In the last year and a half (the year of the pandemic), the word resilience - the ability of a system to withstand a negative event and return to functioning as it did before - has had a great deal of media exposure and has been applied in many different contexts. Not least the digital one, with the parallel emergence of the concept of cyber resilience.
From this, its meaning is easily deduced: a set of activities aimed at ensuring that a company withstands the consequences of a cyber attack as well as possible. The latest Clusit report (October 2021) notes that the growth in attacks in Europe went from +15% in the second half of 2020 to +45% in the first half of this year, with a monthly average of 170 serious attacks in 2021. A steep increase, matched by economic losses of worrying proportions: globally they amount to 6 trillion dollars for 2021, now a significant percentage of the world's Gross Domestic Product, worsening at a double-digit annual rate and equal to roughly three times Italy's GDP.
If talking about cyber resilience is therefore unavoidable, it is still worth understanding exactly what it consists of and how mature companies are in practicing it.
The cornerstones of Cyber Resilience
Managing a cyber attack so as to limit its impact on the business rests on three pillars: business continuity, crisis management and incident response. It is therefore a topic that does not coincide with protection and detection. "We talk about cyber resilience when these have failed. It is the answer to the question: now that we have been attacked, what do we do?" This is how Lorenzo Bernini, Cybersecurity Manager at HWG, explains it. He then uses an example to show how many other aspects are touched by the activities that put this specific type of resilience into practice: "Let's think about the crisis management point. It's not just about knowing exactly what employees should do after an attack, but also how the company should communicate the event and to whom. So how do you handle communication with the legal department, how do you properly inform employees of their duties, how do you get the message out so that the media prominence of an attack doesn't impact brand reputation too much."
Cyber resilience activities form a complex set of elements, in which anticipating possible crisis scenarios also matters. Ransomware is a perfect example of the range of such scenarios. "It is thought of as the case in which a ransom is demanded to decrypt data or to get it back after it has been stolen," says Andrei Munteanu, R&D specialist at HWG. "But in addition to this, there are also cases of harassment practiced by attackers on employees, who are contacted through external channels and threatened in order to induce them to behave in ways that damage the company."
One key point: business maturity
Faced with scenarios that are potentially hard to imagine and a steady increase in attacks, it is inevitable to ask what kind of company can cope with the danger with an adequate cyber resilience plan. In other words, what degree of maturity allows effective damage-limiting measures to be deployed. "I think the degree has to be high - continues Bernini - I'm thinking of a company that has drafted a detailed business continuity plan but then never tested it for lack of resources. Or I'm thinking of startups. At first glance, their structural agility may seem like an advantage: limited assets, few employees, and therefore the idea that less effort is needed to do cyber resilience. But startups have business development as their primary concern, not business protection: again, they would lack the resources to devote to it."
Bernini's view is confirmed by HWG's experience in Saudi Arabia, where the company is working on a cyber resilience project with the country's largest petrochemical player, a giant ranked among the top 70 companies in the world by Forbes, with which HWG has sixteen exercises (i.e. simulations of an event) underway, one with each of as many of its affiliated companies. After working on the Middle East and Africa, Europe, and Americas regions, the next step will be a global-level exercise involving management and the CEO. "This shows the scale of the company structure we are working with," says Munteanu. "After all, the decision to invest in cyber resilience is strategic and proactive, because it concerns the consolidation and growth of processes."
The conversation then returns to the topic of maturity. "All ISO 27001 certified companies have a business continuity and disaster recovery plan - concludes Bernini - but how advanced is it? To what level of the continuity plan's management have employees been trained? These questions are answered by training, which is fundamental: think of the Navy SEALs, how much they train for a mission and how automatically they act in the field. During a cyber attack the same thing happens: you have to act automatically; you can't afford to take time to look at documents and plans. You put your thinking into the action; you have to have acquired the theory first."