Regardless of the size of your company, a cybersecurity breach is likely to occur at some point. Despite that statistical reality, you should still pursue cybersecurity controls to the best of your ability, because they reduce both the number and the severity of incidents.
Accepting that cyberattacks are inevitable does not mean your company has to give up hope. While work should continue on compliance with cybersecurity standards to prevent attacks, the other tactic on your company’s radar should be building cyber resiliency.
NIST defines cyber resiliency as “The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” In other words, how well can your company continue to function in the wake of a cyberattack? How much damage can your business absorb?
In December 2021, NIST released volume 2 of NIST SP 800-160, which focuses on cyber resiliency. The document compares a cyber ecosystem to the human body. The body can be attacked by many different viruses. Sometimes you have to pause all activity and recover, but most of the time the immune system handles the infection well enough that life remains manageable. A cyber environment is the same type of system. A business may be attacked many times, and not every attack can be caught. However, if a business has strong cybersecurity and strong cyber resiliency, those attacks will not be enough to bring the company to a standstill.
Why did NIST create a document specifically focused on cyber resiliency? The primary reason given in SP 800-160 itself is advanced persistent threats, or APTs, a topic Ron Ross of NIST has spoken about often over the last several years. APTs are cyberattacks that begin by infiltrating a system without being noticed. Think of the initial foothold as a mine or bomb set in position but not yet triggered; it can sit in a system for days, weeks, or even months. During the 2013 cyberattack on Target, the hackers infiltrated the system a few days before the actual attack began. A 2023 cyberattack on the city of Dallas, Texas, began on April 7, 2023, but did not actually trigger for almost a month, on May 3. With attackers able to remain undetected for so long, preventing every cyber incident becomes increasingly difficult. Experts like those at NIST still advise working on prevention, but cyber resiliency also needs to be strengthened as malicious actors become more advanced.
As the cybersecurity sector awaits news on new regulations, now is the perfect time to focus on building security and resiliency systems for your company’s data. If you would like to talk about your company’s cybersecurity ecosystem, contact us today for a no-obligation meeting.