Cyber Security vs. Cyber Resilience – What’s the Difference?

Is your business cyber secure, or cyber resilient?

Cyber security refers to the defensive measures to protect your business against cyber attacks. Think next-gen endpoint protection, spam filtering, multifactor authentication, application control, password security, security awareness training, etc.

But what happens when an attacker breaches your defenses? And they will – it’s not a question of “if” but “when”.

Before you ask “Then what’s the point of investing in cyber security?”, let me explain.

Many investments have some form of diminishing returns like the red line in Figure A. Investing in cyber security is no different. You can invest an infinite amount of money and resources into defending your business but at some point, the incremental return on that investment is no longer proportional to the investment made.

Figure A.

This means that no matter how much you invest, there will still be ways for attackers to compromise your business. The key when making the investment is to get the highest return.

An effective approach is to make your defenses so good that an average attacker will give up and focus their efforts elsewhere. It doesn’t mean that there isn’t a way in; it just means that you’ve made it difficult enough for the attacker to give up and seek an easier target. But what about the diligent, skilled attacker who finds a way around your defenses? Now what?

“Plan A” is to prevent a breach. What’s your “Plan B”? This is where cyber resilience comes in.

Defend your business and mitigate the impact when you are breached. How fast can you be functional again? Hours? Days? Weeks? Think disaster planning, backup, cyber insurance, detailed logs, etc.
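The question “how fast can you be functional again?” only has an honest answer if a restore has actually been rehearsed. The script below is an added example, not code from the original article: it takes a backup with a hash manifest, restores it into a scratch location, checks every file against the manifest, and times the restore against a recovery time objective (RTO). The directory layout, file contents and the 60-second RTO are constructed for the demonstration; the second drill deliberately damages the backup copy to show that a restore can complete quickly and still fail the drill.

```python
"""Backup restore drill: verify that a backup actually restores intact and
measure the recovery time against a recovery time objective (RTO).
Sample data is constructed in a temporary directory (added example, not
from the original article)."""
import hashlib
import shutil
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class DrillResult:
    restored_ok: bool                              # every file present with the expected hash
    missing: list = field(default_factory=list)    # files in the manifest but absent after restore
    corrupted: list = field(default_factory=list)  # files whose hash no longer matches
    recovery_seconds: float = 0.0
    within_rto: bool = False


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, backup: Path) -> dict:
    """Copy the source tree and return a manifest of relative path -> sha256.
    Keep the manifest somewhere the backup job cannot overwrite (offline or
    append-only); a manifest stored next to the backup proves nothing if
    whatever damages the backup can rewrite the manifest too."""
    shutil.copytree(source, backup, dirs_exist_ok=True)
    return {str(p.relative_to(source)): sha256_of(p)
            for p in sorted(source.rglob("*")) if p.is_file()}


def restore_drill(backup: Path, manifest: dict, target: Path,
                  rto_seconds: float) -> DrillResult:
    """Restore into a scratch location, verify against the manifest, time it."""
    start = time.monotonic()
    shutil.copytree(backup, target, dirs_exist_ok=True)
    result = DrillResult(restored_ok=True)
    for rel, expected in manifest.items():
        restored = target / rel
        if not restored.is_file():
            result.missing.append(rel)
        elif sha256_of(restored) != expected:
            result.corrupted.append(rel)
    result.recovery_seconds = time.monotonic() - start
    result.restored_ok = not (result.missing or result.corrupted)
    result.within_rto = result.recovery_seconds <= rto_seconds
    return result


def demo(rto_seconds: float = 60.0):
    """Constructed scenario: a healthy backup, then the same backup after it
    was silently damaged (one file overwritten, one file deleted)."""
    root = Path(tempfile.mkdtemp(prefix="drill-"))
    try:
        live = root / "live"
        (live / "invoices").mkdir(parents=True)
        (live / "invoices" / "2024-q1.csv").write_text("id,amount\n1,100\n")
        (live / "config.ini").write_text("[app]\nmode=prod\n")

        backup = root / "backup"
        manifest = make_backup(live, backup)
        good = restore_drill(backup, manifest, root / "restore-good", rto_seconds)

        # Damage only the backup copy; the manifest stays authoritative.
        (backup / "invoices" / "2024-q1.csv").write_text("id,amount\n1,999\n")
        (backup / "config.ini").unlink()
        bad = restore_drill(backup, manifest, root / "restore-bad", rto_seconds)
        return good, bad
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    healthy, damaged = demo()
    print("healthy backup:", healthy)
    print("damaged backup:", damaged)
```

Run it as-is and the first drill passes while the second reports one missing and one corrupted file. In practice the RTO would be the number the business owner commits to, and the measured recovery time of a real restore (not a file copy) is what tells you whether “two weeks” or “two hours” is the true answer.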

True story: We were invited in by a company who had ransomware twice but didn’t want to invest in proper disaster recovery. I asked the owner how long they could survive in the event of another hack or even if they had an old-fashioned equipment failure. The owner’s response: “Two weeks.”

He was adamant that the business would be fine for two weeks without their server. (Side note: their server was not in good shape and they ran some specialized software that was, to put it politely, “persnickety”.)

I should have run away from that prospective client, but I didn’t. About two months later, that software crashed hard, and they lost all of their data. We were able to get them running again and recover most of their information, but it took days and a few sleepless nights.

The entire time, the owner was furious because people couldn’t work and he couldn’t get paid. I had to gently remind him of the decision he’d made. We eventually fired that client, but I must admit that I am grateful for some of the stories we have from working with them.

Don’t settle for just having cyber security. Make your business cyber resilient so that when the unthinkable happens, you’re prepared. Not feeling so confident in your cyber resilience, or your cyber security? Sign up for a Confidential Cyber Security Risk Assessment to reveal where your company is at high risk from ransomware, hackers and cyber attacks: www.birmingham.ca/consult