The Importance of People, Process and Expertise for Cyber Resilience in the AI Age
Written by Sam Woodcock, Senior Director of Cloud Strategy at 11:11 Systems
No business is immune to today's cyber threats, which range from malicious software and ransomware to AI threats and more, and which occur daily, weekly and often even more frequently. To counter them, companies must have strategies in place to minimise the potential damage of an attack by protecting data and putting plans in place to recover from a cyberattack as quickly and effectively as possible.
The increased adoption of AI by everyone from employees to cyber criminals is adding further risk and complexity to the security landscape. While cybercriminals are incorporating AI into their arsenal to enhance their attack strategies, employees are unwittingly helping these attackers gain their sought-after prize, data. Many employees today are experimenting with generative AI models to assist with their jobs, but many put vast amounts of data, ranging from personal details to company information, into these systems, often without the organisation’s knowledge.
However, as it is still early days for these technologies, the number of people using them is likely to increase and companies must determine how they secure their access credentials for those systems and similar applications and services before the risk increases. To achieve this, companies must focus on the technology, people, process and expertise to improve the defence structure of the organisation.
The people
To increase the overall security posture of an organisation, one of the most important things that companies must do is focus on education and enablement. To fully benefit from this, it should be a continuous education process with end users and employees, focusing on what is being placed into systems like ChatGPT, and explaining the security ramifications of putting sensitive data into these systems so that employees understand the risks associated with this behaviour.
Companies should also develop and implement security policies around the use of generative AI technologies to reinforce what employees can and cannot share across these platforms.
The process
At its core, resilience describes how organisations can prevent and withstand a cyberattack, but it goes beyond this. To be truly resilient, organisations must adopt a multi-layered security approach with predefined processes that prevent data from being easily accessible in the case of a breach, as well as securing the system. Further, the approach must outline how the company will get the business back up and running and recover its data. As such, resilience is about prevention and recovery. And while many companies often incorporate one of these elements, to be resilient they need to incorporate both holistically.
To achieve this, companies need to rethink how they plan for these attacks: determining what new technologies they need to counter possible threats, and adding scenario planning so that they understand the process and can quickly and easily recover their backups to restore the business to an operational level as soon as possible. It is important to note that even with the most comprehensive plans in place, companies need to prepare for the unexpected. For example, they may not be able to go to the last point in time in a cyber recovery scenario because the cyberattack may have been lying dormant in the environment for the last 30 to 90 days or more. As such, they would need to turn to historical backups to recover the business.
An effective cyber resilience strategy and recovery plan also needs to be tested regularly. Unfortunately, many organisations lack focus on testing, both in terms of their planning and their process during simulation. However, tabletop exercises are key because they get to the heart of the metrics and unpack how long it will take to get the organisation back up and running. They also help to clarify how the company will respond to the situation and help teams to understand where they have gaps or need to evolve their planning. In doing this, the company will have a plan and know how it will operate through an incident.
The expertise
Metrics provide the mean time to detect issues and the mean time for recovery. They also give insight into incident response times and help to provide an overview of where the company is in terms of its ability to recover versus where it wants to be and what good looks like.
However, while metrics are valuable in that they provide a snapshot of various aspects of recovery, companies need to look beyond the dashboard of metrics and focus on what is important for their recovery. Unfortunately, many companies invest in technologies hoping for a silver bullet solution, but find that they simply add to the noise and complexity of data alerts, rather than easing the process. Further, leaders do not have the time or skills needed to see what the vast number of alerts are showing them, in order to improve upon what they have.
Overcoming this challenge involves combining a mixture of the right technology with the right expertise to interpret the data, make informed decisions, and improve the overall defence structure of the organisation.
According to research findings from Veeam, 85% of organisations have been victims of a ransomware attack in the last 12 months, but more concerning is that these organisations have been hit two or three times. Businesses need to be prepared for the next incident if they are to protect their data and recover from a crisis. This means having a resilience plan in place and testing it regularly.
Resilience must be a multi-department, multi-organisation effort. It is about understanding the organisation’s level of maturity across its IT systems and ensuring that it is fully prepared for any eventuality. IT teams must be able to answer the question: how comfortable would we be if we were attacked tomorrow? Understanding this comfort level across different areas of the business is key to withstanding an attack. If there is any discomfort, this is a warning that work needs to be done and systems need to be tested to deliver more maturity and confidence in the cyber resilience strategy.