaps that business leaders should resolve to address with their internal or external IT team members:
- Unclear or absent policies
- Obsolete IT asset inventory (missing rogue systems that were never registered and ghost accounts that were never disabled when their owners left or changed roles)
- Misconfigured hardware/software/accounts (not “fit for purpose”)
- Flat networks, in which all network resources are visible to anyone who has access to the network, whether or not that individual has a “need to know” all of that information, so a single compromised host or account can reach everything
- Role/responsibility confusion vis-à-vis cloud service providers (who patches, who configures, who monitors under the shared-responsibility model)
- Alert fatigue and troubleshooting/reporting overload
From a technology user perspective, the tension between convenience (ubiquitous connectivity wherever and whenever desired) and security often resolves in favor of convenience. This leads users, especially those who work remotely and outside the more structured corporate environment, to rely on shortcuts like the following:
- Predictable, guessable, preferred, and shared passwords
- Default configurations on flash drives and portable devices like smartphones (which frequently do not enable encryption or rigorous privacy settings)
- Unprotected communications channels (e.g., open Wi-Fi networks used with no virtual private network, or VPN)
Resolve to Resilience
Pursuing a New Year’s resolution to incorporate business resiliency as part of a more general organizational business strategy does not need to be painful. By making incremental changes (discrete resolutions rather than disruptive revolutions), organizations can build their capacity to recover from adverse events, similar to how we as individuals develop antibodies to recognize and fight disease. Recommended next steps align with the five functions of NIST’s Cybersecurity Framework: identify, protect, detect, respond, recover.
- Identify. Create an information asset register. Inventory organizational assets, who owns (or controls) those assets, who has access to those assets, what permissions those with access have (i.e., permission to create, add, delete, modify, share), where the assets are located, locations from which those assets are expected to be accessed, and how those assets are protected today. Remember that third parties might have access to—or even control over (in the case of cloud service providers)—those assets.
- Protect. Evaluate the information assets you’ve identified in terms of their sensitivity (both their proprietary nature and the impact to the business if they are unavailable, compromised, or revealed outside the organization), dynamism (how frequently the content changes), and availability (how frequently the content is needed for critical business processes). Use the most highly recommended protective mechanisms: network architecture (segmentation rather than a flat network), secure configuration, robust passwords, multifactor authentication, encryption, backup (with regular restore testing), and safe decommissioning of devices and documents.
- Detect. Use antivirus software; review system activity logs regularly for anomalies; tune firewall rules to reflect expected network traffic; and train employees to report irregular system behavior, including their own inadvertent errors.
- Respond. Develop, implement, and practice an incident response plan that reflects the organization’s recovery time and recovery point objectives (RTO and RPO). Include a communications plan with contact information for updating stakeholders and third-party service providers.
- Recover. After systems are returned to normal (or the new normal, depending on the incident), collect lessons learned and refine system security controls, employee training materials, and incident response plan. Prepare for the next time!
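The following Python script is an added example, not code from the original post, showing how the Identify step (an asset register recording owners, authorized accounts, and the networks from which access is expected) feeds the Detect step (a regular review of log lines for anomalies), and how the same check surfaces the rogue systems and ghost accounts listed under the system administration gaps above. Every hostname, account, subnet, and log line is constructed for the illustration; the syslog-style line format and the three-failure threshold are assumptions.

```python
# Added example (not from the original post): a minimal information asset
# register (the Identify step) cross-checked against constructed
# authentication log lines (the Detect step). Every hostname, account, subnet
# and log line below is made up for the illustration.
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Asset:
    name: str            # hostname as it appears in logs (hypothetical)
    owner: str           # accountable business owner
    access: dict         # account -> set of permissions (create/add/delete/modify/share)
    expected_nets: set   # first three octets of networks users normally connect from


# Identify: the asset register. Anything not listed here is, by definition,
# a rogue system or a ghost account.
REGISTER = {
    "erp-db01": Asset(
        "erp-db01", "finance",
        {"jdoe": {"read", "modify"}, "svc-backup": {"read"}},
        {"10.1.20", "10.1.30"},
    ),
    "cad-share": Asset(
        "cad-share", "engineering",
        {"asmith": {"read", "create", "modify", "delete"}},
        {"10.1.30"},
    ),
}

# Detect: constructed syslog-style lines ("<timestamp> <host> <process>: ...").
LOG_LINES = [
    "2021-01-04T08:02:11 erp-db01 sshd: Accepted password for jdoe from 10.1.20.15",
    "2021-01-04T08:05:42 cad-share smbd: Accepted password for asmith from 10.1.30.7",
    "2021-01-04T08:07:03 erp-db01 sshd: Accepted password for bjones from 10.1.20.99",
    "2021-01-04T08:09:30 cad-share smbd: Accepted password for asmith from 203.0.113.44",
    "2021-01-04T08:10:01 plc-gw07 sshd: Accepted password for root from 10.1.20.15",
    "2021-01-04T08:11:01 erp-db01 sshd: Failed password for jdoe from 198.51.100.9",
    "2021-01-04T08:11:02 erp-db01 sshd: Failed password for jdoe from 198.51.100.9",
    "2021-01-04T08:11:03 erp-db01 sshd: Failed password for jdoe from 198.51.100.9",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+): "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<ip>[\d.]+)$"
)


def analyze(lines, register, failed_threshold=3):
    """Return (finding_type, detail) tuples in the order they are detected."""
    findings = []
    failures = Counter()   # (host, user, ip) -> failed logins seen so far
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            findings.append(("unparsed", line))   # never drop lines silently
            continue
        host, user, ip, result = m["host"], m["user"], m["ip"], m["result"]
        asset = register.get(host)
        if asset is None:
            # A host that authenticates users but is absent from the register.
            findings.append(("rogue_system", host))
            continue
        if result == "Failed":
            failures[(host, user, ip)] += 1
            if failures[(host, user, ip)] == failed_threshold:
                findings.append(("failed_login_burst", f"{user}@{host} from {ip}"))
            continue
        if user not in asset.access:
            # Successful login by an account the asset owner never authorized.
            findings.append(("ghost_account", f"{user}@{host}"))
        if ip.rsplit(".", 1)[0] not in asset.expected_nets:
            # Authorized account, but from a network the register does not expect.
            findings.append(("unexpected_source", f"{user}@{host} from {ip}"))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze(LOG_LINES, REGISTER):
        print(f"{kind:20s} {detail}")
```

Run as-is, the script reports one ghost account, one access from an unexpected network, one rogue system, and one burst of failed logins. Each finding is either a Detect event to investigate or an Identify defect to correct in the register (an unregistered host that is legitimate, or an authorized user connecting from a new office), which is the feedback loop the Recover step asks for.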
With determination, intention, and some measure of good fortune, we can build organizational resiliency.