3 Cyber Resilience Best Practices for Businesses

Cyber resilience best practices can help organizations face a variety of threats. Here are three guidelines shared by experts at the MIT Sloan CIO Symposium.

Jordan Horowitz, Contributor

June 2, 2022

4 Min Read
3 Cyber Resilience Best Practices for Businesses
Alamy

Imagine your company is undergoing a cyberattack. You discover that temporarily shutting down System X will stop the attack immediately, but it will also cause your company to lose out on millions in revenue. You then discover that if you shut down System Y instead, it won’t adversely affect your revenue stream, but it will take much longer (a few days) to stop the attack.

Your decision about what to do in this situation requires more than just knowing the technical nuts and bolts of cybersecurity. It demands that you think through the human and business outcomes.

This is where cyber resilience comes in.

What Is Cyber Resilience?

Cyber resilience is a concept that describes an enterprise’s ability to use cybersecurity know-how and foresight to adapt to a variety of security threats, attacks, and incidents.

At the recent MIT Sloan CIO Symposium, a panel discussion, “How Cyber Resilience Has Become a Key Competitive Advantage,” brought together leading experts to discuss how cyber resilience best practices can help companies face all types of threats.

Here are three of the cyber resilience best practices that experts shared.

1. Create Trust

In a world where cyber threats seem to loom around every corner, cybersecurity providers receive a lot more questions from their end customers. “[Customers are] getting more sophisticated,” explained Fred Cohn, digital risk leader at Schneider Electric.

Related:8 Tips for Creating a Ransomware Response Plan

Cohn said that customers can sometimes ask hundreds of sophisticated questions about a provider’s cybersecurity capabilities. That’s why having the ability to explain your security program is more critical than ever.

Esmond Kane, CISO at Steward Health Care, echoed Cohn’s sentiments. Kane emphasized the importance of illustrating cybersecurity concepts with customers through stories and easy-to-understand analogies. For example, he pointed to how the metaphor of a door can help explain security basics -- e.g., putting a lock in the door, having an unsecured backdoor. This kind of nontechnical communication helps to build trust with customers who aren’t versed in the nitty-gritty of cybersecurity, he said.

2. Educate Your Employees

By now, phishing exercises have become routine at companies, but more cybersecurity education is needed for non-IT employees.

Kane noted that IT risk will never be eliminated -- but it can be mitigated. The best way to mitigate risk is to have an informed and empowered workforce.

Security awareness is a balancing act, however. “You want enough friction to stop the bad guys but not so much that it inconveniences the good guys,” Kane said. In other words, you want your employees educated, but you don’t want to overburden them with information and responsibility to the point where it hinders their normal job duties. “People are the weakest link in cybersecurity,” he said. “But they’re also the strongest asset.”

David Masson, director of enterprise security at Darktrace, an AI-based security firm, urged companies not to shy away from uncomfortable results of phishing exercises and other security tests. If several employees fail a certain exercise, don’t sweep it under the rug. Instead, acknowledge the weakness and use it to grow.

In a similar vein, Masson offered another cyber resilience best practice: Tell your employees to report breaches early. A cyber resilient enterprise puts everything on the table and doesn’t hide anything, he said.

3. Know Your Board, Inform Your Board

A corporate board might be comprised of people who are extremely knowledgeable of cybersecurity, or it might be made up of people whose areas of expertise lay elsewhere.

Keri Pearlson, executive director of cybersecurity at MIT Sloan, said IT professionals should speak to the board about security on a level that matches the board’s understanding. For example, that could mean moving away from simply providing the board with results of phishing exercises to interpreting those results in terms they would appreciate.

Explaining how cybersecurity fits into a larger business context is key to informing the board about the state of the company’s cybersecurity program, Pearlson said. That’s the only way executive decision makers can ensure the company is cyber resilient.

What are cyber resilience best practices you would recommend? Tell us in the comments below!

About the Author

Jordan Horowitz

Contributor

Jordan Horowitz is a freelance writer and editor based in the Boston area. In his spare time, he enjoys playing guitar, listening to history podcasts, and translating Brazilian songs into English for a YouTube channel that he runs.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like