Cybersecurity plans should center on resilience
Cybersecurity threats are still abundant — data breaches surged 20% from 2022 to 2023, and a March 2024 cyberattack on a large U.S. health care billing company had wide-reaching impacts. Meanwhile, artificial intelligence has opened the door for new threats, many still unimagined. Despite the scope and scale of these threats, many firms have become inured to the dangers while others simply don’t know where to focus their cybersecurity efforts.
No company can expect to have 100% protection against cyberattacks, no matter how much time, technology, and resources it invests in the challenge, according to Keri Pearlson, executive director of Cybersecurity at MIT Sloan.
The more realistic goal is cyber resilience — making sure a business can quickly respond to inevitable attacks by getting systems back up and running with minimal disruption. A resilient organization emerges from an attack relatively unscathed, with little to no data loss, impact to its financial health, or damage to its brand reputation.
Organizations must make cybersecurity a shared responsibility while putting strategies and mechanisms in place to promote cyber resilience. “It’s everyone’s job to be a little more vigilant today,” Pearlson said during a recent webinar hosted by MIT Sloan Executive Education. “It doesn’t mean you have to go figure out the next [security] software buy or how to stop the bad guys from coming in. There are appropriate activities that every single person in the organization can take.”
A plan for resilience
For organizations to hit their resilience goals, Pearlson recommends the following:
Focus on planning and testing. Resilience is all about preparation. Spend time anticipating cyberthreats and how and where potential events would have the most serious impact. Test business recovery plans in the context of cyber incidents, do tabletop exercises, and build processes to ensure instant recovery.
“The more you’ve practiced and gotten organizational processes and technologies ready, the more likely you can absorb the shock and get back to operations in a quick manner,” said Pearlson, who teaches executive education courses about cybersecurity leadership for non-technical executives and cybersecurity governance for boards of directors.
Change attitudes and beliefs. Employees must see cybersecurity as critical to an organization’s health. Pearlson said that instead of mandating actions, organizations should cultivate a security-oriented culture through storytelling, training, and incentives to foster desired behaviors.
Take a balanced scorecard/risk management approach. Pearlson recommends that companies apply a qualitative approach to resilience by examining potential risks and responses in the context of areas like compliance or supply chain risks. Organizations can use a cybersecurity framework from the National Institute of Standards and Technology that helps businesses identify, respond to, and recover from threats and establish governance and risk management practices.
Keep an eye on AI. Artificial intelligence holds both promise and peril for how organizations deal with cybersecurity risks and resilience. Generative AI and new technologies like quantum computing will power systems that more effectively identify and respond to threats. At the same time, new technologies will be weaponized for things such as deepfakes, poisoned data, or manipulated models. This in turn will require new cybersecurity processes and innovations.
Keep security top of mind. As businesses move forward, raising organizational awareness of cybersecurity threats must be a priority for everyone in and around the C-suite. “Bad guys thrive in the darkness, so if we shine the light on what we’re thinking and protecting, we can help our organizations be more resilient,” Pearlson said. “Understanding where the risk is coming from is the only way we’re going to manage that risk.”