Cyber resilience requires a multi-layered approach to be effective
As organisations increasingly focus on building resilience in the face of a shifting threat landscape, one of the key areas of concentration is the technology environment, including the data stored on the IT systems. Making the cyber environment resilient must be seen as a priority given its importance, says Al de Brito, Senior Consultant: Advisory Services at ContinuitySA.
“No organisation these days can run without access to its systems and data. It is thus imperative that both are not only protected as well as possible but that they can be recovered as quickly as possible,” he says. “The cyber threat landscape is so fluid and fast-moving that it’s impossible to identify the most likely threats 100%—it is essential that the IT systems and the data they contain are rendered resilient in order to ensure that they can be recovered even when an unplanned-for event occurs.”
The Business Continuity Institute’s Horizon Scan for 2019 found that cyber-attack and data breach were the top threats for the coming 12 months—a clear indication not only of the nature of the threat landscape but also the importance of this area of any business.
To build cyber resilience, Mr de Brito says, a multi-layered approach that encompasses people, processes and technology is required.
“Traditional cybersecurity approaches remain important but they have typically tended to be seen in isolation. That approach is not sustainable because IT is integrated into the business itself—the two cannot be uncoupled,” he explains. “That’s why King IV has made technology and information governance a priority of the governing body.”
Principle 12 of King IV reads: “The governing body should govern technology and information in a way that supports the organisation setting and achieving its strategic objectives.”
In practice, the board and executive team are responsible for setting the strategy, while senior and middle management decide how the strategy should be implemented. Lower management and administration are tasked with the actual implementation, which obviously affects all employees.
“Everybody has to know what the security policies are, and take responsibility for adhering to them,” he says. “In addition, by building a security culture, employees become essential front-line ‘troops’, because they are best placed to spot any suspicious activities.”
People ultimately control both the technology and processes, so they are essential to building true cyber resilience. It is important that the organisation drives a mindset change as regards security generally, and cybersecurity in particular, based on awareness. Everybody needs to understand the psychological nature of the threat, and also what their individual roles and responsibilities are in the event of an incident.
“This kind of holistic approach can help create a resilient organisation that can protect against, detect, respond to and recover from any cyber threat,” he concludes.