Skip to content

Cyber Resilience: Why It’s Critical for Business Cybersecurity

Your cybersecurity plan is incomplete without considering cyber resilience.

If you own or operate a business in some capacity, you’re probably already familiar with cybersecurity. You may already have a cybersecurity response plan, know to check tech like plugins and operating systems for updates, or even be running some pentesting. But have you planned for cyber resilience?

If you answered “no,” you’re not alone. Cyber attacks are dramatic and scary, and cybersecurity is all over the news. Not nearly as many people are talking about cyber resilience. In fact, many people don’t even know what it is. But it’s the overlooked third step in keeping your business safe from digital threats. If you want to make sure your company survives the next attack or breach, you need to be thinking about resilience.

What is Cyber Resilience?

The National Institute of Standards and Technology defines “cyber resiliency” as:

The ability to anticipate, withstand, recover from, and adapt to averse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. Cyber resiliency is intended to enable mission or business objectives that depend on cyber resources to be achieved in a contested cyber environment.

That’s a lot of jargon, so let’s simplify it. Here’s a shorter, easier to follow definition:

Cyber resilience is the ability for your business or systems to keep doing the things they’re supposed to be doing, even if they’re currently being targeted by a cyber attack.

Think of it a bit like a backup generator for a house. Getting a generator installed is a homeowner’s “electrical resilience” plan. They get it installed and take the time to keep it working properly. When the electricity goes out, they can switch on the generator. Now, even though the electricity is technically out, they still can turn on lights, keep their house heated or cooled, and make sure the food in their fridge or freezer won’t go bad. Cyber resilience is like having that backup generator, but for the systems and processes that your business needs to keep going.

The metaphor here isn’t perfect – there’s no “cyber generator” you can install that will fix every problem you might have. But you can create cyber resilience by developing systems, tools, and plans that minimize potential risk. It requires planning, proactive management, and being aware of risks, and collaboration between a lot of teams. In the end, you’re all working together to prepare for, respond to, and recover from cyber incidents faster and with less business interruption.

Why Cyber Resilience is Important

In the modern world, it’s not a question of if your business will be targeted by a cyber attack – it’s just a question of when and how. Some business owners assume nobody will target them because they don’t have anything a criminal would want. But whether or not that’s true, it’s completely irrelevant. First of all, if your business has money or access to get money, that’s something criminals want. And second, many cyber attacks aren’t targeted anyway. Some attackers use a “spray and pray” method where they send out huge quantities of attacks with no targeting, see who they catch, and then decide what they can steal based on who they caught. If your business does anything with computers, software, or online resources of any kind, you need a cybersecurity plan, you need a cyber attack response plan, and you need a cyber resilience plan.

Think about what happens if your business is attacked and you’re not cyber resilient. At the very least, you lose money while your systems are down. At the worst, your business manages or provides a service for some kind of critical infrastructure and your systems going down means people die.

Does cyber resilience cost money? Yes – all security initiatives do. But the global average cost of a data breach in 2023 was $4.45 million. And that’s not even counting the damaged trust if your customers or clients find out your operations weren’t secure. Building, for example, a system that’s capable of dealing with millions of malicious requests as well as legitimate ones and not interrupting service to the legitimate ones is a lot more expensive. But it pays off in the long run because a single attack won’t halt your business.

How Cyber Resilience and Cybersecurity Work Together

Cybersecurity is being prepared. It has defenses, develops security systems, prevents bad actors from getting in and catches any that do. Cybersecurity protects infrastructure like your network, hardware, and data. It monitors everything, detects issues, and defends against attacks, intrusions, and incidents. Often there’s a small element of training employees on social engineering attacks, but cybersecurity is mostly tech-focused. Its goal is preventing cyber attacks and protecting your business from phishing, backdoors, DNS tunneling, and other sorts of technical and social engineering attacks.

Cyber resilience supports business continuity – the ability to keep operating, deliver services, or do whatever it is your business does despite a cyber incident. With cyber incidents everywhere, resilience makes sure your company doesn’t shut down, lose business, or interrupt functionality while your security team is resolving it. It also reduces the time required to get set back up after an incident is resolved.

The two concepts have some overlap. They both involve identifying risks that could affect your business and planning to manage those risks. Some of those risks are cyber risks, such as hacking, data breaches, malware, phishing, or business email compromise. And some of the risks are less obvious, such as human error, hardware failure, power outages, or natural disasters. That’s right – while cyber resilience often focuses on what happens if critical tech is taken out by a cyber attack, it can also be extremely helpful in other situations, too.

Cybersecurity, your cyber incident response plan, and cyber resilience all work together in case of an incident. While your security team are getting the hackers out and fixing the tech damage and your legal, compliance, and PR teams are managing the legal and reputational damage, your resilience plan will mitigate the financial and operational damage that an attack can cause.

How to Create a Cyber Resilience Strategy

In order to make your business cyber resilient, you first need to know what kind of risks you’re most likely to experience. Phishing? Malware or ransomware? Data breaches? IP spoofing? Google dorks? Cyber espionage? Disgruntled employees? There are all sorts of different areas where threats could lurk. That’s why it’s important to make this a wide-ranging conversation. Definitely include your IT and security teams. But also include operations managers and other people who understand what your business needs to keep running. It might even be helpful to bring your legal and compliance teams into the conversation. The goal is to bring together people who know what the company needs to do business and people who have the technological know-how to put together systems that can keep business going in a worst-case scenario.

In a perfect cyber resilience strategy, you would never have any downtime. In reality, that’s unlikely. But consider how you can minimize downtime where possible. Talk with your cybersecurity team to figure out what type of attack is most likely to happen in general. Talk with your operations people about what they would need to keep running if this or that system was compromised or offline. From there, you’ll have a better idea of what kind of threats you need to be prepared to mitigate. Once you know what you need to be resilient against, you can start setting up systems and tools to create that resilience.

Sample Techniques for Your Strategy

What techniques you and your company will need depends on a lot of factors. You have certain systems that are critical and certain threats you’re more likely to face, so your strategy will look different from another company with different critical systems and different likely threats. But here are a few elements and techniques that may fit into your cyber resilience plan.

  • Planning ahead. This is essential. If you’re making a plan because a critical system was compromised, that’s not resilience. Know exactly what you need to do before something happens.
  • Strong cybersecurity. Make sure patches are applied and security is in place. Set up strong protections for critical systems with multiple obstacles hackers have to get through to do damage.
  • Monitoring. Your cybersecurity team should already be monitoring for threats. Work with them to get alerts quickly so you can respond quicker to potential threats.
  • Non-persistence. Have your systems retain information or resources only as long as they’re needed. This reduces chances that they can be compromised or corrupted.
  • Restrict privileges. Limit users to only what they need to access to do their jobs. Limit systems to only what they need to access to perform their function. This limits what even a successful compromise can do.
  • Disconnect. Wherever possible, disconnect critical and non-critical services and systems. That way something happening to a non-critical system doesn’t affect critical operations.
  • Redundancy. Have multiple instances of anything critical, and make sure they’re all secure. If one is compromised, you’ll still have access to the others.
  • Backups. Create backups and update them regularly. Keep multiple copies of each backup in separate locations – ideally at least one in hard copy (e.g. on an external hard drive, not a cloud service) and at least one offsite.

Protect Your Business from Cyber Attacks

Do you plan to just pay the ransom when your company gets hit by ransomware? Is your strategy when the systems to down to switch to pen and paper until IT gets everything back up? That may work in the short term, but that’s not cyber resilience.

Cyber resilience requires you to know what your business needs to stay operational, what kind of risks you’re likely to run into, and what systems you can put in place to keep everything going if something happens. It’s not a one-size-fits-all scenario. And it shouldn’t be an exercise in checking boxes. In fact, if all you’re doing is checking boxes, all you’ve done is pay someone to check boxes for no business benefit.

The online world is complicated and dangerous these days. Your business really needs a three-pronged approach to protect itself. The first part is cybersecurity – defenses within your systems, training your people, and monitoring to quickly stop anything malicious. The second part is your cyber response plan, or how you’re going to manage the damage when an incident happens. (More on those plans in this article.) And the third part is cyber resilience, the part that keeps everything running while your response plan and cybersecurity team deal with the incident.

Cyber resilience isn’t limited to a particular framework or assessment tools. It really does depend on what your business needs and what your likely risks are. But there is one thing that is true across all businesses: No matter what that entails, you need to be cyber resilient.

Related Articles

All
  • All
  • Easy Prey Podcast
  • General Topics
  • Home Computing
  • IP Addresses
  • Networking Basics: Learn How Networks Work
  • Online Privacy
  • Online Safety
  • Uncategorized
Michael Lyborg talks about the promises and risks of business automation.

Business Automation is Great – But Some Things Should Be Left to Humans

As we see an increase in cyberattacks, it’s more important than ever for companies to be able…

[Read More]
How to Spot Fake Emails.

How to Spot Fake Emails and Avoid Danger

The good news is that you don’t have to become a cybersecurity pro to protect yourself from...

[Read More]
Introducing the Brick

The Brick Turns Off Distracting Apps, Makes Your Life Less Distracted

Here are some details. Brick is a combined software and hardware app that helps temporarily “remove” distracting...

[Read More]
Howard Goodman talks about cybersecurity and business.

Education and Communication are Key to Business Cybersecurity

The landscape of both technology and cyber threats is constantly changing. That means that cybersecurity and business…

[Read More]
Money Lender “Dave”

Money Lender “Dave” is In Hot Water with the FTC and DOJ. Scam or False Advertising?

Money-lender Dave does the one thing that all scammers do: It lied to its target through its...

[Read More]
Christiaan Brand talks about passkey security and why it's the future of authentication.

Passkey Security is the Future of Account Access

Phishing and account breaches have been a problem for years, and it’s not going away. In fact,…

[Read More]