In an era of complex, hybrid infrastructures, strengthening a company’s defences is crucial for IT security. But what does cyber resilience mean and how can companies become cyber resilient?
Text: Andreas Heer, Pictures: Swisscom
May 15, 2023, updated on 05.09.2024
In the ‘old’ world, the primary job of IT security was to protect the local infrastructure within the perimeter from attacks. Developments in technology and society, such as the cloud and home working, mean that these boundaries no longer exist. Hybrid environments and IoT devices increase complexity, thus expanding the potential area of attack for cybercriminals, due to configuration errors or security vulnerabilities for instance. As Swisscom’s Cyber Security Threat Radar establishes, this increases the risk. At the same time, the number of cyberattacks is rising all the time, particularly those using ransomware. However, in some industries, espionage and sabotage are also (cyber) issues.
In light of the above, IT security has undergone a paradigm shift. “Assume breach” is today considered a probable scenario. And if the attacker has already infiltrated, then a different defence scenario is needed. Business-critical systems require defences to safeguard their ongoing functioning in the event of a successful cyberattack. The corresponding risk management and IT security measures are referred to collectively as cyber resilience.
“Cyber resilience covers all phases of the NIST Framework,” says Duilio Hochstrasser, Cybersecurity Specialist at Swisscom. “But it goes beyond purely technical measures and extends to a company’s organisation and culture.” If you’re experiencing a sense of déjà-vu reading this, you should know that cyber resilience is not a novel concept for IT security. Rather, it is a strategic, focussed approach that incorporates the current realities and best practice. The growing complexity and increasing threat level have strengthened the importance of this approach and resulted in the term “cyber resilience”.
Business operation needs form the basis for strengthening a company’s cyber resilience. “Companies must identify in advance the processes and systems that need to continue to run following a cyberattack, from which the security measures can be derived,” says Duilio Hochstrasser. This corresponds to the first phase of the NIST Framework (“Identify”).
Risk management is also integrated into these considerations. How can I mitigate risks? Which technical and organisational measures need including in the Business Continuity Plan (BCP) in order to maintain operations? What are the alternatives if business-critical infrastructures fail?
“Security has become a selling point for applications.”
Duilio Hochstrasser
This is used as a basis to determine the necessary protection measures. There is now a greater focus on security within lifecycle management. “Security by design” describes measures implemented during the early phases of software development or procurement. “Shift left” and DevSecOps are key concepts or approaches for incorporating security aspects at an early stage of software development.
Since “log4shell” and “xy”, there has been a greater focus on the supply chain. According to Duilio Hochstrasser, there needs to be transparency about the libraries used in order to reduce the risk of supply chain attacks. He adds, “Companies are demanding greater transparency from suppliers. Security has become a selling point.” Knowing whether your own software is affected by a newly discovered vulnerability in a library will significantly simplify the decisions around protective measures.
While technical measures primarily reduce the extent of the attack area or facilitate a rapid, targeted incident response thanks to transparency, employees can also prevent cyberattacks. This is particularly true in the case of attacks that start with phishing emails. Employees with an awareness of cybersecurity are less likely to fall into the trap. “Communication and regular, targeted awareness training are essential to improve resilience,” notes Duilio Hochstrasser.
But on its own, phishing training is not enough. Employees also need to know where to report security incidents. This requires appropriate communication. And a corporate culture that makes security an important issue and discusses it. It is not simply about recognising phishing emails but also about the proper handling of data.
It is particularly important to understand the right way to handle sensitive information in cloud storage, such as SharePoint. For instance, document classification rules can serve to ensure that confidential information is automatically encrypted and access to it restricted. Provided that employees have handled the information correctly, cybercriminals will then be prevented from exfiltrating confidential data.
Technical protective measures, risk management tailored to business needs and observant employees are the ingredients for successful cyber resilience. However, this is not new. Instead, it is an important logical and strategic further development of cybersecurity that is designed to increase the maturity of cyber defence.