What do resilient companies do differently?

Only 36 percent of critical infrastructure companies in the world's five largest economies have achieved a high level of cyber resilience. What sets these companies apart? And what can be learned from them?

Cyber Resilience
© depositphotos, grigvovan

Cyber resilience is the ability to maintain productivity and meet business objectives despite a successful cyber attack. Given the growing threat landscape, this is essential. After all, the risk of a cyber attack can never be completely eradicated. Rather, it's about minimizing the likelihood of an incident while taking measures to remain operational in the event of an emergency. For critical infrastructure organizations in particular, it is essential to achieve a high level of resilience. How far along are such CRITIS organizations on their path to sustainable resilience, and what do resilient companies do differently from those that are still in the early stages? The market research company Frost & Sullivan investigated these questions on behalf of Greenbone Networks.

The four main criteria to measure resilience

Cyber resilience is a comprehensive concept that goes one step further than IT security. It takes the approach of establishing security within business processes rather than building a protective wall around them after the fact. To measure resilience, four main criteria play a decisive role:

  • Can cyber attacks be adequately managed in the enterprise?
  • How well can impacts from potentially serious cyber attacks be mitigated?
  • Are best practices and a sensitized corporate culture established with regard to cyber resilience?
  • What skills are especially important to recover quickly after a cyber incident?

Detailed questions were used to determine how well the study participants see themselves positioned in the four areas for the next twelve months and what their priorities are for coping with cyber attacks. Only 36 percent of the CRITIS companies surveyed believe they have already achieved a high level of cyber resilience. The U.S. is further advanced in this regard: fifty percent of the U.S. companies surveyed are among the highly resilient organizations, compared with only 36 percent of the European and 22 percent of the Japanese companies.

Six characteristics that distinguish resilient companies

What do the 36 percent of resilient companies do better than the others? The following six characteristics emerged as particularly important from their capabilities, best practices and corporate culture.

1) Resilient organizations are able to identify critical business processes, associated assets and their vulnerabilities.

This requires that they have analyzed their critical business processes in detail and know which digital assets are indispensable to maintain these processes. The next step is to identify vulnerabilities and take appropriate measures to mitigate or close them. To do this, a vulnerability management solution plays a crucial role. The ability to manage vulnerabilities is what most clearly distinguishes highly resilient companies from less resilient ones.

2) Resilient companies are better at minimizing damage after a cyber incident. Delivery bottlenecks, customer dissatisfaction, damage to equipment, or production and service delays can be resolved promptly. 

This is achieved through their ability to respond quickly to cyber attacks, close vulnerabilities and contain the threat. To do this, they need a cyber security architecture that is aligned with their business processes. In addition, resilient companies can act in an agile manner and have defined clear security processes and responsibilities.

3) By establishing best practices early on, resilient companies are able to respond early. 

To do this, they have created awareness of critical business processes and assets within management and the workforce and embedded cyber resilience in the corporate culture. In 95 percent of highly resilient companies, the owner of a digital asset is also responsible for securing it. The accumulated experience and the established approach that results from it help to mobilize all organizational levels quickly, so that gaps are closed and damage caused by attacks is recovered from promptly.

4) Resilient companies are more likely to seek support from third-party providers or are willing to do so. 

They use the expertise of specialized service providers not only to manage security technologies, but also to obtain advice. The consultants help, for example, to develop a security strategy for the company, select suitable technology, implement managed security services or determine the ROI with security metrics.

5) Resilient companies consider the ability to respond to cyber incidents and mitigate the impact on critical business processes to be particularly important.

In their own estimation, this puts them in the best position to recover quickly after a cyber attack. European companies have different priorities here than American ones. They find the ability to eliminate vulnerabilities most important. In the U.S., on the other hand, companies focus more on their critical business processes. The ability to prevent cyber incidents plays only a minor role for all respondents. So there is a growing awareness that cyber attacks and their impact are inevitable.

6) Resilient companies prepare for cyber attacks through simulations. 

They simulate various what-if scenarios in training sessions and also involve asset owners outside the IT department. They also apply the same cyber security rules to all digital assets. This makes it easier to comply with them consistently.

The key to greater cyber resilience

According to Greenbone Networks, the study results show that cyber resilience is not a question of IT budget and requires much more than suitable security technology. The key is to identify business-critical processes and digital assets and make them the focus of all measures. Best practices should be aligned with the business processes and practiced across all areas of the company. To achieve this, it is important to create awareness of the critical processes and assets and the associated risks among management and employees. If this can be achieved, companies can significantly increase their cyber resilience.

Source: Greenbone Networks

370 companies in the USA, Japan, Germany, France and the UK were surveyed. They come from the six CRITIS sectors of energy, finance, healthcare, telecommunications, transportation and water.

You can request the complete study report at the following link: https://www.greenbone.net/businessrisk/

 

 

 
