In this week’s National Cyber Security Awareness Month post Mr. Jason Warren, a cybersecurity specialist in the Critical Infrastructure Protection Branch of the Office of Port & Facility Compliance, discusses how building cyber resiliency within your organization can minimize downtime and loss follow a cyber incident.

Written by Jason Warren, Cybersecurity Specialist, Office of Port and Facility Compliance

A cornerstone of the cyber governance structure is the necessity to build resiliency into your cyber systems and networks. As in every technological era, there is a dark force racing alongside the rush of innovation — criminality, exploitation, greed and even destruction. Cybercriminals are innovating fast. Enormous amounts of private information are being siphoned out of enterprises via infrastructure breaches, and traditional defenses such as antivirus and network firewalls have failed to stop the continuous stream of data losses. The attacks have moved from monthly to weekly during the past year, and it is no surprise that companies are heavily focused on enhancing their cyber resiliency posture in order to respond and recover from a critical system outage.

Compliance standards are not materially reducing losses. Traditional authentication and authorization technologies have made it harder for legitimate users to get access, while providing only a temporary roadblock for rogue actors. Many successful security and compliance leaders are quickly moving away from a “checkbox compliance” mentality, and striving to attain a more resilient posture leveraging risk-based decision making principles.

Cybersecurity resiliency is loosely defined as the ability for an organization to identify, prevent, detect and respond to a process or technology failure, minimizing harm, reputational damage, and financial loss. A strong approach to cyber resilience means building holistic capabilities across risk and security throughout the enterprise. However, no amount of planning or investment can make an organization’s cyber defenses completely secure, but developing a vigorous resiliency plan may prevent outages of critical systems and functions by cyber incidents or unexpected failures of Operational Technology (OT) that rely on Information Technology (IT) systems for command and control functionality. New threats and unanticipated vulnerabilities emerge daily, and resiliency strategies must be addressed often as conditions and risks change. Organizations should concentrate on the following elements to bolster their resilience:

Empowering the Employee: User awareness has historically been woven tightly into the governance structure and is a key aspect in building cyber resilience. Security leaders recognize that the weakest link in our cybersecurity defenses, the end user, can also be the strongest when empowered. However, basic or infrequent cyber awareness is sometimes not enough, as the quest for cyber resilience demands a focus on people. We need to begin to accept the limits of technology and become more “people-centric”, creating processes that shape behavior and motivate people to do the right thing. An empowered employee understands the risk and how they potentially contribute to it, which creates a culture of accountability and trust. Your people will continue to serve as one of the best defenses in building your cyber resiliency posture.

Business Continuity Management: Compromised IT environments are inevitable, and the ability to restore a system via backup data or software is a crucial element in recovery planning. System backups should be updated and tested often in the event restoration is necessary to carry out core business functions. These redundancy measures prove valuable not only in the event of a breach or cyber incident, but also during the recovery phase of a non-cyber safety or security event.

Incident Response Plan: The implementation of an incident response plan facilitates effective actions in case of a cyber incident. IT risk and security leaders should invest in technical, procedural and human capabilities to detect when a compromise occurs. Providing the tools for first responders to react quickly and investigate the source and impact of breaches, compromise and incidents is paramount. Enterprise knowledge around how to engage efficiently will reduce any duplication of work during an incident. The plan should include updated contact information, structured lines of communication and organized roles and responsibilities. The plan should be tested regularly to ensure its effectiveness.

Asset Inventory: Until an organization can perform a complete inventory of critical IT/OT systems, it cannot perform an adequate risk evaluation. A complete inventory of systems is critical to understanding what equipment and systems require certain patches, security protections and restoration precedence. Further, an accurate inventory allows critical cyber-dependent systems and services to be prioritized, establishing tolerance thresholds and anticipated timelines for any recovery and restoral efforts. Crucial systems that cannot tolerate extended outages may garner additional resiliency measures such as “mirrored” or redundant systems or “hot-standby” equipment. These resiliency efforts also provide senior management the visibility needed in order to make informed and consistent decisions about its overall cyber security posture.

Good Cybersecurity resiliency must be the foundation of your governance structure. You must identify the “diamonds” in your inventory to ensure your business operations can reconstitute quickly, minimizing downtime and losses. The incident response plan should be exercised regularly in order to identify weaknesses or changes to your plan. Incident response and recovery is a team effort, ensure key personnel are included in the plan to assist—this is an “all hands on deck” evolution. Lastly, empower and train the employees often about new threats that target their daily work processes. Proper cyber education and awareness can minimize or prevent a significant cyber incident and make your organization more resilient.

Read our other National Cybersecurity Month posts:

10/16/2017: Nat’l Cybersecurity Awareness Month – The role of AMSCs in cyber

10/9/2017: Nat’l Cybersecurity Awareness Month – Shipboard cyber risk management

10/2/2017: October is National Cyber Security Awareness Month

This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.