Keeping Score with Digital Resilience
The Inevitability of Cyberattacks

With the seemingly endless run of cyberattacks and the crippling damage they can do to profits and consumer trust, enterprises have to start thinking, “It’s not a matter of planning for if we get attacked, but a matter of planning for when we get attacked.” Cybersecurity professionals like RedSeal CEO Ray Rothrock share this view. In his book, Digital Resilience: Is Your Company Ready for the Next Cyber Threat?, Rothrock states that the nature of a security threat against the digital network of a business is summed up by two facts: breaches are so highly probable that, in the long run, they can be considered inevitable, and they come at great expense of time, worry, and reputation.

Adopting this perspective means that businesses have to expect the worst and, if an attack does happen, have designated measures and tools in place to realistically react to and counter it, protecting their information and livelihood. It also means that the answer to defeating cyberattacks is neither staying offline nor building a flawless, fool-proof security system that no attack can penetrate.
The Myth of “Bullet-Proof” Cybersecurity

The answer, instead, is a security program that keeps a business or organization resilient in the event of an attack. Let’s face it: between the myriad security weaknesses that exist in devices and software, the rapid rate at which threats adapt to security improvements, and the simple arithmetic of probability, it is not realistic to say that a cyberattack will never happen to a business, or that any security program can defeat attacks with 100% certainty.

Again, in his book, Rothrock explains that “no means of protection is bullet-proof,” since all security strategies are “inherently and inevitably flawed because the vulnerabilities of digital connection are inherent and inevitable.” Cyberattack risk comes with having an online presence, which has become a necessity today for business and personal purposes.

Businesses need to minimize the risk of attack and know how to recover effectively if a breach or loss occurs. Resilience is a quality a company needs not only to perform well but to survive, period. Nowhere is this more true than in cybersecurity, where digital resilience is a must-have. Rothrock asserts in his book that “Once we accept the risk-reward trade-off of digital connectivity, our next step is to survive—and even thrive—under attack. Digital security is an incomplete answer. Digital resilience completes the answer.”
Understanding Digital Resilience

The first step in establishing strong digital resilience is recognizing that managing cybersecurity risk is not solely the IT department’s responsibility. Because these risks can enter a company through any department and affect the entire business, especially its bottom line, they should be treated as business risks that every employee and department, and above all top management, must be aware of and work to reduce. Reinforcing this point in Digital Resilience: Is Your Company Ready for the Next Cyber Threat?, Rothrock explains that “Whereas digital security is about security, digital resilience is about how you do business in today’s intensively interconnected environment. It is not confined to the realm of IT specialists, but is a whole-business strategy.”
Keeping Score

Once all team members understand what digital resilience is and what it is not, the next step is to implement a system or method that lets the company measure and evaluate its level of digital resilience. This system must be one that every involved party can use and understand, so that each gains insight into the company’s security posture and their own role in it, and so that it closes communication gaps on resilience matters between the IT department and other departments, particularly the C-suite. One tool many companies use to meet this need is a digital resilience score. Much as a credit score is derived from several kinds of financial data, a digital resilience score is calculated by gathering information about different aspects of a company’s security, such as server configurations and software vulnerabilities, quantifying each factor, and combining the results into a single number that gauges the organization’s digital resilience, that is, its ability to withstand and recover from a cyberattack. A practitioner should treat the composite as a summary rather than a substitute for detail: the underlying factor values, and the specific assets that drive them, are what tell the security team what to fix. One example of such a system is the Digital Resilience Score developed by RedSeal.
RedSeal Digital Resilience Score

According to RedSeal, a company should concentrate on three areas for strong resilience to cyberattack: how easy it is to attack the company, how well prepared the company is for an attack, and how well it can rebound from one. The RedSeal Digital Resilience Score focuses on three factors:
- Weaknesses – RedSeal assesses defects in improperly configured devices and in third-party software that are easy for attackers to exploit.
- Structure – RedSeal also examines how the organization’s network is laid out, looking for pathways that give attackers easy entry points through which to reach and steal valuable assets.
- Thorough understanding – Lastly, RedSeal examines how well a company knows its own digital infrastructure, so it can manage its network assets and be aware of the points an attacker could reach. It does this by looking for previously unknown areas of the network.
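To make concrete how the three factors above, and the single composite score described under Keeping Score, can be turned into numbers, here is a constructed example in Python. It is added here and is not RedSeal’s code or scoring formula: the host inventory, the permitted-connection graph derived from firewall rules, the definition of an “easy” path (one an attacker can traverse using only hosts with known weaknesses), the scan result with unknown addresses, and the weights are all assumptions made for the illustration. It scores the same small network twice, before and after a stray DMZ-to-database rule is removed, so the effect on each factor is visible.

```python
"""Toy composite resilience score built from three measurable factors.

Constructed illustration only: the inventory, the permitted-connection
graph, the rule for what counts as an "easy" path and the weights are all
assumptions made for this example, not RedSeal's scoring method.
"""
from collections import deque

# Constructed inventory: host -> True if it carries a known, exploitable
# weakness (unpatched third-party component, default credentials, ...).
HOSTS = {"web01": True, "web02": False, "app01": False, "db01": True, "mgmt01": False}
CRITICAL = {"db01"}

# Constructed permitted connections derived from firewall rules, as
# (source, destination) pairs. "untrusted" stands for the internet-facing zone.
EDGES_BEFORE = {
    ("untrusted", "web01"), ("untrusted", "web02"),
    ("web01", "app01"), ("web02", "app01"),
    ("web01", "db01"),   # assumed misconfiguration: DMZ host talks straight to the database
    ("app01", "db01"), ("app01", "mgmt01"),
}
# The same network after the stray DMZ -> database rule is removed.
EDGES_AFTER = EDGES_BEFORE - {("web01", "db01")}

# Constructed scan result: addresses that answered but are absent from the inventory.
UNKNOWN_HOSTS = ["10.0.5.17", "10.0.5.23"]

WEIGHTS = {"weakness": 0.4, "structure": 0.4, "understanding": 0.2}  # assumed weights


def reachable(edges, start, allowed_hosts=None):
    """Breadth-first walk over permitted connections from `start`.

    If allowed_hosts is given, the walk may only step onto those hosts; this
    is used to find paths an attacker can take using known weaknesses alone.
    """
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for src, dst in edges:
            if src != node or dst in seen:
                continue
            if allowed_hosts is not None and dst not in allowed_hosts:
                continue
            seen.add(dst)
            queue.append(dst)
    return seen


def factor_scores(edges, hosts=HOSTS, critical=CRITICAL, unknown=UNKNOWN_HOSTS):
    """Return the three sub-scores, each 0..100, higher is better."""
    weak = {h for h, bad in hosts.items() if bad}
    exposed = reachable(edges, "untrusted")
    # Allowing critical hosts as well means any path found uses only weak
    # hosts as stepping stones before arriving at the critical asset.
    easy = reachable(edges, "untrusted", weak | critical)

    # Weaknesses: each weak host costs one point, a weak host reachable from
    # the untrusted zone costs two, normalised against the fleet size.
    penalty = sum(2 if h in exposed else 1 for h in weak)
    weakness = 100 - round(100 * penalty / (2 * len(hosts)))

    # Structure: a critical asset scores 100 if unreachable from untrusted,
    # 50 if reachable only through hosts with no known weakness, and 0 if an
    # attacker can chain known weaknesses all the way to it.
    per_asset = [0 if c in easy else 50 if c in exposed else 100 for c in critical]
    structure = round(sum(per_asset) / len(per_asset))

    # Understanding: share of hosts seen on the wire that the inventory knows about.
    understanding = round(100 * len(hosts) / (len(hosts) + len(unknown)))
    return {"weakness": weakness, "structure": structure, "understanding": understanding}


def resilience_score(edges, **kw):
    """Weighted composite of the three factors, rounded to an integer 0..100."""
    f = factor_scores(edges, **kw)
    return round(sum(WEIGHTS[k] * f[k] for k in WEIGHTS))


if __name__ == "__main__":
    for label, edges in (("before", EDGES_BEFORE), ("after", EDGES_AFTER)):
        print(label, factor_scores(edges), "score:", resilience_score(edges))
```

Running it shows why the sub-scores matter more than the headline number: removing the one rule moves the structure factor from 0 to 50 and the composite from 38 to 58, while the weakness and understanding factors do not change at all, because the two weak hosts are still present and still reachable, and the two unknown addresses are still undocumented. The composite alone would not tell you which of the three areas improved.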