Chapter 2. Findings: Understanding Cyber Risks and Response Readiness
Cyber resilience is becoming a critical business and social issue. As more and more business value and personal information rapidly migrates to digital form, the risks from cyberattacks grow ever more daunting. On the front line are public and private institutions that rely on cyber resilience systems and controls to protect intellectual property, information assets and business continuity. Supporting them are regulators who develop the policies to facilitate and defend technology, law enforcement agencies, and industry associations that work to share information and improve institutional security.
Defying all of them are cyberattackers, with a wide range of motives and sophisticated tools to access or disrupt cyber services. Criminals pursue financial gain through online fraud or theft of identity. State-sponsored actors engage in online espionage and sabotage. Competitors steal intellectual property or interrupt business to grab advantage. Online “hacktivists” pierce firewalls to disturb functions or make political statements. Often, insiders help the external attackers or initiate their own attacks, worsening the odds for institutions.
Eliminating threats from sophisticated malevolent players is impossible. Other factors also complicate the response. Open and interconnected technology environments make historic “protect the perimeter” strategies insufficient and, in many cases, counter-productive. As mentioned earlier, much of the damage is caused by an inadequate response to the breach, rather than by the breach itself. Moreover, mitigating the impact of attacks and ruptures often implies complicated trade-offs between risk reduction and business impact. Large institutions struggle with cyber resilience decisions because quantifying risks and their alleviation is difficult, and getting executive engagement on trade-offs is practically impossible.
Cyber resilience is the successful mitigation of the strategic and economic impacts of cyberattacks, and is based on cybersecurity capabilities. This chapter assesses the options for participants in the security ecosystem to increase cyber resilience. These findings are gleaned from the workshops held over 2013 and the interviews with more than 200 industry leaders in seven sectors across the Americas, Europe, the Middle East and Africa, and Asia. The workshops and interviews focused on three topics: practitioner views on the importance of cyber risks; the impact of attacks on businesses, the effect of cyber risks on investment in research and development (R&D) and efforts to mitigate risk; and potential mitigating actions. The interviews were augmented with survey data that compared cyber resilience capability in large firms with best practices across multiple sectors and regions. Some critical findings from the research include the following.