What Does Resilience Look Like?

Preventable loss plagues your business.

Business and operational resilience is achievable by trading overly complicated controls for a behavioral approach suited to an organization’s culture, size, scope, and industry.

Cybersecurity is dead. Who knows if it ever even existed in the first place? Instead of, “Can you protect us?” business leaders now ask, “How prepared are we to strategically respond to unplanned incidents that disrupt our operations?” Because unplanned incidents will happen. Prepare for them so you can rest assured you’ve done a few things right.

Pre-COVID, we were already getting hammered by criminal activity, from phishing to wire fraud to identity theft, and more. In spite of all the clear signs, many organizations still chose to believe “it won’t happen to us.” Then COVID hit.

As the pandemic era progresses, organizations are still one mistake away from being forced to deal with unplanned (in most cases preventable) incidents that impact their productivity, reputation, and bottom line – but there are some practical things you can do about it.

Resilience for Everyone

Cybersecurity is dead; it has been dead since it started. I don’t know if it ever existed. Resilience, even the word, doesn’t suck all the air out of the room the way the word “cybersecurity” does, leaving us feeling afraid and incompetent. That is the approach: take the many remote controls of cybersecurity and translate them into simpler workflows, so teams can raise business and operational resilience to a broad spectrum of unplanned events, from crime to global events.

Some of these things you may be doing, especially if you’re working in lockstep with your internal or Managed Services/Security Provider. If you’re not, it’s on you when criminal activity or an unintentional human error disrupts things.

It’s tempting to make things more complicated. Resist the urge.

Reduce your preventable losses right now:

  • Have a Decent (1-pager) Disaster-Recovery Plan – Annually review all mission-critical backup configurations to ensure nothing is overlooked or has changed.
  • Normalize Disaster Recovery Simulations – At least annually (more frequently as required) do a “practice run” recovery exercise using mission-critical assets or conduct table-top simulations of worst-case scenarios once or twice a year so your team understands their roles in a crisis and how prepared or unprepared they are.
  • Audit Passwords – Attackers seek out paths of least resistance, which means team members who use weak passwords – and re-use them across accounts – make easy work for criminals. Shared accounts often have weak passwords, use no 2FA, and are a common place for criminals to begin. Have an account that’s no longer active or needed? Document it. Then, disable it.
  • Audit Access Annually – Far too many incidents are the result of an account having too much power. Apply the Rule-of-Least-Privilege model to reduce the attack surface. Criminals love it when someone has account privileges above their pay grade.
  • Verify Visibility Into Your Operations – Make sure you have an accurate inventory of hardware, software, and understand the key operations – criminals prefer those who have no clue because it’s much easier.
  • Review Logs Annually – Even if you’re not currently protecting your logs (criminals know how to cover their tracks), reviewing them at least once a year minimizes surprises down the line.
  • Conduct Vulnerability Scans (At Least Twice Per Year) – It’s easier to understand your network and devices by conducting semi-regular scans coupled to a simple framework for mitigating what’s found – your clients may ask for proof of this, too.
  • Use End-Point Protection On All Devices – Anti-Malware solutions are essential, regardless of platform (Windows, macOS, Linux), so make sure one is installed on all your devices: mobiles, tablets, laptops, servers, everything everywhere. For visibility into network devices, consider installing an Intrusion-Detection System (IDS) and/or (so-called) Intrusion-Prevention Systems (IPSs). Yeah, this part is a lot.
  • Annual Training – Resilience is a behavioral challenge. Give your team knowledge and tools to protect themselves and your organization.
  • Vulnerability Assessment – Minimize your attack surface (this means the exposed parts that can be most easily exploited – criminals prefer the low-hanging fruit).
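As an added illustration of the “Audit Passwords” and “Audit Access Annually” items above (example code written for this page, not the author’s own tooling), the script below runs those checks over a constructed account inventory and reports what to document, disable, or re-scope. The inventory fields, the 90-day inactivity threshold, the fixed audit date, and the role-to-privilege baseline are all assumptions.

```python
from datetime import date, timedelta

# Constructed sample inventory; field names are assumptions for this example.
ACCOUNTS = [
    {"name": "alice", "role": "analyst", "privilege": "user",
     "shared": False, "mfa": True, "last_login": date(2021, 5, 2)},
    {"name": "bob", "role": "analyst", "privilege": "admin",
     "shared": False, "mfa": True, "last_login": date(2021, 5, 1)},
    {"name": "frontdesk", "role": "kiosk", "privilege": "user",
     "shared": True, "mfa": False, "last_login": date(2021, 4, 30)},
    {"name": "contractor7", "role": "analyst", "privilege": "user",
     "shared": False, "mfa": False, "last_login": date(2020, 9, 14)},
]

# Assumed least-privilege baseline: the privilege each role should hold.
ROLE_BASELINE = {"analyst": "user", "kiosk": "user", "it": "admin"}
PRIV_RANK = {"user": 0, "admin": 1}
INACTIVE_AFTER = timedelta(days=90)   # assumed threshold
AUDIT_DATE = date(2021, 5, 3)         # fixed "today" so the run is repeatable


def audit_accounts(accounts, today=AUDIT_DATE, baseline=ROLE_BASELINE,
                   inactive_after=INACTIVE_AFTER):
    """Return {account name: [findings]} for the checklist items:
    inactive accounts to document and disable, shared accounts without 2FA,
    accounts lacking 2FA, and privilege above the role's baseline."""
    findings = {}
    for acct in accounts:
        issues = []
        if today - acct["last_login"] > inactive_after:
            issues.append("inactive: document it, then disable it")
        if acct["shared"] and not acct["mfa"]:
            issues.append("shared account without 2FA")
        elif not acct["mfa"]:
            issues.append("2FA not enabled")
        expected = baseline.get(acct["role"])
        if expected and PRIV_RANK[acct["privilege"]] > PRIV_RANK[expected]:
            issues.append(f"privilege '{acct['privilege']}' exceeds "
                          f"role baseline '{expected}'")
        if issues:
            findings[acct["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_accounts(ACCOUNTS).items():
        print(f"{name}: " + "; ".join(issues))
```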

Did you actually read all the way down? Well, congratulations are due to you, because you have already taken the first step.

No one gets this all done at once.

It takes real time.

The first step is always the hardest.