Maintaining cyber resilience comes with an assortment of challenges, some of which recur annually, while new obstacles also emerge. Achieving resiliency has always been difficult, but today we have the opportunity to take a proactive approach by anticipating future problems.
In this archived keynote session, NeuEon’s Candy Alexander opens our Cyber Resilience 2023 virtual event by addressing the major challenges that enterprises encounter in maintaining business and cyber resilience. The following excerpt is taken from Alexander’s live presentation on August 24, 2023. The event was presented by ITPro Today and InformationWeek.
View the entire Cyber Resilience 2023 event on-demand here.
A transcript of the video follows below. Minor edits have been made for clarity.
Transcript:
Candy Alexander: I appreciate the opportunity to talk to everyone today about cyber resiliency, the biggest obstacles faced by enterprises.
Four Common Types of Cyber Resilience Plans
When it comes to this topic, there are four common cyber resiliency plans and programs that I've seen over the years.
Compliance-driven plans
The first one was developed to meet compliance needs. For example, you discover that due to needing to meet HIPAA requirements, you need to put together a resiliency program quickly. So, somebody does an internet search and finds one that fits their needs, downloads it, does a search-and-replace, puts the company's name in, and calls it done. I'm sure some of you can relate to that one. I will admit in the past I have been known to do that before I got smart.
Y2K legacy plans
The next plan, for those who are on the younger side of our audience today, was created in 1999 in preparation for Y2K. You might laugh at that, but honestly, there are organizations out there that still have their Y2K resiliency plan. And again, for those who are familiar with what that problem was, it was promised that when we went from the year 1999 to the year 2000, everything would break, and the world would go to the Dark Ages again. So, there are some businesses and organizations out there that still have that, and believe me, they more than likely have not been updated since then. And if they have been updated, they certainly haven't been exercised or tested.
Insurance-mandated plans
The next plan is the one that a lot of organizations today have had to put together, unfortunately. This is one was mandated by the insurance company that they had as part of a cyberattack or remediation. Many organizations today have gone through the misfortune of having a cyberattack, whether it be ransomware or some other type of breach, and had to call on their insurance and file a claim. And of course, part of that remediation effort was to renew your insurance.
You need to have a cyber resiliency plan in place. Those are unfortunate instances of companies not understanding the value of having one in the first place and more than likely, they probably don't understand the value of keeping it current.
Business-integrated plans
This brings us to the fourth and last plan that I've seen in my experience, and that is an organization that understands the value of having a live document called a cyber resiliency plan. That plan is developed in partnership with the business and achieves the business goal and its purposes.
Let's face it, again, I'm sure that everyone in our audience today has recognized themselves in one of those four plan types. But the one we rarely see is that last one – ‘the golden grail,’ if you will, of cyber resiliency plans.
Why You Need a Cyber Resiliency Plan
So, let's take a moment and think about why it is that we need to have those plans. I touched on some of those reasons.
The first reason is, of course, the whole response to threats. Cyberattacks are becoming more sophisticated and, more importantly, more methodical. I could argue on the level of sophistication because let's face it, many for-business hacking or malicious programs are out there. I don't know how sophisticated the coding needs to be for a malicious actor to take advantage of it, but they're becoming more methodical. What I mean by that is I'm sure that many of you have recognized those headlines that we see today that talk about leveraging artificial intelligence, machine learning, and other technologies to accomplish these attacks.
But more importantly, I think it's important to recognize that the attackers are opportunists and they're looking for the easiest targets. Those seen recently in the news have begun to target local governments and K-12 school districts. When we think about that target group, I think all of us could agree that they're probably not the most sophisticated in regards to putting together a cyber program and or a resiliency plan.
