What is the difference between a firm that is resilient against cyber threats and one that is vulnerable? What strategies and technologies ensure that a company can continue its day-to-day operations even as it faces a growing list of cyber threats?
When my team started compiling research to develop PwC’s latest Digital Trust and Insights report, we hoped to answer these questions. We expected to find differences between businesses that are resilient and those that are not, but we were surprised to see the stark differences in the actions and strategies taken by the two groups.
Resilient companies do three things differently
Our research, which included surveying more than 3,500 business and IT leaders in the U.S. and throughout the world, showed that organizations large and small, pressed to evolve in the digital age, have been motivated to renovate their business strategies for digital resilience.
Firms that showed a high level of resiliency scored in the top 25 percent in three areas related to developing resilience strategies. Fundamentally, their emphasis on “resilience by design” put this group far ahead of the rest.
Consider these findings from our research on what sets this group apart, including increased visibility into risks, proactive testing, and prioritizing adaptability.
1. Improve visibility of data assets
Resilient companies consistently track how their data assets and existing processes are impacting the core of their business. That capacity, we were fascinated to learn, marks the most striking difference between the high-resilience group and the rest.
In fact, 91 percent of high-resilience companies maintain an accurate inventory of assets and refresh it on a rolling basis, compared to just 47 percent of stragglers.
Furthermore, it’s critical that this inventory accounts for work with third parties, especially if your business works with a range of vendors. Several retailers learned this lesson the hard way when the chat services vendor they used for their customer service function was recently compromised by hackers.
Luckily, companies on the wrong side of the resilience divide can take steps to catch up. By automating a real-time asset inventory and mapping the process for ongoing accurate visibility across the network, organizations with low resilience can begin to overcome their vulnerabilities.
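The rolling, automated inventory described above can be reduced to a reconciliation loop: pull what the organization believes it owns, compare it with what is actually observed on the network, fold in third-party assets, and flag the gaps. The following is an added example written for this page, not tooling from PwC or the report; the CMDB export, discovery sweep, vendor list and the 30-day staleness threshold are all constructed sample data.

```python
"""Rolling asset-inventory reconciliation (added example; constructed data).

Three feeds stand in for real sources: a CMDB export, a network-discovery
sweep, and the list of third-party (vendor-operated) assets. The reconciler
reports assets seen on the network but absent from the inventory, records
that have gone stale, records with no accountable owner, and a coverage ratio.
"""
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample feeds. A real run would read a CMDB API, a scanner
# export and vendor onboarding records instead of these literals.
CMDB = [
    {"id": "web-01", "owner": "ecommerce", "last_seen": "2024-03-01T08:00:00Z"},
    {"id": "db-01", "owner": "ecommerce", "last_seen": "2024-03-01T08:00:00Z"},
    {"id": "legacy-ftp", "owner": "unknown", "last_seen": "2023-11-15T08:00:00Z"},
]
DISCOVERED = ["web-01", "db-01", "shadow-box-7"]  # hosts observed in today's sweep
THIRD_PARTY = [  # vendor-run assets that still sit inside the business process
    {"id": "chat-widget", "vendor": "ExampleChatCo", "owner": "customer-service"},
]
NOW = datetime(2024, 3, 2, 9, 0, tzinfo=timezone.utc)  # constructed "current time"
STALE_AFTER = timedelta(days=30)  # assumed policy: records older than this are stale


def parse_ts(value):
    """Parse the inventory's UTC timestamp string into an aware datetime."""
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)


def reconcile(cmdb, discovered, third_party, now=NOW, stale_after=STALE_AFTER):
    """Compare inventory records against the discovery sweep and vendor list.

    Returns a report dict; 'inventory' is the refreshed, merged record set
    that would be written back as the new rolling baseline.
    """
    known = {a["id"]: a for a in cmdb}
    seen = set(discovered)

    unknown = sorted(seen - known.keys())             # on the wire, not in the CMDB
    not_seen = sorted(known.keys() - seen)            # in the CMDB, absent from sweep
    stale = sorted(a["id"] for a in cmdb
                   if now - parse_ts(a["last_seen"]) > stale_after)
    unowned = sorted(a["id"] for a in cmdb + third_party
                     if a.get("owner") in (None, "", "unknown"))
    coverage = len(seen & known.keys()) / len(seen) if seen else 1.0

    # Rolling refresh: every record observed this sweep gets a fresh last_seen.
    refreshed = []
    for record in cmdb:
        updated = dict(record, type="internal")
        if record["id"] in seen:
            updated["last_seen"] = now.strftime(TS_FMT)
        refreshed.append(updated)
    # Third-party assets join the same inventory, tagged so the vendor
    # dependency stays visible alongside internal hosts.
    merged = refreshed + [dict(t, type="third-party") for t in third_party]

    return {
        "unknown": unknown,
        "not_seen": not_seen,
        "stale": stale,
        "unowned": unowned,
        "coverage": coverage,
        "inventory": merged,
    }


if __name__ == "__main__":
    report = reconcile(CMDB, DISCOVERED, THIRD_PARTY)
    for key in ("unknown", "not_seen", "stale", "unowned"):
        print(f"{key:>9}: {report[key]}")
    print(f" coverage: {report['coverage']:.0%} of observed hosts are inventoried")
```

Run on the constructed data, the report flags `shadow-box-7` as an unknown host, `legacy-ftp` as both stale and unowned, and a 67% coverage ratio; the merged inventory carries the vendor's chat widget as a typed record so that a compromise at the vendor can be traced to the business function it serves.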
2. Test your tolerance
Resilient companies purposefully look at the big picture and recognize their tolerance level for handling dicey situations. When facing disruption to their critical business operations during a cyber-attack, we discovered that less than one-third of the enterprises were able to defend themselves from attacks using impact tolerance. The rest, especially the largest organizations surveyed, put their critical business services in jeopardy.
Early this year, my team put together a phishing attack simulation for the mid- and large-size Fortune 500 companies and fintech firms to test the companies’ defensibility. The results were astonishing: 12 percent of banking and 8 percent of fintech employees clicked on the phishing link and could have become (costly) victims of ransomware.
By identifying critical business services, defining impact tolerances into specific metrics, testing the impact tolerances, and mapping impact tolerances to business services, companies can gear up for fishy incoming threats.
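The four steps just listed (identify critical services, express tolerances as metrics, test them, map them to services) can be exercised with a small model: each service carries a maximum tolerable outage and a list of the IT assets it depends on, a disruption scenario assigns an outage duration to each affected asset, and the evaluation shows which services would breach their tolerance. This is an added illustration, not PwC's methodology or any tool from the report; the service catalogue, tolerances and scenario are constructed, and the propagation rule (a service is down for as long as its longest-down dependency, with no redundancy assumed) is a simplifying assumption.

```python
"""Impact-tolerance check for critical business services (added example).

Constructed catalogue: each service has a tolerance (max outage in minutes,
or None if the business has not yet defined one) and the assets it depends on.
"""

SERVICES = {  # constructed sample catalogue
    "card-payments": {"tolerance_minutes": 30,  "depends_on": ["payment-gateway", "core-db"]},
    "customer-chat": {"tolerance_minutes": 240, "depends_on": ["chat-widget"]},
    "reporting":     {"tolerance_minutes": None, "depends_on": ["core-db"]},
}

# Constructed disruption scenario from a tabletop exercise: minutes each
# asset is unavailable. Assets not listed are assumed unaffected.
SCENARIO = {"core-db": 45, "chat-widget": 120}


def service_outage(depends_on, scenario):
    """Assumed propagation rule: a service is down for as long as its
    longest-unavailable dependency (no redundancy modelled)."""
    return max((scenario.get(asset, 0) for asset in depends_on), default=0)


def evaluate(services, scenario):
    """Test each service's measured outage against its defined tolerance."""
    results = {}
    for name, svc in services.items():
        outage = service_outage(svc["depends_on"], scenario)
        tolerance = svc["tolerance_minutes"]
        # Which dependency drove the outage, so remediation is actionable.
        driver = max(svc["depends_on"], key=lambda a: scenario.get(a, 0), default=None)
        if tolerance is None:
            status = "tolerance-undefined"   # step 2 of the process was skipped
        elif outage > tolerance:
            status = "breached"
        else:
            status = "within-tolerance"
        results[name] = {
            "outage_minutes": outage,
            "tolerance_minutes": tolerance,
            "status": status,
            "driver": driver if outage > 0 else None,
        }
    return results


def asset_recovery_targets(services):
    """Map tolerances back onto assets: each asset must be restorable within
    the tightest tolerance of any service that depends on it."""
    targets = {}
    for svc in services.values():
        tol = svc["tolerance_minutes"]
        if tol is None:
            continue
        for asset in svc["depends_on"]:
            targets[asset] = min(tol, targets.get(asset, tol))
    return targets


if __name__ == "__main__":
    for name, r in evaluate(SERVICES, SCENARIO).items():
        print(f"{name:>14}: {r['status']:<20} outage={r['outage_minutes']}m "
              f"tolerance={r['tolerance_minutes']} driver={r['driver']}")
    print("asset recovery targets:", asset_recovery_targets(SERVICES))
```

With the constructed scenario, `card-payments` breaches its 30-minute tolerance because `core-db` is down for 45 minutes, `customer-chat` survives a two-hour vendor outage within its 240-minute tolerance, and `reporting` is flagged for having no tolerance defined at all. The reverse mapping tells the infrastructure team that `core-db` and `payment-gateway` need a 30-minute recovery target while the vendor's chat widget can be held to 240 minutes.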
3. Be adaptable and keep refining
Resilient companies continuously evolve their business strategies. By adopting and executing the first two strategies, organizations are fundamentally in the high-resilience league. However, when facing the rapid development of technology, we found that only 34 percent of highly resilient companies are adaptable to the changes.
According to the White House Council of Economic Advisers, cyberattacks could cost the U.S. economy more than $100 billion a year. Hackers particularly favor attacking the financial services industry, which could destabilize financial markets, global payment systems, and even the entire economy. Technology advancements such as mobile payments and peer-to-peer money transfer have further accelerated the industry’s vulnerability.
To ensure all-around protection, one-third of all highly resilient firms refine their resiliency as their organizations adopt new technologies. These firms often leverage a dedicated team to monitor performance of core assets and IT dependencies and can quickly and consistently redesign business services via lessons learned from disruptions caused by cyber issues.
Resilience by design: The next frontier
Shifting from a traditional disaster recovery/business continuity model to resilience by design is not an overnight task. It often takes the stimulus of regulatory pressure or a significant crisis for companies to take the first step.
But we have witnessed enterprises successfully improve their resilience by creating a platform for a real-time view of prioritized processes and adopting automation, analytics, and visualization for critical business services and IT assets.
These high-resilience companies not only spare themselves costly financial losses, but also ensure that their business and customer services remain at peak performance – regardless of cyber threats.
Resilient companies have stopped using Windows and are no longer vulnerable to ransomware. Period. Full Stop.
I challenge anyone to provide an example where a non-Windows user clicked on a browser link or opened an e-mail, which ran a script, which encrypted the whole damn network.