Many cybersecurity pundits will tell you that it is not a question of whether you will be hacked but when. Cyber resilience is all about planning for contingencies and various levels of failure.
That’s why disaster recovery is also part of any complete plan. Cyber resilience comes down to risk mitigation through planning, preparation, and practice. Let’s call them the “Three Ps.”
P1 — Planning
There is nothing magical about creating these plans; they just require you to think through scenarios and design appropriate responses. The hardest part may be determining what you can realistically plan for. For example, you probably cannot handle a three-day power outage without a generator and other expensive equipment. But that does not mean you cannot manage a server outage, internet outages, or even recover from a ransomware attack.
You may need to think outside of the box a bit. You should consider what information won’t be at hand when you need it in case of server or internet outages. Many businesses keep critical information, from contact lists to AP/AR, only in electronic format. Maybe we need to print some things out and put them in a fire safe. Can you find your passwords if the internet is down? How about sharing designated contact numbers with everyone in case of emergency?
You will also need to identify your “single points of failure” and address them as best you can. A common one is a single internet connection. As with so many things, you will need to evaluate these issues based on how likely they are to occur and what the impact would be on your business. If you are using “business cable” (ask any IT person how much of an oxymoron that one is), you will be a lot more likely to need a failover connection than someone on fiber.
You also need to consider what the impact of that failure would be. If you are entirely cloud-based, run VoIP phones, and have no local data, an internet outage is a critical failure. If you have servers on-premise and can get by without email for a while, an internet outage is not as critical. Your line of business matters too, of course. Very few stonemasons or plumbers will suffer as much from an internet outage as would a call center or most retail establishments.
P2 — Preparation
Let’s move on to preparation to remediate these issues and use a different example, the loss of a local server. If you still run your own server or servers, this is one of the most likely failures you will experience. Modern hardware is very reliable, but we still see failures for reasons beyond the control of you or your IT providers. Keep in mind, server failures are just one of the most likely failures; bad software patches, component failures, and other failures are still real threats to your business continuity.
That is why any security or resilience plan must include the contingency of server failure. And that is why a comprehensive backup plan must include the component of business continuity. You surely know that making frequent, tested (and verified) backups of your data is critical. But the ability to remain productive if a server fails is also critical, so a device that can take frequent “snapshots” of your server and stand in for it in the case of failure is as important as data backup.
You cannot prepare for every failure, but by limiting single points of failure and having plans in place, you are well ahead of the game. Just the act of planning and preparing for potential failures will provide you with highly valuable experience. You should also consider what to do in the case of a loss of your primary site. Why not designate and provision key workers with a notebook and firewall for secure remote work should that be necessary?
P3 — Practice
No matter how well you plan, if you never test, all you have is a plan. Consider how much easier it is to test something without the pressure of a failure or disaster to exacerbate things. Test your failover internet connection: make sure that you have email, that the phones work, and that you have internet access. Test your server failover device or service; take down the live one and see what happens. Test your ransomware recovery or data breach plans. Test your remote work solution. Test anything and everything in your infrastructure that adds value to your business operations.
The final analysis
Cyber resilience comes down to planning, preparation, and practice. Plan for what you can protect against, prepare in advance, and practice your plans. While you cannot protect against every eventuality, and you will always have to live with some risk, the Three Ps will put you on the way to mitigating risk and achieving better cyber resiliency.