Cyber Resilience & Security-by-Design: The New Approach to Cybersecurity Post-COVID-19

Cybersecurity has holistically been a well-funded and highly prioritized process at most organizations to protect enterprise systems against cyber threats. However, in recent years, the instance of cyber-attacks and their impact on businesses has increased significantly. The persistent danger of cyber breaches is such that it’s no longer a question of ‘if’ but ‘when’.  

According to a recent Forbes Insights survey in collaboration with IBM, more than 50% of surveyed organizations have experienced at least one cyber incident in the past three years. The study further informs that 13% of organizations have lost data or faced downtime due to their cloud-service provider; around 58% of such cases were security breaches. 

While organizations across the world are continually striving to sustain business continuity during COVID-19, cyber criminals are trying to capitalize on the crisis. Post the outbreak of COVID-19; there’s been a spike in ransomware and phishing attacks. 

The attackers nowadays impersonate high-value brands to mislead people, using COVID-19 as bait. Not just businesses, even the end-users are being duped into downloading ransomware disguised as a legitimate application.
 

In their Q12020 Top-Clicked Phishing Report, security firm KnowBe4 has revealed that phishing email attacks related to COVID-19 grew by 600% in Q12020. According to the report, 45% of all phishing attacks asked the users to click or type their password on malicious domains. Apart from social media messages related to new login alerts and password resets, another common theme of email subject lines was HR-related messages focused around corona virus and working from home. 

The switch to remote working ecosystem mandated by the COVID-19 pandemic has further exposed the vulnerability of virtual private network (VPN) servers owned by organizations and educational institutions. Catching enterprise off-guard Denial of Service (DoS) attacks have become commonplace, leading to sensitive information of their users getting exposed on the internet. 

The cost of a data breach can be overwhelmingly huge for an organization, not to mention the collateral damage, including business disruptions, harm to reputation, and inviting regulatory actions. According to the Ponemon 2019 Cost of Data Breach Study, the average cost of a data breach is $3.92 million. 

How Cyber Resilience and Cybersecurity are interconnected?

Other than the familiar connotations of the common word ‘cyber’, cyber resilience is essentially a cohort term that encapsulates cybersecurity. Cybersecurity is a stand-alone process that focuses on preventing hackers from penetrating IT systems. Although it’s possible to avert a majority of attacks by implementing cybersecurity best practices, there’s virtually no guarantee that a security breach won’t occur. That’s where cyber resilience comes into play.  

While cybersecurity is the first line of defence that takes the ‘keeping them out’ approach, cyber resilience has a much broader scope in terms of how an organization can respond, if subjected to a cyber-attack. A cyber-resilient organization is one that is more capable of withstanding business disruptions caused by a cyber-attack and recover quickly. 

As per the US National Institute for Standards and Technology (NIST) Cyber Security Framework, which is an internationally recognized framework that details approach, activities, outcomes, and various aspects to cybersecurity, cyber resilience covers five stages – Identify, Protect, Detect, Respond, and Recover. Another critical aspect of cyber resilience is helping organizations in business continuity management by identifying the external and internal threats that have the potential to impact business operations. 

Cyber resilience means thinking long-term to prepare an organization by creating a resilient system to ensure undisrupted business operations despite a cyber-attack. Cyber resilience takes a ‘bend, but don’t break’ approach for securing business by bringing together the disciplines of business continuity, cybersecurity, and enterprise resilience. Cyber resilience is a broader process that does not rely alone on prevention but does leverage cybersecurity for protecting IT systems against cyber-crime.

Why building Cyber Resilience matters most?

Taking a realistic view that no matter how robust the defences of the IT system inside an organization, there’s still a likelihood of some cyber-attack, led to the coining of the term ‘cyber resilience’. The UK Cyber Breaches Report (April 2019) states that 60% of mid-sized companies and 61% large enterprises have suffered a major cyber breach in the past year. 

When the IT ecosystem expands beyond the four walls of an organization, it is bound to expose certain gray areas, the most vexing and persistent blind spots being shadow IT, and the dependence on cloud-service providers. In an organization, shadow IT includes non-sanctioned devices, software, and applications. Since you can’t protect what you can’t see, shadow IT is perceived as a prominent cybersecurity threat. 

In the post-COVID-19 world, the increased cloud adoption has raised security risks for the organizations blindsided by the technology beyond their control, such as a custom cloud-based software service subscription. It is common knowledge that most modern businesses rely on their service providers to manage security in the cloud. But what happens if your cloud service provider sets the wrong parameters leaving your company’s cloud-based data wide open? 

According to the report based on a Forbes Insights and IBM survey, over 65% of organizations depend on their cloud-service provider for security, recovery, and continuity. However, only 45% of the surveyed executives are confident that their cloud-service provider can meet service-level-agreements (SLAs) during cyber events.
   
Many businesses rely on insuring their IT systems and assets against cyber-crime for risk coverage but have learned it the hard way that insurance can never be a substitute for a robust cyber resilience profile. The bottom line is that cyber risks are long-tail and hence hard to underwrite for the insurers. Building an orchestrated resilience remains the only viable approach to help minimize the impact of a cyber-attack by recovering quickly. 

A cyber-resilient business can continue to operate even while facing the most sophisticated cyber-attacks. Building cyber resilience enables organizations to embrace disruptions safely and strengthen customer trust. Rather than assuming that their cybersecurity measures would hold, it is more effective for businesses to accept that the worst might happen at some point and build the capability to respond. 

Security-by-design – the new approach to Cybersecurity

Security-by-Design (SbD) is a pragmatic, proactive, and strategic approach to cybersecurity that nurtures trust at every stage of a new digital initiative. On similar lines of cyber resilience, Security-by-Design is about enabling trust in an organization’s systems, designs, and data to lead transformational change for taking on more risk and innovate with confidence. The rising ubiquity of technologies like the Internet of Things (IoT) and Artificial Intelligence (AI) makes a compelling case for adopting a Security-by-Design approach. 

The 3 pillars of Security-by-Design approach

1. Checkpoints – Checkpoints are the defined time points during the Software Development Life Cycle (SDLC). Each checkpoint involves making an overall assessment of the system security along with deciding the future course of action. These are the evaluation points during the software development process, which assess how cyber resilient is our system and is it business worthy to proceed ahead or to call off the project. These could be internal vs external validations.
2. Activities – These are security-related activities which ensure the security of the system. These are operational, technical tasks which are done in parallel to regular software development activities so as the system is resilient and withstands the checkpoint evaluations. The activities are underpinning the security process and defining the expected outputs.
3. Plan  - Defining the timeline of activities as in above in sync with the software development process. The idea is to guide projects to meet Security-by-Design objectives.

Thus, Security-by-Design approach allows introducing security earlier in the development process rather than reactively enforcing security policies and always being behind.  The process involves making systems/software secure as part of the architecture planning process from the inception. The security specifications are coded into templates to ensure that the desired configuration is in place. There is no need for any significant security audit on every infrastructure change; however, an in-depth security assessment is optional when the infrastructure templates change substantially. SbD means less repetitive work and more focus on real issues.

Rethinking Cyber Risk Management post-COVID-19: key takeaways

The outbreak of COVID-19 has forced organizations to become more reliant on the internet and digital ways of doing business.  As the lines blur between technology and business models, organizations need to reassess the threat and reprioritize their investments on mitigating cyber risks that could impact business outcomes. 

According to a recent Gartner report published in Q1 2020, cybersecurity is facing slowing budget growth. According to the report, while cybersecurity grew at 12% (CAGR) in 2018, it is projected to decline to only 7% (CAGR) by 2023. However, in this post-COVID-19 world, organizations need to rethink and realign their cyber risk management strategy to ward off cyber threats.

One-size-fits-all cybersecurity solutions seldom fit every use case. It would be best if you chose a reliable software vendor who can build a customized cybersecurity solution by deploying well-established cyber risk management principles such as the Cybersecurity Capability Maturity Model (C2M2).