“Organisations should have a clear and well understood incident response plan within their business continuity plan,” he says.
“Isolation of backups, as an example, with no access from production networks at any time in the backup process is critical, as is immutability of backup data and comprehensive intelligence into the backup data sets.”
They also need to test the recovery of those systems and data during simulated attack exercises.
Backup and recovery is just one aspect of cyber resilience and organisations shouldn’t overlook training employees on cyber safety, because people remain the weakest link.
The federal government is also shifting its cyber security requirements for businesses towards a greater focus on cyber resilience. Examples are the Ransomware Action Plan and the Critical Infrastructure Bill, which sets out how providers of transport, healthcare, food, electricity and other essential services should defend themselves against cyber threats.
Salter says cyber resilience is proving to be a competitive advantage for businesses.
“We’re seeing organisations be able to drive their digital strategies further because they know they can respond and recover,” he says.
“As organisations look to evolve their cyber resilience posture, if you like, they actually end up identifying data management practices that can be evolved which often reduce operational costs. They also get clear on their critical systems and what is truly important to their organisation’s operation.”
Having a close look at where and how its data is housed and protected can also improve an organisation’s overall data strategy and help it make better use of that data.
“Organisations are collecting more data on their customers today. And so how that data is being treated, how long it’s being kept for, how it’s being used starts to be identified better as organisations work through what cyber resilience looks like for them,” Salter says.
“It enables them to determine are they keeping the data for long enough or are they keeping the data for too long.”
Chris Watson, a partner in risk consulting at Grant Thornton, says holding specific cyber resilience certifications will likely prove a competitive advantage for companies.
These include the Australian Prudential Regulation Authority’s Prudential Standard CPS 234, which requires an APRA-regulated entity to take measures to be resilient against information security incidents, and Sarbanes-Oxley (SOX) cyber security compliance, he says.
“If organisations can demonstrate that they’re complying with best practice guidelines or even going above and beyond getting the license, I can see that being a competitive advantage to go from poor XYZ company over the other that doesn’t have it,” Watson says.
But he warns that certification alone doesn’t ensure cyber resilience. Organisations also need their people to have a broad awareness of cyber security, from board members who understand the issue to the staff on the shop floor.
Cyber resilience is about having a layered, defence-in-depth response to cyber security, says Watson.
“It’s around the notion of there’s a reasonable chance you’re going to be breached or compromised in some way. It is literally that old military kind of tenet of defence in depth – keep rebuffing every layer that the person gets into,” he says.
“It’s around how can we build in those defences in all parts of the organisation. And that’s not just from the technology point of view but also with people and processes.”
Part of the response is about defence of data and how quickly an organisation can bounce back from a cyber incident.
Watson says Australian organisations are a mixed bag on their cyber resilience.
Those in highly regulated industries tend to perform well, while many small and medium businesses take the view that they don’t have anything of value which cyber criminals would want.
And there are still many businesses which adhere to the belief that putting up a firewall is enough to prevent them from being hacked.