Cyber resilience is more than cybersecurity

Issue 6 2022 Information Security, Integrated Solutions, Infrastructure

Cybersecurity has reached the stage (much like other forms of crime in South Africa) where we hear of breaches, even those that could include our personal information and make us targets of identity theft and other crimes, but we see it more as background news. The sheer number of breaches is staggering, numbing us to the reality of cyber risks.

Most organisations see cybersecurity as something you install or a service you pay for, such as a next-generation firewall (NGFW) or a managed cybersecurity service. And while these solutions and services are critical to organisational and personal information security, they are not the proverbial ‘silver bullet’. The monster of cybercrime is far more insidious and there are very clever people making millions from various forms of malware. (Unless otherwise noted, in this article we use ‘malware’ as a catch-all for all forms of malicious software, from viruses to Trojans as well as ransomware, and even hacking, etc.)

Cyber resilience is the new game in town in the cybersecurity world. Just as resilience is defined in the traditional business continuity and disaster recovery world, it includes protecting your digital assets, mitigating risks to prevent attacks from succeeding, and also the ability to recover when you are hit by malware. And all the people mentioned below in our round-table discussion agree that it is a case of when you are attacked, not if.

Our cyber resilience expert panel included:

• Roy Alves from J2 Software.

• Edison Mazibuko from DRS.

• Craig Rosewarne from Wolfpack Information Risk.

• Hayden Sadler from Infinidat.



So, what is cyber resilience?

Sadler, who heads up Infinidat’s storage business in Africa, says cyber resilience requires organisations to focus on their whole digital infrastructure: not only networks and servers, but also their storage systems, as this is where the ‘lifeblood’ of organisations resides – their data. This must include their primary as well as secondary storage systems, as attacks no longer focus only on the business’s production data, but also on its backups.

This is especially pertinent in the ransomware arena, where criminals try to infect backups as well to prevent organisations from simply restoring their backups and carrying on without paying the ransom demands.

Alves is responsible for revenue at J2 and therefore speaks to customers regularly. He says the sophistication and number of attacks are getting worse in five primary areas which a cyber resilience programme must cover:

1. Email is the primary attack surface.

2. Data, as Sadler noted, is also being targeted aggressively.

3. Hardware, from servers to end points.

4. The Internet is naturally also a regular target through various techniques, from web apps to DNS attacks and more.

5. Users are also great attack surfaces, primarily those who don’t have the training to recognise and handle threats. However, malicious users who steal and sell information, plans or customer databases and so forth, are also a growing threat.



Wolfpack focuses on the cyber risks from three perspectives: country, company and community. In the community space, the company does a lot of pro bono work to assist people (https://alertafrica.com/), with its primary business focused on the corporate space. In the cyber resilience space, Rosewarne says that companies and countries generally have defences in place (just as in the physical world), but when those defences are breached you need to have resilience plans in place, such as incident response, business continuity and disaster recovery. In other words, bouncing back after an attack.

DRS is a cybersecurity provider and Mazibuko explains that cyber resilience is a subset of business resilience in that companies need to be able to adapt and operate in a changing world. Whether it’s supply chain issues or ransomware, resilience means you are prepared to deal with the problem and continue operations with as little disruption as possible.

While DRS supports the NIST cybersecurity framework of identify, protect, detect, respond and recover, Mazibuko notes that this is not always a successful approach as there are almost endless possibilities of where attacks can come from, some of them completely unknown. He therefore focuses on making the framework relevant to customers and advises them to assume they will be hit (or are already compromised) and need to know how they will continue operating from there.



More than IT

Mazibuko continues by making the point that a cyber resilience programme requires multiple stakeholders from all parts of the business, not just the IT department. Some of the more cyber-mature organisations out there have even made this a part of their governance process that is driven from the top. However, there is still a big gap between the levels of cyber maturity in organisations, and work needs to be done to raise awareness and capabilities in this field.

Alves breaks it down into the enterprise, commercial (sub-1000 seats) and SME spaces. At the enterprise level there is a general awareness and proactive work being done because they have the requisite number of people to rely on for their cyber governance. In the commercial space there are some elements of cyber preparedness that are well managed, while other areas are neglected – naturally this depends on the specific company. Those commercial entities that are governed by regulatory or fiduciary requirements are more focused on cyber resilience as a standard.

The challenge appears in the SME space. These companies generally don’t have a dedicated cybersecurity department or skillset. These companies often rely on service providers, many of which are good at what they do from an IT perspective, but simply add cybersecurity in as an additional offering without having specific skills to understand the customer’s business and create an effective security posture.

It’s in the SME space that J2 sees most of the ‘action’ as these companies are “easy pickings” when it comes to cyber exploitation. Alves explains that cyber exploitation is not always some expert hacking attempt or ransomware, but includes fraud – sending emails that appear to come from a manager to pay a fake invoice, for example.

Elements of cyber resilience

As noted, cyber resilience is not about installing the latest antivirus software or firewall; it consists of various integrated elements that together produce a programme to defend and eventually recover. Sadler has four pillars for the storage aspect of cyber resilience.

These pillars are:

1. Immutable snapshots of primary and secondary storage.

2. A virtual air gap between the snapshots and production infrastructure.

3. A secure test environment to recover and test snapshots before restoring them.

4. The ability to rapidly recover from cyberattacks or hardware failures (it doesn’t help if it takes days or weeks to recover from a severe incident).

Businesses are also inclined to deflect the responsibility for anything cyber to the people with the expert skills, says Rosewarne. While these skills are definitely required, the business depends on its data and IT systems to function effectively, and if they are compromised this will have significant implications in terms of operations, finances, reputation, etc.

So, while not everyone needs to be an expert, everyone needs to be involved and aware of the potential impacts. As a starting point, Rosewarne recommends the old 80/20 rule: identify the 20% of your data and processes that are most critical and get on to protecting that. Of course, this is only the starting point.

Mazibuko echoes this, stating that people, processes and technology make up the key elements of cyber resilience. This means you need to get the right people on board, whether these are direct employees or managed service providers, who are able to understand the risks and improve the company’s overall security posture.

In terms of technology, there are many good solutions available and the competition in the space means all the options out there offer similar functionality. So, while you don’t have to get the most expensive systems available, a company needs to create multiple layers of security to ensure it is protected if one layer is breached.

The processes are key and Mazibuko believes they make up the glue that holds the people and technology together. He recommends the NIST framework (www.nist.gov/cyberframework) as a starting point for designing processes that ensure cyber resilience. As mentioned above, the framework includes:

Identify: You can’t protect what you don’t know about, and it is important to gain business context as part of the identification process.

Protect: Once you know what you have and how critical it is for business operations, it needs to be protected using the relevant technologies.

Detect: The ability to detect intrusions, attempted intrusions and other potential issues is key, and depends on how well you have done the first two phases. Detection is more than simply responding to every alert, just as it is in the physical security world; you also need the ability to verify and ensure you prioritise real threats, especially to the key areas of your business.

Respond: Incident response plans and the processes involved in dealing with attacks follow, again dependent on planning and how well the first three phases have been done.

Recover: With all that in place, if you can’t detect and prevent a breach, a business will then need the ability to recover effectively (such as via immutable snapshots) throughout the whole business lifecycle.



Dealing with ransomware

While cyber threats extend beyond ransomware alone, this is one of the primary attack mechanisms used today because of its profitability to the cybercriminals. When it comes to breaches, the average time to detect and rectify a breach sits at over 200 days at the moment, which means that ransomware will have ample opportunity to damage backups as well.

The ideal is obviously to be able to detect and prevent, or at least stop such an attack before it compromises your systems to the extent that you need to do a full restore. Sadler explains that by making immutable snapshots of your data over the course of the day, changes or anomalies can be detected (such as encrypted data that can’t be de-duplicated or compressed) and the relevant response initiated.
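The detection signal Sadler describes can be shown with a short added example (not code from Infinidat or any panellist): encrypted data neither de-duplicates nor compresses, so the data-reduction ratio of a snapshot collapses compared with the previous one. The block size, the use of zlib, the 50% drop threshold and the sample snapshots are all assumptions made for this sketch.

```python
import hashlib
import random
import zlib

BLOCK = 4096  # assumed dedup block size for this sketch


def reduction_ratio(snapshot):
    """Logical bytes divided by bytes left after block dedup + compression."""
    logical, stored, seen = 0, 0, set()
    for data in snapshot.values():
        for off in range(0, len(data), BLOCK):
            block = data[off:off + BLOCK]
            logical += len(block)
            digest = hashlib.sha256(block).digest()
            if digest in seen:  # duplicate block: stored only once
                continue
            seen.add(digest)
            stored += len(zlib.compress(block))
    return logical / stored if stored else 1.0


def flag_anomalies(ratios, max_drop=0.5):
    """Indices of snapshots whose ratio fell by more than max_drop
    relative to the snapshot taken just before them."""
    return [i for i in range(1, len(ratios))
            if ratios[i] < ratios[i - 1] * (1 - max_drop)]


def high_entropy(n, seed):
    """Constructed stand-in for encrypted file contents (random bytes)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample data: three snapshots of the same two files.
morning = {
    "ledger.csv": b"2022-06-01,invoice,1000.00,paid\n" * 4000,
    "report.txt": b"quarterly report draft\n" * 3000,
}
midday = dict(morning)  # normal business change: a few appended rows
midday["ledger.csv"] += b"2022-06-02,invoice,250.00,paid\n" * 10
# Afternoon: same file names and sizes, contents no longer reducible.
afternoon = {name: high_entropy(len(data), seed)
             for seed, (name, data) in enumerate(midday.items())}

RATIOS = [reduction_ratio(s) for s in (morning, midday, afternoon)]
ALERTS = flag_anomalies(RATIOS)

if __name__ == "__main__":
    for label, ratio in zip(("08:00", "12:00", "16:00"), RATIOS):
        print(f"{label} data reduction {ratio:8.1f}:1")
    print("snapshots to investigate:", ALERTS)
```

Because the earlier snapshots are immutable, the last snapshot taken before the flagged one remains a clean restore point.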

In the prevention category, Alves notes that there are ways in which companies can make it harder for ransomware to gain a foothold in the first place. For example, enabling two-factor authentication (2FA) is a relatively easy option that can significantly add to your overall cyber resilience. Sometimes it’s the little things that make a big difference.

Awareness training is also key to prevention. If users understand the threats they may face and how to deal with them, this can assist in reducing the risk of one of the biggest threat areas at the moment, which is email, better known as Business Email Compromise (BEC). J2 assists in this by launching simulated phishing attacks on customers, with associated training for those who fall for the fake email. This results in dramatically reduced numbers of employees falling for these scams.

This training also helps people and their families at home with more knowledge of the threats in our digital world. Rosewarne says Wolfpack’s community service (https://alertafrica.com/) has seen some drastic cases of people being defrauded or having their identities stolen – the alertafrica.com site exists in order to provide education and assistance.

The key to educating people, Rosewarne advises, whether it’s your kids or employees, is to incorporate the training in an effective change management process. In a company scenario, making rules or setting processes generally leads to people switching off and doing what they can to avoid what they consider to be the additional hassles you’re putting in their way. Effective change management (making it personal and real) allows them to understand the risks and implications of these threats and makes them part of the detection and prevention process.

It’s also worth remembering that cyber resilience and cybersecurity are a process. Alves notes that you can’t solve every problem in one day or with one training video; it is a process and quite often the road to a good security posture includes many simple processes and habits that have a significant impact.

For more information contact:

• DRS, +27 11 523 1600, www.drs.co.za

• Infinidat, www.infinidat.com

• Wolfpack Information Risk, +27 11 794 7322, www.wolfpackrisk.com


© Technews Publishing (Pty) Ltd. | All Rights Reserved.