Your All-in-One AI-Powered Toolkit for Academic Success.

+13062052269

info@desklib.com

Available 24*7 on WhatsApp / Email

Company

Tools

Support

Achieving Cyber Resilience: A Company's Strategic Imperative

Verified

Added on 2019/11/08

AI Summary

Cyber resilience refers to the ability of an organization to anticipate, prevent, and recover from cyber-attacks. It involves three stages: strategy, design, and transition, operation, and continual improvement. The strategy stage sets the objectives and identifies critical assets, while the design stage selects controls, training, and procedures. The transition stage tests the controls, and the operation stage operates the controls with continued testing. Continual improvement involves evolving the strategy as technology evolves. To achieve cyber resilience, organizations must identify sensitive information, involve all stakeholders in the decision-making process, and share information among organizations. It also requires investing in training, conducting cyber drills, and complying with relevant security standards.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Cyber Security Resilience 1
CYBER SECURITY RESILIENCE
Author’s name
Course
Name of the professor
Name of the institution
Location of the institution
Date

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

Cyber Security Resilience 2
Abstract
Traditionally, companies were focused on mitigation of risks posed by cyber threats.
However, with the fast growth of technology, there is a need for measures to ensure
organizations survive and recover from attacks. This is cyber resilience which is a strategy that is
spear headed by the board but includes, the employees, suppliers, customers, partners. There are
various forms of attacks but findings of a research carried out indicate ransomware as a common
threat to cyber security in 2016 (Telstra Cyber Security Report 2017, 2017). The essay focuses
on the cyber resilience framework used in accordance with the ITIL service management
lifecycle. The recommendation is the all departments should be involved in the process and
information should be classified according to priority.
Contents

Cyber Security Resilience 3
Abstract.......................................................................................................................................................2
Introduction.................................................................................................................................................4
Methodology...............................................................................................................................................4
Findings.......................................................................................................................................................5
1. Threats.............................................................................................................................................5
2. Adoption of security protocols.........................................................................................................7
3. Framework.......................................................................................................................................7
Recommendations.......................................................................................................................................9
Conclusion.................................................................................................................................................11
References.................................................................................................................................................12

Cyber Security Resilience 4
Introduction
As the computer industry has evolved so have the security measures used to safeguard
data. To start with, there was computer security which involved limiting the level of access of
ordinary users to the level that enabled them to only perform their tasks. Information security
was the second aspect after users got personal computers and began innovating. The third term
was cyber security was developed after the introduction of the digital era. Nowadays, there is
cyber resilience that ensures that cyber security is implemented from the top level using the top
down approach. Using this strategy, cyber security is not solely the task of the Information
Technology (IT) department.
Due to an increase cybercrime, companies ought to start embedding resilience protocols
in their business models. This should be done through governance and management processes.
This is aimed at protecting information in business processes such as product development which
not only minimizes risk but also increases efficiency. According to a research carried out by
Telstra, Australian companies are recognizing the significance of involving all stakeholders in
cyber security (Telstra Cyber Security Report 2017, 2017). In addition, their research indicated
that the Information Technology (IT) department was held responsible for the security breaches
experienced in 2015 and 2016. However, their research also indicated that the blame has shifted
towards top level managers due to an increase from 19 percent in 2015 to 61 percent in 2016
(Telstra Cyber Security Report 2017, 2017). Moreover, there is a rise in the involvement of
executives in cyber security initiatives.
Methodology
The research carried out involved secondary data retrieved from the internet. One of the
sources was the Telstra Cyber Security report comprised of findings from a research carried out
by Frost & Sullivan. The online surveys conducted by Telstra gained 360 responses and 42

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

Cyber Security Resilience 5
percent were from Australia. Additionally, Telstra used data gathered from its security products
and partners. Majority of the results were derived from large organizations with more than five
hundred employees globally (Telstra Cyber Security Report 2017, 2017). The research focused
on the information technology sector, public sector and manufacturing and logistics respectively.
The other secondary sources did not involve research findings.
Findings
1. Threats
Threats can be categories in various ways. First, cybercrime where the aim is to acquire
financial rewards directly or indirectly. Second, cyber hackers that are motivated by a belief to
achieve a certain goal. Third, cyber espionage which is aimed at getting a strategic or economic
advantage. Fourth, business continuity management which includes natural disasters and
consequences of human error (Cyber Resilience Best Practices, n.d.). The nature of threats
varies depending on the forms of crimes and the tools used. For example, the forms may include,
manipulation, blackmail, and theft. On the other hand, the tools used may be malware, spyware,
ransomware, and devices (Telstra Cyber Security Report 2017, 2017). In some cases, such as
ransomware there are companies that sell these services (Cybersecurity: Threats, Challenges,
Opportunities, 2016).
To begin with, there is the ransomware which occurs when one is denied access to a
device until a ransom is paid. The most common is cryptoware which encrypts files and demands
payment to unlock them such as Cryptolocker. Another type is Ranscam where the exhorters
claim the file are encrypted while in reality they have been deleted (Cybersecurity: Threats,
Challenges, Opportunities, 2016). In such cases, ransom is not supposed to be paid since
companies have backups. However, companies choose to pay the ransom if the price is lower
than the cost of implementing the backed-up files and resuming normal operation. In some cases,

Cyber Security Resilience 6
the files are not recovered after payment because they can be sold to third parties or they had
been deleted.
In Australia, these attacks are common as aforementioned. In 2016, 24 percent of the
companies experienced this type of an attack and it took at most five hours to recover (Telstra
Cyber Security Report 2017, 2017). A vendor research revealed that along the Asian region
ransomware is the most downloaded tool of attack. This is because of the ease of availability on
the internet. As a result, only 40 percent of the Australian companies in the research did not
undergo such an attack. For those companies that paid the ransom, 33 percent failed to recover
their files. Some companies choose to pay the ransom to maintain their reputation.
Another form of threat is botnets. A bot is a device that is compromised, controlled
remotely and connected to the user such as a webcam. A collection of bots makes up a botnet.
With a large number of botnets, one can carry out a distributed denial of service attack such as
the attack on the website of the Australian Bureau of Statistics Ecensus in 2016 (Cybersecurity:
Threats, Challenges, Opportunities, 2016). Denial of service attacks occur when many messages
are sent to a website making normal operation to halt. On the other hand, distributed denial of
service attack occurs when many devices are used to deliver this attack (Cybersecurity: Threats,
Challenges, Opportunities, 2016).
Phishing is form of attack that occurs when a user clicks on a malicious link in an email
that had posed as a trusted message and malware is downloaded and executed. An example is a
fake shopping invoice phishing for credit card information. Spear phishing attack is when an
email targets a certain member of an organization based on research carried out mainly through
social media. Another term that is used is whaling which occurs when a phishing attack targets a

Cyber Security Resilience 7
top senior executive (Telstra Cyber Security Report 2017, 2017). Generally, these forms of
attack are can be grouped as social engineering attacks (Cyber Resilience Best Practices, n.d.).
2. Adoption of security protocols
The findings revealed that most companies use various security measures such as access
controls. They also use guidelines from the Australian Prudential Regulation Authority and
Australian Cyber Security Center (Telstra Cyber Security Report 2017, 2017). Mainly, audits are
conducted and assist in the formulation of policies on cyber security. There was also an increase
in the number of board briefing meetings conducted by companies within a month. These board
meetings checked on the effectiveness and efficiency of the security measures being used by the
companies. This is proof that many companies are involving the top management in cyber
security initiatives.
However, there are vital security measures that majority of the companies do not
implement. The findings revealed that majority of Australian companies do not conduct cyber
drills (Telstra Cyber Security Report 2017, 2017). Cyber security drills are useful for testing the
response and continuity plans in case an attack occurs. Further, most companies do not adopt the
Payment Card Industry Security Standards which are required to avoid security breaches for
those who accept credit cards. This was attributed to lack of awareness, outsourcing of this
function and the lack of use by the majority. Finally, there was also a small percentage of
companies that failed to check the authenticity of the information provided by their vendors.
3. Framework
Cyber resilience is used to ensure the company is able to continue meeting its objectives.
This means that the measures employed must be aligned to the objectives. The framework
outlined is in the Cyber Resilience Best Practices and is based on the ITIL service management

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

💎 Get Pro

Cyber Security Resilience 8
lifecycle (Cyber Resilience Best Practices, n.d.). This approach was developed in 1989 and has
continued to deliver effective IT services. This framework can also be used by companies that do
not use ITIL in IT service management. The elements of this cyber resilience are clear ownership
and responsibility for it by the board and tailored training for the employees. as a result, the
company’s critical assets and key threats are identified and communicated. The company is also
able to assess its cyber resilience strategy.
There are also control measures that a company must employ to maintain balance in
cyber resilience. The first are preventive controls which are used to prevent incidences that lead
to attacks. The second are detective controls that are used to indicate when such incidences
occur. The third are corrective controls that respond and correct such incidences. The selection of
the right balance depends on the ability of the company to deliver services, maintain customer
convenience and mitigate risks. The design and implementation of these controls is done based
on the management system the company uses. For example, there is the strategy, design,
transition, operation and continued improvement used by ITIL (Cyber Resilience Best Practices,
n.d.).
The first stage of the cycle is the strategy. Here, the objectives of the company are clearly
defined and understood so all the activities that follow are based on them. Then, the critical
assets that are information, systems and services are identified. These assets include those that
are essential to the stakeholders. The threats and risks that these assets face are also outlined. The
second stage is the design. The design is done based on the strategy that was set up. The
selection of the appropriate controls, training, and procedures is done. Moreover, the levels of
authority for different personnel is identified so everyone knows who has the power to do what
(Cyber Resilience Best Practices, n.d.).

Cyber Security Resilience 9
The third stage is transition where the operation of the controls is tested. This is where
the detection occurs since the company through testing knows when an asset is not right through
an accident or malicious action. There is also detection of where the attack came from that is
internal or external. The fourth stage is operation where controls are operated (Cyber Resilience
Best Practices, n.d.). It involves continual testing of the controls, the readiness of a company to
respond to attack, minimize the effects and provide the solution within the required time span.
The last stage is continual improvement where the strategy must evolve as technology evolves. It
must also redefine the whole process once an attack occurs so as to learn from it.
Recommendations
In order to achieve cyber resilience, the company must identify the types of information it
holds and determine what types need to be protected depending on how important the
information is. There is sensitive information in every company that must remain confidential
such as commercial agreements. For other companies, the integrity of the information is what
matters most. Therefore, companies should not aim to protect all information with the same level
of security measures. In such cases, there may be some compromises to be made. The decision-
making process should involve all stakeholders not only the IT department. In fact, there should
be a system where the ownership of information assets is given to those departments that heavily
rely on the information. For example, customers’ personal information’s security measures are
best identified by the sales and marketing department (Cyber Resilience Best Practices, n.d.).
Cyber resilience requires the active participation of other departments. This requires the
involvement of the board to oversee this transitioning. In addition, the risk management process
but be aligned with the control measures implemented in the cyber resilience practices (Cyber
Resilience Best Practices, n.d.). For an effective cyber resilience practice, all stakeholders such
as customers, suppliers, and partners must be involved. For example, to implement controls, the

Cyber Security Resilience 10
procurement department must cooperate to determining the cyber resilience requirements for
different suppliers. Similarly, the handling of client information requires the cooperation of the
sales and marketing department especially when the information is shared with suppliers.
Cyber resilience can also be implemented through sharing of information among
organizations. For example, companies can unite and share information about common security
threats and attacks (Cyber Resilience Best Practices, n.d.). This can assist those companies that
have not been affected to update their security measures. The information shared can also
provide the solution on how to detect and remedy such incidences. It can also provide a forum
where businesses can acquire training on state of the art technology to handle cybercrime. The
government can also formulate standardized policies that must be met to enhance security.
Cyber resilience depends on people, processes and technology. The company must
provide training to create awareness among employees, suppliers, partners, and customers. This
is to ensure security is maintained for all types of information. In the design and implementation
of the company, the culture of the company must be considered (Cyber Resilience Best Practices,
n.d.). This is because the processes of an organization are governed using clear set rules or loose
guidance. The designs chosen should not affect the performance of the company. In regards to
technology, the technology and security measures used should cut across different departments
and stakeholders.
To maintain resilience the company should not only employ various detection and
response technologies but also invest in conducting cyber drills. In fact, if those strategies are not
tested they are bound to fail. Testing is beneficial for the organization since it needs to use some
resources to cater for a threat that has occurred while ensuring all other resources are geared
towards providing products and services as before. Therefore, the continuity plans of the

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

💎 Try AI Paraphraser

Cyber Security Resilience 11
organization are vital in case of an attack. If the company uses credit and debit card information
it must comply with the PCI security standards (Telstra Cyber Security Report 2017, 2017).
Conclusion
Conclusively, generally, the policies and frameworks adopted must meet the company’s
requirements and be aligned with the objectives. As aforementioned, sensitive information is
being shared between the business and its partners. This has necessitated the need to include all
stakeholders in the cyber resilience practices to achieve efficiency and effectiveness. Companies
need to work together with the government to create policies that enhance cyber resilience.
Finally, the company should reinvent its business practices to keep up with technological
advances and cyber resilience practices.

Cyber Security Resilience 12
References
Cyber Resilience Best Practices. (n.d.). [ebook] pp.4-19. Available at:
https://www.tsoshop.co.uk/gempdf/RESILIA_Cyber_Resilience_Best_Practices.pdf
[Accessed 9 Sep. 2017].
Cybersecurity: Threats, Challenges, Opportunities. (2016). Australian Cyber Security, pp.8-44.
Telstra Cyber Security Report 2017. (2017). Telstra Corporation Limited, pp.4-30.

1 out of 12

+13062052269

info@desklib.com

Achieving Cyber Resilience: A Company's Strategic Imperative

Contribute Materials

Secure Best Marks with AI Grader

Paraphrase This Document

Secure Best Marks with AI Grader

Paraphrase This Document

Related Documents

Cyber Security and Resilience: A Report for the Board of the Company

Cyber Resilience Report

Cyber Security Essentials for Students

Network Security and Types of Security Threats and Attacks in Information Technology

System Security Assessment using Vulnerability Repositories

Computer Data Breaches10 RECENT COMPUTER DATA Breaches AND SOLUTIONS