There is no question that business continuity is a priority for every organisation, public or private, regardless of its size or industry.
The challenge, and often the lower priority, lies in what is required to maintain business continuity. In today’s digital and technology-dependent business landscape, cyber resilience is the technology backbone of business continuity, given how heavily businesses rely on technology to operate and the ever-increasing threat of cyberattacks: 1 in 2 IT and Security professionals believe attacks will increase by over 50% in 2024 compared to 2023, according to Cohesity’s latest research.
Cohesity recently released a number of data insights from the Australian cohort of respondents to the 2024 Cohesity Global Cyber Resilience Report, which polled 502 IT and Security decision-makers (split as close to 50:50 as possible between the two groups) and was conducted by Censuswide from late June to early July. The research revealed that 79% of respondents were ‘completely’ or ‘mostly’ confident that their ‘organisation’s cyber resilience strategy addresses today’s cyber challenges and threats’. On the face of it this seems fair, given the budgets spent on cybersecurity and security posture over the past decade or more.
However, the unfortunate reality for organisations is that we no longer live in the world or digital landscape of a decade ago, where cyberattacks and data breaches were an ‘if’ scenario; they are now a ‘when’ reality. This has played out over the last few years in a growing list of household-name Australian and international companies succumbing to cyberattacks or data breaches, even though many had deployed best-in-class technology and/or adopted best practices in cybersecurity and data protection. This begs the simple question: why? The answer is complex, given the variables of each organisation’s size, technology infrastructure, the data it holds, its public profile, and the revenue it creates. What is simpler is the solution: cyber resilience.
So what is cyber resilience? Put simply, it is the ability to continue delivering organisational outcomes despite suffering an adverse cyber event. This means continuing to serve customers, delivering citizen services if the organisation is government-run, and generating revenue despite an adverse cyberattack or incident. In practice this may sound easy or difficult depending on your organisation’s capabilities and processes, but that does not change the fact that cyber resilience is one of the most significant influences, if not the most significant, on organisational continuity.
Cyber resilience should be thought of as a fluid state or modus operandi that must be established and constantly maintained, because it is not a capability that can be bought ‘off the shelf’ or retro-fitted after a cyberattack or data breach. Organisations that deprioritise establishing or maintaining cyber resilience are setting themselves up for failure when a cyber incident occurs, because malicious actors have a greater incentive to innovate and act, driven by the immediate financial gains they can realise through ransom payments, and they prey on organisations that are unprepared.
Recovery & Restoration Realities Challenge Cyber Resilience Efficacy
According to Australian respondents in Cohesity’s Global Cyber Resilience research (to be released in a few weeks’ time), not only did 93% say their company would pay, or would consider paying, a ransom depending on the amount, but 1 in 3 (34%) said their company would be willing to pay over US$3 million. When asked if their organisation had paid a ransom in the last year, over 1 in 2 (54%) said they had, with 30% having paid a ransom of between AU$750,000 and over AU$15 million.
Worse still, the impact of a successful ransomware attack is not limited to the ransom payout alone: reputational damage, loss of public trust, and remediation costs (which can be over ten times the ransom demand, according to Gartner) are also likely, and regulatory penalties and class action lawsuits for breaching data privacy laws are a further possibility.
Organisations often pay ransoms, or are open to paying them, because they struggle to remediate, recover data, and restore business processes when they suffer a cyberattack. The research findings revealed that not only had 60% of respondents been the victim of a ransomware attack in the last six months, but only 5% said they could recover data and restore business processes within 24 hours; 19% need 1-3 days, 36% need 4-6 days, 30% need 1-2 weeks, and 10% need 3 weeks to 2 months to recover and restore. This is despite 97% saying their ‘targeted optimum recovery time objectives (RTO) to minimise business impact in the event of a cyberattack or incident of compromise’ was within one day.
Realistically, there are probably few organisations that could keep their customers happy, suffer no revenue loss or share price drop (if listed), and maintain their current reputation through outages of that length. For the majority of organisations, recovery and restoration speeds unfortunately do not match what is required to be cyber resilient.
In fact, 93% of respondents said their organisation’s ‘tolerance to disruption of business continuity, including usual business or operational processes, and downtime due to a cyberattack or data breach’ was over a day, and of this cohort 62% said between 4 days and 2 weeks. Again, there are few private or public organisations, if any, whose customers or constituents would consider such lengthy periods of disruption and downtime acceptable.
Creating & Enhancing Cyber Resilience
So how can organisations assess, establish, or enhance their cyber resilience? Cyber resilience underpins an effective cybersecurity strategy and security posture because, when cyber resilience becomes the objective instead of compliance with a specific framework, published standard, law, or regulation, the focus shifts to conducting business securely. This in turn redefines what an organisation’s intended security posture needs to address so that it can continue functioning during an adverse cyber event. Think of it like planning for a power outage: what operations can continue on a generator or battery? What must be done to restore power? Who is responsible for restoring it?
When it comes to cyber resilience, organisations need to establish where their data security, protection, and recovery gaps exist. Being able to answer the following questions is essential:
Cyber resilience may seem unattainable and incredibly challenging to create or maintain. However, in today’s digital business environment and cyber threat landscape, there is no doubt it offers assurance and even a competitive advantage. The best place for organisations to start is by examining their current state of cyber resilience: whether they truly understand and have visibility of their data estate; assessing not just their cybersecurity capabilities but their data security and data protection capabilities; and regularly simulating a ‘start to finish’ recovery of business-critical data. Collectively, this will not only create or enhance cyber resilience, it will create or strengthen the backbone of their business continuity.