Cyber-resilience
It’s a fact of life that technology goes wrong from time to time. As Steve Cassidy explains, the best way to cope is to be prepared
Another cyber-something? Forgive me if I don’t sound the alarm.
That’s the right immediate response, certainly. Unlike a lot of cyber-buzzwords, this one isn’t about short-term emergencies or hack attacks. Cyber-resilience is more of an over-arching philosophy – a way of thinking, if you will. At root, it’s a simple question: what do you do when things go wrong with your IT resources?
“Resources” is a very broad term. Do you mean we’re supposed to keep track of every last piece of technology we own or rent?
Well, yes: if you can’t track it, that’s a risk in and of itself. Admittedly, though, it’s easier said than done. As hot new technologies come in, they tend to overlay the boring old stuff, with no clear demarcation, no tidying up and no end-of-life statement. Old servers keep running, betas are never removed, and so on. If you’ve ended up with dozens of systems, big and small, and you’re not sure which you can safely switch off without affecting your day-to-day operations, then that’s not terribly cyber-resilient. Then again, you might be in a better position than someone who has just one system, but which takes months to recover from an interruption to service.
So it’s about auditing and disaster recovery?
That’s a part of it, but think bigger: the idea is to prepare for all types of unwelcome contingency, so that also encompasses planning for security breaches or liabilities. And we’re not just talking about viruses – for example, a lot of businesses have been running on Oracle Solaris for decades, and now it looks like support may soon be winding down. They now face the prospect of becoming very un-cyber-resilient, through no fault of their own, unless they come up with a plan B.
We don’t need a plan B, though; all our stuff is in the cloud.
This is exactly the sort of mindset that the push for cyber-resilience aims to shake. Even if all you have is one email address, you need to ask yourself the important what-if questions: what if my account is hacked? What if my internet connection goes down? You should have planned, tested answers to each of them. That’s a lot more than just a plan B: you should have a plan Z. Cyber-resilience is about being able to carry on even if your first – or tenth – line of defence is overwhelmed.
Surely there’s a point where the effort and cost that goes into all this planning becomes prohibitive?
You don’t have to go overboard. If your plan for dealing with an IT outage is simply to wait for your services to come back on again, that’s perfectly legitimate – as long as you understand the consequences, and as long as you’re keeping an eye out for a better alternative.
And in some cases, your attempts at resilience will be impeded by third parties. For example, the taxman insists that you can only have one Government Gateway ID, with no provision for alternate access or family passwords. Opening a string of bank accounts looks suspicious, too. That’s just something you’ll have to live with: external hindrances are nothing new, and certainly not limited to the field of computing.
This sounds like an excuse for more expensive consultancy work. Our backups will see us through if disaster strikes.
Perhaps, but if you can properly get into the cyber-resilience mindset, you’ll realise it isn’t just about having a backup. It’s about how you handle losing a morning’s worth of transactions when your database is rolled back to a previous state. And it’s about what you do while your backups are restoring – remember that the process isn’t instant. In a major cloud outage, you could be just one among tens of thousands of affected customers, and you might not even know your position in the recovery queue.
If you’ve done your homework, you’ll have a bunch of mitigation measures ready to roll – such as switching to a secondary email service, or re-hosting your website – and you’ll know what tasks need to be done right away (communicating with customers, say). In short, cyber-resilience doesn’t just mean investing in disaster recovery options – it means knowing exactly how and when to activate them.
“Cyber-resilience is about being able to carry on even if your first – or tenth – line of defence is overwhelmed”