Despite the continuous increase in computer attacks and data leaks, not all companies and organisations take the measures necessary to guarantee their resilience in the face of an attack or a disaster with serious consequences. Organisations that have already suffered an incident of this type are more aware of the importance of cyberresilience, but we must not wait for an incident to happen before preparing to resist it. All companies, large or small, whether or not they have suffered an incident, must be concerned about their cyberresilience; hence, the first step is to anticipate.
Anticipating, in cyberresilience, means having the capacity to prevent threats from becoming reality, relying on procedures established by the organisation itself and on advanced cybersecurity technology that helps to manage the various types of risk identified. Moreover, it is important to emphasise the training given to employees, because, if an event should occur, everybody in the organisation has to be able to react appropriately.
Knowing an organisation's level of cyberresilience makes it possible to provide the means to improve it, above all if it is discovered that a shortfall could cause serious consequences or losses for the organisation. Organisations that support critical infrastructures in the country are a special case, since they are obliged by the PIC (Critical Infrastructure Protection) Law to adopt plans to guarantee the security of their facilities.
The IMC model allows organisations to measure and improve their ability to achieve four aims: to anticipate, to resist, to recover and to evolve. Next, we shall set out the components to be measured in order to improve the aim of Anticipating.
Anticipating is one of the four aims of cyberresilience. It consists of maintaining a state of informed readiness, in order to prevent essential services from being compromised in the event of a cyberattack. To measure the objectives of this aim, its three functional domains are analysed: cybersecurity policies, risk management and cybersecurity training.
Below we shall see each of these three domains in detail.
The first functional domain of the aim to Anticipate consists of establishing a cybersecurity policy in which the cyberresilience requirements for each essential service provided by the organisation are identified. This makes it possible to measure the organisation's degree of commitment to setting specific cyberresilience aims and the requirements to fulfil them.
This policy must include information about the existing procedures, such as collaboration with public and private bodies (CERTs, or private entities such as consultancy firms or suppliers) to receive notices of vulnerabilities or to notify incidents. A collaboration agreement, or an exchange of cyberresilience information with this type of organisation, guarantees collaboration in the event that a cyber-attack causes the unavailability of essential services. These information exchange agreements help to improve anticipation in incident management, vulnerability management and continuity of the essential service.
The second functional domain within the aim to Anticipate is risk management, defined as the process of identifying, analysing and quantifying the probabilities of the losses that incidents may cause, together with the preventive, improvement and reduction actions that must be undertaken. The elements that must be part of proper risk management are:
- Identifying the essential service or services and establishing priorities among them, according to the value set by the organisation.
- Knowing and understanding the most important threats to the organisation, and ordering them by the seriousness of their impact on the essential service.
- Preparing for cyber-attacks that overcome security technologies, in order to detect them, contain them and remedy their effects in the shortest possible time, and thus minimise damage within the company (BIA).
- Estimating the maximum acceptable recovery times and the volume of data at risk that is considered acceptable during this time.
- Setting the risk tolerance thresholds that trigger the different responses to it: elimination, mitigation, transfer or acceptance.
Security organisation, processes, technologies, tools and services must be reviewed and adjusted as threats evolve, as part of a process of continuous improvement. Carrying out a Business Impact Analysis (BIA) on the essential service is essential in order to analyse the consequences of an interruption to, or an alteration of, its provision, to identify the critical processes and activities that support this service and to prioritise their recovery. Being a cyber-resilient organisation means adapting in the shortest possible time.
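As an added illustration (not part of the original article) of how the risk-management elements above can be made concrete, the following Python sketch ranks constructed threats by expected loss against an essential service, picks the response from constructed tolerance thresholds (elimination, mitigation, transfer or acceptance) and checks a tested recovery against the maximum recovery time and data-at-risk limits set by the BIA. All service names, values, probabilities and thresholds are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Service:
    name: str
    value: int          # value set by the organisation for prioritisation (BIA)
    rto_hours: float    # maximum acceptable recovery time
    rpo_hours: float    # acceptable volume of data at risk, as hours of data

@dataclass
class Threat:
    service: Service
    name: str
    probability: float  # estimated annual likelihood, 0..1
    impact: float       # fraction of the service's value lost if it occurs, 0..1
    def expected_loss(self) -> float:
        return self.probability * self.impact * self.service.value

# Constructed tolerance thresholds on expected loss; the first one a loss
# reaches decides the response (below the lowest threshold: acceptance).
THRESHOLDS = [(50.0, "elimination"), (20.0, "mitigation"), (5.0, "transfer")]

def choose_response(threat: Threat) -> str:
    loss = threat.expected_loss()
    for limit, response in THRESHOLDS:
        if loss >= limit:
            return response
    return "acceptance"

def rank_threats(threats):
    """Order threats by the seriousness of their impact on the essential service."""
    return sorted(threats, key=lambda t: t.expected_loss(), reverse=True)

def within_bia_limits(service, measured_rto, measured_rpo) -> bool:
    """Does a tested recovery stay inside the limits set by the BIA?"""
    return measured_rto <= service.rto_hours and measured_rpo <= service.rpo_hours

# Constructed sample register (illustrative values only)
BILLING = Service("billing", value=100, rto_hours=4, rpo_hours=1)
PORTAL = Service("customer portal", value=60, rto_hours=8, rpo_hours=24)
THREATS = [
    Threat(BILLING, "ransomware", probability=0.6, impact=0.9),
    Threat(PORTAL, "DDoS", probability=0.8, impact=0.5),
    Threat(PORTAL, "defacement", probability=0.1, impact=0.2),
]

if __name__ == "__main__":
    for t in rank_threats(THREATS):
        print(t.service.name, t.name, round(t.expected_loss(), 1), choose_response(t))
```

A real register would replace the constructed probabilities and impacts with the organisation's own estimates and revisit the thresholds as threats evolve.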
The third functional domain of this aim is to train all members of the organisation in cyberresilience. Investing in cybersecurity training has become more and more important, since it is necessary to prevent undesirable situations and incidents in which the organisation's assets or the essential service are compromised. Even with established and documented risk management to which improvement actions are applied, everybody in the company has to be capable of reacting appropriately to risky situations.
Having a training and awareness plan within the organisation is the way to create a security culture, that is, to make each employee, depending on their role within the company, aware that the company's cybersecurity also depends on them, and to commit to it within their area of action.
The aim of this functional domain is to carry out training and awareness activities in cyberresilience. To that end, a plan must be prepared and implemented, aimed at the staff involved in some way in the essential service. This plan will contain the resources that must be allocated, how staff will be trained or educated and what activities will be carried out. Moreover, these activities will be oriented towards educating, training and raising awareness among the organisation's staff in this area, depending upon their needs and their role in the security of the essential service; they may include training sessions, incident simulations and participation in cyberexercises. Likewise, the training plan must be adapted from time to time, since threats evolve and new ones appear. If necessary, consideration must also be given to training contractors and users.
Anticipating is the first step in adopting a cyber-resilient attitude. All organisations or companies committed to cybersecurity will manage to reduce any type of threat to a certain extent or, otherwise, will be ready to mitigate it. Having a high level of maturity in the first aim, Anticipating, will help the organisation to develop better within the other cyberresilience aims: Resist, Recover and Evolve.