The Expert View: designing organisations that are resilient to cyber-threats

Creating a resilient organisation is about more than just protecting your data, said Phil Davies of Rubrik, introducing a recent virtual roundtable event. It is also vital to have a plan for how you recover and to be able to determine whether, in the event of a ransomware attack, data has been exfiltrated.

 

A resilient organisation is one where everyone knows they have a part to play in helping to prevent an attack, and where playbooks are available to guide people in the event of an attack taking place. The briefing’s attendees, senior executives from a range of sectors, agreed that it is a challenging task, and one that different organisations are addressing in different ways.

 

Securing the data

 

One attendee said his company had been creating a live vault: a certified, verified process with live environments that are refreshed every time an application is updated. In the event of a ransomware attack, they would simply be able to move applications from the vault into a clean environment.

 

The challenge, however, is that the malign payload that triggers any ransomware attack may also be in the vault, which would leave them just as vulnerable. The challenge is to be able to interrogate the data before it is restored, and isolate anything dangerous.

 

But the challenge isn’t just technological. Although security specialists will do everything they can to protect the company’s data, it is usually somebody elsewhere in the organisation who will be targeted. Getting them to understand cyber-risk and be able to act as safely as possible is a vital part of creating a resilient organisation. Do they know what constitutes suspect behaviour? Do they know what actions to take if they are targeted in an attack?

 

Communicating the risks

 

Every organisation must balance the desire to be as secure as possible with the knowledge that there is always a risk of falling victim to an attack. That could be because your defences are breached, a person in the organisation makes a mistake or someone within the organisation acts maliciously. No system is perfect, so staff have to be aware of the challenge.

 

The difficulty, attendees said, is that IT people sometimes struggle to communicate the risk. The board doesn’t necessarily understand technical terms, for example, and wants everything expressed in a simple way that they can take in while in a hurry. Other staff members struggle to relate to technological threats.

 

One attendee said she had arranged for someone to physically break into the office to demonstrate the risks of poor security. She said that understanding the threats to physical security actually helped people to consider cyber-security risks. Another tip was to talk about personal cases of cyber-attacks that had affected staff and family members. This often brings home the dangers.

 

Devise a playbook

 

But every organisation needs a plan. All those at the briefing said they had playbooks to work from in the event of an attack. These vary from quite basic and in need of updating to a comprehensive set covering a range of possible situations. Even so, attendees agreed it was impossible to devise a playbook for every possible scenario.

 

But any kind of playbook can help someone to understand how to handle the early stages of a cyber-attack, particularly if the attack comes to light out-of-hours, when it takes time to reach senior people. Attendees agreed that time is of the essence when facing an attack, so any time that such an approach saves will be valuable.

 

As one attendee put it, “speed is the new defence in depth”, which is part of the reason that automation appeals to so many organisations. An automated response can often deal with a threat before human security specialists are even aware of the problem.

 

Achieving and maintaining resilience against cyber-attack is a constant battle, because new threats emerge all the time. To give themselves the best chance of success organisations need to plan ahead and stay co-ordinated.