Building cyber resilience in critical infrastructure environments

The finance, manufacturing and healthcare sectors have all been in the line of fire: 62% of all cyber-attacks in 2020 targeted these top three industries. As a result of recent geo-political tensions and ongoing supply chain disruption, in 2021 that attack trend shifted more broadly to target all critical infrastructure sectors. (You can read further in NTT Holdings’ 2022 Global Threat Intelligence Report.)

Every critical infrastructure organisation in Australia and New Zealand is aware that it is a target for cyber adversaries. While these organisations have focused on their compliance and reporting obligations, and on identifying, protecting, detecting and responding to threats, the truth is that these measures don’t add up to true resilience.

Resilience ultimately comes from recovery. The very best defence is still no guarantee against a cyber-attack. It’s important for boards and senior management to assume that they will be breached and ask the question, ‘how do I recover’?

We know that in healthcare, for example, there are two major targets for cyber criminals. The first is selling patient data. An electronic medical record (EMR) sells for up to $250 on the dark web, which extrapolates to a lot of money when you think about the tens or hundreds of thousands of patient records that might be held in a hospital’s systems.

Alternatively, hackers might use this data as a ransomware opportunity – extorting money either by threatening to publish or sell that data, or by locking it up or encrypting it so you can’t access it. In 2021, 24% of all incident response engagements with our Digital Forensics and Incident Response team were related to ransomware – a 240% growth from 7% in 2019. Ransomware can have a devastating impact on organisations. When your hospital relies on access to your patients’ EMR, losing that access effectively shuts you down until you can regain it.

Boards need to be thinking about the acceptable security risk to the organisation, and which critical applications and systems they need to run the business. Then you can set the acceptable risk in terms of Recovery Point Objective (RPO) and Recovery Time Objective (RTO). RPO is a business calculation of the acceptable data loss from a breach. RTO refers to the amount of time you need to bring IT systems and business operations back online.

Effectively, how quickly you can recover and how well you can limit data loss is your measure of resilience.
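As an added illustration of how RPO and RTO can be checked against what a recovery plan actually delivers (this is example code written for this page, not code from the article or from NTT), the block below takes a constructed backup log and a constructed recovery runbook for a hypothetical EMR system, works out the achieved RPO (time since the last backup that passed verification) and the achieved RTO (sum of the sequential runbook steps), and compares both against the targets the board has set. The backup log includes one backup that failed verification, which shows how a single bad backup widens the data-loss window. All names, timestamps and durations are assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample backup log (hypothetical EMR system, not data from the article).
# Each entry is (completion time, verification status); "verified" means a test
# restore of that backup succeeded, so it can actually be used for recovery.
BACKUP_LOG: List[Tuple[str, str]] = [
    ("2022-03-01T00:00:00", "verified"),
    ("2022-03-01T06:00:00", "verified"),
    ("2022-03-01T12:00:00", "failed"),    # backup ran but failed verification
    ("2022-03-01T18:00:00", "verified"),
]

# Constructed recovery runbook: step name -> estimated duration (assumed sequential).
RESTORE_STEPS: Dict[str, timedelta] = {
    "provision clean hosts": timedelta(hours=1),
    "restore EMR database from backup": timedelta(hours=3),
    "validate data integrity": timedelta(hours=1),
    "cut over clinical workstations": timedelta(minutes=30),
}


def last_good_backup(log: List[Tuple[str, str]], incident_iso: str) -> Optional[datetime]:
    """Latest backup completed at or before the incident that passed verification.

    Only verified backups count: a backup that exists but cannot be restored
    does not shorten the data-loss window.
    """
    incident = datetime.fromisoformat(incident_iso)
    candidates = [
        datetime.fromisoformat(ts)
        for ts, status in log
        if status == "verified" and datetime.fromisoformat(ts) <= incident
    ]
    return max(candidates) if candidates else None


def achieved_rpo_hours(log: List[Tuple[str, str]], incident_iso: str) -> Optional[float]:
    """Data-loss window in hours: incident time minus the last restorable backup.

    Returns None when no restorable backup exists, i.e. total data loss.
    """
    last = last_good_backup(log, incident_iso)
    if last is None:
        return None
    delta = datetime.fromisoformat(incident_iso) - last
    return delta.total_seconds() / 3600


def achieved_rto_hours(steps: Dict[str, timedelta]) -> float:
    """Recovery window in hours: sum of the runbook step durations."""
    total = sum(steps.values(), timedelta())
    return total.total_seconds() / 3600


def check_objectives(
    log: List[Tuple[str, str]],
    incident_iso: str,
    steps: Dict[str, timedelta],
    target_rpo_hours: float,
    target_rto_hours: float,
) -> Dict[str, object]:
    """Compare achieved RPO/RTO against the board's targets."""
    rpo = achieved_rpo_hours(log, incident_iso)
    rto = achieved_rto_hours(steps)
    return {
        "achieved_rpo_hours": rpo,
        "rpo_ok": rpo is not None and rpo <= target_rpo_hours,
        "achieved_rto_hours": rto,
        "rto_ok": rto <= target_rto_hours,
    }


if __name__ == "__main__":
    # Hypothetical board targets: at most 4 hours of data loss, systems back within 4 hours.
    result = check_objectives(BACKUP_LOG, "2022-03-01T20:30:00", RESTORE_STEPS, 4.0, 4.0)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run as a script, the example reports that the RPO target is met for an incident at 20:30 (2.5 hours since the 18:00 verified backup) but the RTO target is not (the runbook adds up to 5.5 hours), which is exactly the kind of gap the article asks boards to surface. Moving the incident to 14:00 shows the effect of the failed 12:00 backup: the last restorable copy is from 06:00, so the achieved RPO grows to 8 hours.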

How do you develop your organisation’s cyber risk profile and cyber risk appetite, and use this to improve your overall cyber resilience?

We’ve developed an hour-long workshop to help board members, taking into account the different requirements of different types of organisation and industry sector. For a hospital, loss of access to patient records or the network being down for even an hour could result in the loss of life, whereas a retailer may be able to withstand a week-long business disruption.

The aim of our Cyber Security Board Simulation workshop is to guide board members towards asking the right questions of their security teams. The focus is not necessarily on how much money should be spent on security, but on how business can be continued in the event of a cyber incident. We use real-life cyber incidents to help board members understand where their organisation stands, identify any weak points and put measures in place to strengthen defences.

When we talk about security, the most important part of a good security program is not the security applications themselves; it’s the recovery. Please keep focusing on resilience, because resilience is what’s going to save you.


Copyright © 2022 IDG Communications, Inc.