It might sound suspiciously like yet another tech buzzword, but there’s a lot of talk right now from organisations such as the World Economic Forum about the need for a new level of "cyber resilience" that goes beyond basic cyber security.
So what is it? Essentially, cyber resilience is a discipline that brings information security and business continuity together to help organisations plan for what will happen both during and after a cyber attack. In other words, it doesn’t just look at potential points of weakness in your networks and systems, but also involves creating a business-wide strategy that deals with both the immediate impact and the aftermath.
The problem is that most organisations aren’t currently planning in this way and they frequently suffer damage to their operations and reputations as a result. You only have to look at what happened to many hospitals, councils and businesses in the wake of the WannaCry cyber attack to understand what can happen when proper planning isn’t in place.
If you work in a charity that provides health or social care services, you can easily see how this kind of event could have a similar impact on your services, particularly as more services move online.
So, yes, in answer to the question in our headline above, cyber resilience is something charities definitely need to think about, and probably sooner rather than later.
The most important thing to say about getting started is that it doesn’t mean investment in a whole load of new technology. What it does mean, rather, is that technology needs to be released from its traditional silo and become the responsibility of many more people than the IT team.
This chimes with what we’ve been saying generally about IT for some time now, particularly with regard to digital. To make a digital transformation really work, you need to involve everyone in the business, from HR to finance, to get them to fully understand how technology can help them to revolutionise and replace old manual processes.
It’s the same with cyber resilience. If you want to be truly resilient, cyber security shouldn’t be a task for IT alone. In many cases, people in all sorts of roles are specifying and choosing their own technology these days anyway. They need to take more responsibility for protecting it accordingly.
Usually the best place to start is with a thorough audit of where you are now and what the potential risks are should you suffer a truly disruptive cyber attack. This should involve all key stakeholders.
After that critical first step, there are a number of things you can do to start encouraging the whole organisation to become more cyber resilience-focused. These include security awareness sessions for all non-IT staff involved in digital projects. In addition, it’s a good idea to provide regular, easy-to-understand "threat" updates that reinforce the importance of security in all services. You should also look to create a business-focused framework for cyber resilience that helps all staff to understand security in the context of business continuity and your most critical services and operations.
We don’t want to oversimplify this, because any kind of cyber-related risk is a complex and ever-evolving thing. But if you do choose to take these steps, you are much more likely to be in a position where you’ve gone beyond the limitations of pure IT planning and you’re making cyber risk-evaluation a normal part of business strategy. If that happens, it can only be a good thing.
James Mulhern is chief information security officer at Eduserv, a not-for-profit provider of IT, digital and web development services.