Spring 2014 issue of Horizons

FEATURE

In summary, these components are the basic tenets of what is known as cyber resilience:

∙ Security
∙ Preservation of reputation
∙ Customer impact
∙ Consequences

A cyber resilience plan incorporates an understanding of modern attacks, a plan for defending/defeating those attacks and potential responses to those attacks. Cyber resilience plans are critical for entities of all sizes and can be adopted through the following five key steps.

Step One: Assess the Risks

The first step to developing a cyber resilience plan is to consider the business risk. What loss can the entity live with? Since budgetary spending on security is often limited, entities must identify the risks they face and then prioritize those risks to identify which ones are their greatest concerns. Keep in mind that the greatest risk may be your reputation and not the dollars directly associated with an individual attack.

The thought process evolves from thinking about what type of protection to provide to all of the operations and assets, to asking what our most important assets are and how we protect them. Entities move from thinking about what inputs we need for a security plan, to what outcomes, or consequences, we can live with, and then how we balance those risks with our limited resources.

Step Two: Develop a Plan

Once the priority assets have been identified, develop a plan to protect against the threats to those assets. The mindset should be one of moving beyond the minimal preventive and defensive controls needed for compliance standards, to how resources can be effectively aligned to protect an entity’s assets. As the effects of a cyber attack can impact all aspects of the supply chain, there needs to be a plan that strikes a balance between addressing security concerns and not unnecessarily constraining the means by which business needs to be conducted.

> 57% of respondents expect to experience a security breach within the next year, yet only 20% regularly communicate with management about threats.

~ Ponemon Institute
