Business resiliency boot camp – part I: The evolving cyber-threat landscape

By: Anyck Turgeon

There was a time when cybersecurity just meant keeping the bad guys out, but over time cyber-attacks have evolved and grown more sophisticated. As of September 2018, cybersecurity has been recognized by Secretary Nielsen as the #1 threat against the United States affecting organizations’ business continuity. While dealing with trillions of cyber-attacks daily, C-level decision-makers can unite under the banner of cyber resilience to address critical challenges like offering faster cyber incident recovery and finding ways to remain in business with the understanding that the attackers are already in—now what?

Insider threats

Insider threat is alive and well. According to white hat Dark Web professionals at Black Hat 2018, it appears that many hackers are certified professionals who operate as trusted time bombs and have already penetrated most organizations. Insider threat has given rise to an underground economy estimated to be equivalent to the GDP of the world’s sixth-largest nation. Cybercriminals with privileged access are currently benefiting from lucrative crypto-mining activities and, once they have finished depleting digital assets, will be ready to strike. Cyber-hacking monitoring organizations report that enterprises are plagued with insider threats who compensate themselves millions of dollars monthly at the enterprise’s expense.

Attacks are getting harder to spot

With the rise of this new underground economy, analysts report that six out of seven cyber-attacks go undetected. In its 2018 report on the cost of data breaches, the Ponemon Institute conveyed that fewer than 2% of organizations have a plan to respond to cyber incidents, and that organizations take an average of 69.5 days to contain a breach and 199 days to identify cyber-attacks. As crypto-mining environments get patched, it is important to implement various preventive and corrective measures (such as security micro-segmentation, end-to-end ID management and automated contextualization) to keep critical infrastructure going and deal with current and future insider threats.

Lethal IT/OT/IoT exposure

A new major trend that makes cyber resiliency more challenging than ever before is the weak security posture in operational environments and IoT devices, particularly with the Industrial Internet of Things (IIoT). Many of these environments are 20+ years old, were pushed out after performance testing (no security by design) and have never been updated or patched. As these environments are connected to IT environments and to the internet, they are becoming our deadliest and most destructive areas of concern. Cyber-resilience is all about keeping business going and offering business continuity solutions, so we need to consider IoT’s currently unpatched/unpatchable environment and employ pervasive security.

The good news is that technological advances benefit the good guys too. It is vital to implement end-to-end, integrated security for all devices (not just in traditional information technology environments) in a way that is orchestrated, intelligent, cognitive and automated.

Cybersecurity hiring (and firing!) practices

Talented cyber professionals aren’t easy to find. With an estimate of 3.5 million cybersecurity job openings by 2021, England echoed the United States’ need for cyber talent and announced upcoming hiring of 2,000 cyber professionals. According to the National Association of Software and Services Companies (NASSCOM), India is also going to need 1 million cybersecurity professionals by 2020 to meet the demands of its rapidly growing economy.

Even so… Counter-intuitive but true: High-tech security professionals and corporate executives/decision-makers are often fired as a result of a cyber-incident. This is like firing your fire-fighting department: the source of the confirmed cyber-event is most often not their fault and, given their knowledge of the environment, they are the best qualified to resolve issues most efficiently. In fact, firing your most talented cyber professionals actually opens up new vulnerabilities and the absence of timely decision-making capabilities just pleases hackers. Unless the individual in question was unequivocally part of the problem, ousting cybersecurity staff and decision-makers after a breach is not wise, especially given the industry talent shortage.

Successful cyber-criminals make more money selling access to your entire network of systems (including connected supplier and partner sites) and crown jewels like corporate trade secrets and intellectual property. Firing your cyber professionals 1) leaves your business without a knowledgeable fireman and 2) opens up room for artificial intelligence (AI)–based attacks that unfamiliar fire crews could not even imagine.

Corporate cyber-destruction

It was estimated by the Association of Certified Fraud Examiners (ACFE) that fewer than 25% of cyber-fraud cases reach any form of recovery, given hackers’ common practice of deleting trails. The latest wave of cyber-attacks, AI-based cyber-destruction, requires organizations to equip their IT, infrastructure, compliance and security departments to continuously prepare, test, respond and coordinate efforts. Prepare today by employing cyber solutions like runbooks, forensic-based recovery tools, trained communities and orchestrated workflows. Bring all critical corporate executives—including your heads of operations, IT, communications, security, legal and governance—along with your cyber team to third-party cyber ranges at least two to four times yearly. Spread cyber-knowledge and responsibilities across your entire community so that everyone becomes accountable for their contribution to your enterprise’s cyber-posture. Invest in continuously tested, orchestrated cyber resilience, as it is the key to corporate survival. Remember: cyber-prevention is much more cost-efficient and empowering than cyber-resolution.

Overwhelming proliferation of attacks

It only takes one attacker to be successful. As hackers grow more advanced, and as threats like the new zero-day attack (ZDI-18-1075 / ZDI-CAN-613) let them gain access to and cripple systems running any Windows operating system and most Microsoft products, businesses can no longer afford merely to try to prevent the cyber-tsunami at their doorstep.

As seen with the complex “Evil Twins” Triton attack as well as with the Ukraine shutdown, nation-state attacks are on the rise and have the capacity to create WW3-class destruction. In an era of encryption-breaking quantum computing systems, AI-powered attacks and vulnerable IoT devices, the number of daily threats has increased from billions to trillions and enterprises can no longer manually address every single threat.

Instead, government and corporate decision-makers must “comm-laborate” more closely to identify, prioritize and resolve the entire interconnected infection. All teams should aim to contribute to global Information Sharing and Analysis Organizations (ISAOs). To supplement and augment mutual cyber-aid programs, it is vital to revamp enterprise risk evaluations towards dynamic and intelligent analysis, real-time publishing through customized dashboards and automated contextualization.

As cognitive cyber analysis becomes necessary, cyber risk analysis should be continuous and go far beyond the standard two-level dimensions (typically impact and probability). In my experience, organizations performing with weighted multi-dimensional analysis and extended performance metrics see much better insights and are able to establish a more credible enterprise risk posture to insurers, bankers and shareholders. Be prepared for security and resiliency to transform in major leaps as we enter an era of global community sharing and intelligence.
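To make the contrast between a two-level (impact × probability) heat map and a weighted multi-dimensional analysis concrete, here is an added example (not code from the post or from IBM). The extra dimensions (detectability, recoverability, exposure), the weights and the four sample risks are all assumptions constructed for the illustration; the point it shows is that the same risk register can rank differently once the additional dimensions are weighted in.

```python
"""Weighted multi-dimensional cyber risk scoring versus impact x probability.

Added illustration, not code from the post or from IBM. Dimension names,
weights and the sample risks below are assumptions constructed for it.
"""
from dataclasses import dataclass

# Every dimension is scored 1-5; higher is worse for the enterprise.
# Beyond impact and probability, the dimensions are assumptions for this
# example: detectability (5 = hard to detect), recoverability (5 = hard
# to recover), exposure (5 = reachable from the internet / OT network).
DIMENSIONS = ("impact", "probability", "detectability", "recoverability", "exposure")

# Assumed weights; they sum to 1.0 so the weighted score stays on the 1-5 scale.
DEFAULT_WEIGHTS = {
    "impact": 0.30,
    "probability": 0.25,
    "detectability": 0.15,
    "recoverability": 0.15,
    "exposure": 0.15,
}


@dataclass(frozen=True)
class Risk:
    name: str
    scores: dict  # dimension name -> integer 1..5


def validate(risk: Risk) -> None:
    """Reject incomplete or out-of-range score sheets before scoring."""
    for dim in DIMENSIONS:
        value = risk.scores.get(dim)
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{risk.name}: {dim} must be an integer 1-5, got {value!r}")


def two_dimensional_score(risk: Risk) -> int:
    """Classic heat-map score: impact x probability, range 1-25."""
    validate(risk)
    return risk.scores["impact"] * risk.scores["probability"]


def weighted_score(risk: Risk, weights: dict = DEFAULT_WEIGHTS) -> float:
    """Weighted sum over all dimensions, range 1.0-5.0."""
    validate(risk)
    if set(weights) != set(DIMENSIONS) or abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must cover every dimension and sum to 1.0")
    return round(sum(weights[dim] * risk.scores[dim] for dim in DIMENSIONS), 2)


def rank(risks, scorer):
    """Names ordered from highest to lowest score; ties broken by name."""
    return [r.name for r in sorted(risks, key=lambda r: (-scorer(r), r.name))]


# Constructed sample register (not real assessment data).
SAMPLE_RISKS = [
    Risk("ransomware-on-file-servers",
         {"impact": 5, "probability": 4, "detectability": 2, "recoverability": 3, "exposure": 2}),
    Risk("insider-cryptomining",
         {"impact": 3, "probability": 4, "detectability": 5, "recoverability": 2, "exposure": 1}),
    Risk("unpatched-iiot-controller",
         {"impact": 4, "probability": 3, "detectability": 4, "recoverability": 5, "exposure": 5}),
    Risk("phishing-credential-theft",
         {"impact": 3, "probability": 5, "detectability": 3, "recoverability": 2, "exposure": 4}),
]


if __name__ == "__main__":
    print("impact x probability ranking:")
    for name in rank(SAMPLE_RISKS, two_dimensional_score):
        print(f"  {name}")
    print("weighted multi-dimensional ranking:")
    for risk in sorted(SAMPLE_RISKS, key=lambda r: -weighted_score(r)):
        print(f"  {risk.name}: {weighted_score(risk)}")
```

With the assumed weights, the unpatched IIoT controller, which the heat map ties for last place, moves to the top of the weighted ranking because it is hard to detect, hard to recover and widely exposed; that is the kind of shift a multi-dimensional view surfaces and a two-level view hides.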

Cyber incident recovery

The Ponemon Institute’s 2018 Cost of Data Breach Study – Impact of Business Continuity Management reports a 32% chance of a disruptive cyber incident within two years. It also reports that only 23% of organizations have a formal cybersecurity incident response plan (CSIRP). It is time for organizations to shift their plans for a cyber incident from if to when. Coordinated usage of security and recovery orchestration is vital in our increasingly interconnected world—which includes lots of cross-system dependencies. To best respond, corporate and external resources (like first-line responders) must be able to obtain SHA-hashed copies for forensics and e-discovery. Experts need to complete systems analysis. Cyber-threat hunters, networking professionals and law enforcement need to work with tracking technologies like deceptive honeypot technologies and network sniffers to catch the criminals. In parallel, disaster recovery/business continuity operation teams need to figure out which air-gapped copies to recover, and in which order, from immutable storage, while vulnerability experts focus on treating the quarantined deltas.
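Two of the recovery steps above are mechanical enough to show in code: comparing SHA-256 digests of the current system against a known-good manifest kept on immutable storage to isolate the deltas, and deciding the order in which to restore systems that depend on each other. The following is an added example, not code from the post or from IBM Resiliency Orchestrator; the file contents, manifest and dependency edges are constructed sample data.

```python
"""Hash-based delta detection and dependency-ordered recovery.

Added illustration, not code from the post or from IBM. (1) Compares a
SHA-256 manifest of the current system with a known-good manifest (the
copy that would live on immutable, air-gapped storage) and classifies each
path as unchanged, modified, added or deleted so the deltas can be
quarantined. (2) Orders recovery so every system is restored after the
systems it depends on. All sample data below is constructed.
"""
import hashlib
from collections import deque


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """files: path -> bytes. Returns path -> SHA-256 hex digest."""
    return {path: sha256_hex(content) for path, content in files.items()}


def find_deltas(known_good: dict, current: dict) -> dict:
    """Classify every path present in either manifest."""
    result = {"unchanged": [], "modified": [], "added": [], "deleted": []}
    for path in sorted(set(known_good) | set(current)):
        if path in known_good and path in current:
            bucket = "unchanged" if known_good[path] == current[path] else "modified"
            result[bucket].append(path)
        elif path in current:
            result["added"].append(path)
        else:
            result["deleted"].append(path)
    return result


def recovery_order(depends_on: dict) -> list:
    """Kahn's topological sort: each system comes after everything it depends on.

    depends_on: system -> list of systems it needs up first.
    Raises ValueError on a circular dependency, which cannot be recovered in sequence.
    """
    systems = set(depends_on) | {d for deps in depends_on.values() for d in deps}
    indegree = {s: 0 for s in systems}
    dependents = {s: [] for s in systems}
    for system, deps in depends_on.items():
        for dep in deps:
            indegree[system] += 1
            dependents[dep].append(system)
    ready = deque(sorted(s for s in systems if indegree[s] == 0))
    order = []
    while ready:
        system = ready.popleft()
        order.append(system)
        for dependent in sorted(dependents[system]):
            indegree[dependent] -= 1
            if indegree[dependent] == 0:
                ready.append(dependent)
    if len(order) != len(systems):
        raise ValueError("circular dependency: recovery order cannot be determined")
    return order


# Constructed sample data: a known-good snapshot and the post-incident state.
KNOWN_GOOD_FILES = {
    "/etc/app/config.yml": b"db_host: db01\nlog_level: info\n",
    "/opt/app/server.py": b"print('hello')\n",
    "/var/app/data.db": b"row1\nrow2\n",
}
CURRENT_FILES = {
    "/etc/app/config.yml": b"db_host: db01\nlog_level: off\n",  # tampered setting
    "/opt/app/server.py": b"print('hello')\n",                  # untouched
    "/tmp/unknown.bin": b"\x00\x01\x02",                        # unexpected new file
    # /var/app/data.db is missing: deleted during the incident
}
# Constructed dependency map: system -> systems that must be restored first.
DEPENDENCIES = {
    "web-frontend": ["app-server"],
    "app-server": ["database", "identity-provider"],
    "database": [],
    "identity-provider": [],
}


if __name__ == "__main__":
    deltas = find_deltas(build_manifest(KNOWN_GOOD_FILES), build_manifest(CURRENT_FILES))
    for kind, paths in deltas.items():
        print(f"{kind:9s} {paths}")
    print("recovery order:", recovery_order(DEPENDENCIES))
```

Unchanged paths can be restored in bulk from the immutable copy, while the modified, added and deleted buckets are the quarantined deltas that need forensic attention before anything is brought back online; the recovery order keeps the identity provider and database ahead of the tiers that depend on them.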


Buckle up, because we’re just getting started. Bookmark IT Biz Advisor and stay tuned for my next blog related to business continuity in this series, which will take a closer look at threats from within an organization. For more insights on cyber resilience, follow me on LinkedIn.

IBM solutions for cyber resilience range from maturity assessments to IBM Resiliency Orchestrator with nearly 500 pre-defined workflows. The latest two cyber incident recovery RALs enable cyber recovery experts to detect, monitor, repair and report on configuration and data delta changes. Questions? Schedule a consultation with an IBM Business Continuity Services expert today.

Ready to take the next step? IBM specialists help guide you in defining and documenting your business continuity, disaster recovery goals.


About The Author

Anyck Turgeon

Global Cyber-Resiliency & Security Evangelist

With more than 25 years of technology innovation and security expertise, Anyck Turgeon has served for the past 15 years as a Chief of Information (CIO), Execution (CEO), Marketing (CMO), Risk (CRO), Strategy (CSSO), Business Security (C-BISO & CISO) and management leader for public and private companies including IBM, M-CAT Enterprises, CoreClean Group, Crossroads Systems...