With over 50% of UK businesses and 32% of charities reported to have experienced a cyber-attack in the last 12 months, it’s more important than ever for organisations to consider their cyber security measures.
From ransomware to phishing attacks, the adverse effects of these threats can have severe consequences - not just on IT systems, but on the core business outputs that drive success. The key to ensuring cyber resilience lies in understanding and managing these risks in a way that aligns with the critical business outputs and objectives.
A cyber-resilient organisation doesn’t just focus on preventing attacks; it also withstands them, responds to them efficiently and, importantly, recovers from them with minimal disruption to business outputs.
To achieve this, the central focus must be risk: identifying and categorising business-critical assets, understanding which threats are most likely and which could cause the most impact, and then mapping these back to the operations that keep the business moving.
One common pitfall is treating cyber resilience as merely a technical exercise. It’s easy to focus on elements like firewalls, encryption or access controls. However, these controls only truly matter when they are tied to a larger question: how will a cyber threat impact the organisation’s ability to deliver its core functions?
Importantly, this will also allow an organisation to prioritise resources towards the high-likelihood/high-impact risks first.

Frameworks and standards such as the NIST Cybersecurity Framework (CSF) and ISO 27001, together with knowledge bases such as MITRE ATT&CK, provide valuable guidance on building a well-rounded cyber security posture. These resources help to ensure that organisations cover essential areas including identifying assets, detecting threats and responding to incidents. NIST CSF 2.0, for example, outlines six core functions: govern, identify, protect, detect, respond and recover.
A common mistake is trying to implement every control outlined without consideration for the organisation’s unique risk appetite or resource limitations. An exhaustive approach might not always be feasible due to constraints in time, cost and quality. For example:
Resource constraints: Implementing every outcome described in the NIST CSF might not be possible for small businesses with limited cyber security budgets.
Operational trade-offs: Certain controls, such as stringent access controls, may slow down operations or impact performance, potentially disrupting critical business outputs.
Instead, as with the overall approach above, implementing these frameworks needs to be risk-based. By identifying the most significant risks to the business, relevant controls can be selected that directly mitigate those risks.
At Inzpire, we help organisations identify and quantify their risks, presenting a view that the organisation, and particularly its non-specialists, can understand, so that they can improve their resilience to a cyber event.
Let’s consider a financial services company that provides online banking and investment services to its customers. The key business outputs are likely to be:
The availability of the online platform
The integrity of financial transactions
The protection and confidentiality of personal customer data
Using a risk-based approach, the company would:
Identify critical business functions: Recognise that the availability of the online banking platform, ensuring accurate financial transactions, and protecting sensitive customer information are essential to operations and customer trust.
Map key functions to critical assets and information flows: Identify the systems and services that enable these key activities so they can be prioritised for protection.
Map risks to business functions: Evaluate cyber risks that could impact these functions, such as denial of service (DoS) attacks that could bring down the online platform, account compromise resulting in fraudulent transactions, and data breaches that expose personal and financial information.
Identify and prioritise controls: Instead of implementing all available controls, the company would tailor their implementation, for example by deploying DoS mitigation services to ensure platform availability, multi-factor authentication to secure user accounts, and encryption to safeguard customer data.
Monitor and adjust: Continuously monitor the effectiveness of these controls, ensuring that they are actually reducing risk and not just documented to satisfy company governance. Changes to key business functions, as well as new vulnerabilities, should also be monitored, since either can move a risk back above the organisation’s appetite.
By prioritising these actions based on risk, the financial services company ensures that its core business — delivering secure and reliable financial services to customers — remains resilient, even in the face of cyber threats.
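The five steps above can be made concrete as a small risk register. The following is an added illustration written for this article, not Inzpire’s own tooling or method: the risks, business functions, 1-5 likelihood and impact scales, control costs and the fraction of risk each control removes are all constructed values chosen to match the banking example. Inherent risk is scored as likelihood times impact, controls are selected greedily by risk reduction per unit cost until a constructed budget is spent, and the final report lists any business function whose worst residual risk still exceeds the stated appetite, which is exactly what the "monitor and adjust" step is meant to catch.

```python
"""Risk-based control selection for the online-banking example.

Added illustration for this article (not Inzpire's tooling). All risks,
scales, costs and mitigation fractions below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    function: str      # business function the risk threatens
    likelihood: int    # constructed 1 (rare) .. 5 (almost certain)
    impact: int        # constructed 1 (negligible) .. 5 (severe)

    @property
    def inherent(self) -> int:
        """Inherent risk score before any control is applied (max 25)."""
        return self.likelihood * self.impact


@dataclass
class Control:
    name: str
    cost: int                    # constructed relative cost units
    mitigates: dict[str, float]  # risk name -> fraction of that risk removed


# Constructed risk register mapped to the three business outputs in the article.
RISKS = [
    Risk("DoS against online platform", "availability", 4, 5),
    Risk("Account takeover -> fraudulent transactions", "integrity", 4, 4),
    Risk("Breach of customer data store", "confidentiality", 3, 5),
    Risk("Defacement of marketing site", "availability", 2, 1),
]

# Constructed control catalogue; mitigation fractions are assumptions.
CONTROLS = [
    Control("DoS mitigation service", 3, {"DoS against online platform": 0.7}),
    Control("Multi-factor authentication", 2,
            {"Account takeover -> fraudulent transactions": 0.8}),
    Control("Encrypt customer data at rest", 2,
            {"Breach of customer data store": 0.5}),
    Control("Transaction anomaly monitoring", 4,
            {"Account takeover -> fraudulent transactions": 0.4,
             "Breach of customer data store": 0.2}),
    Control("WAF for marketing site", 2, {"Defacement of marketing site": 0.9}),
]


def residual_scores(risks, controls):
    """Residual score per risk after applying each control's reduction
    multiplicatively (two controls on one risk do not double-count)."""
    residual = {r.name: float(r.inherent) for r in risks}
    for c in controls:
        for rname, frac in c.mitigates.items():
            if rname in residual:
                residual[rname] = round(residual[rname] * (1 - frac), 4)
    return residual


def select_controls(risks, controls, budget):
    """Greedy prioritisation: repeatedly add the affordable control that buys
    the largest drop in total residual risk per unit cost."""
    chosen, remaining, pool = [], budget, list(controls)
    while True:
        current = sum(residual_scores(risks, chosen).values())
        best, best_ratio = None, 0.0
        for c in pool:
            if c.cost > remaining:
                continue
            new_total = sum(residual_scores(risks, chosen + [c]).values())
            ratio = (current - new_total) / c.cost
            if ratio > best_ratio:
                best, best_ratio = c, ratio
        if best is None:          # nothing affordable still reduces risk
            return chosen
        chosen.append(best)
        pool.remove(best)
        remaining -= best.cost


def functions_above_appetite(risks, controls, appetite):
    """Business functions whose worst residual risk still exceeds appetite."""
    residual = residual_scores(risks, controls)
    worst = {}
    for r in risks:
        worst[r.function] = max(worst.get(r.function, 0.0), residual[r.name])
    return {f: s for f, s in worst.items() if s > appetite}


if __name__ == "__main__":
    picked = select_controls(RISKS, CONTROLS, budget=7)
    print("Selected:", [c.name for c in picked])
    print("Still above appetite:", functions_above_appetite(RISKS, picked, 6))
```

With a budget of 7 the greedy pass picks MFA, then DoS mitigation, then encryption at rest, and leaves the low-impact marketing-site risk untreated; confidentiality still sits above an appetite of 6, so that residual must be either further treated or explicitly accepted rather than left as an undocumented gap.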

Building a cyber-resilient organisation means understanding the organisation’s cyber landscape, the threats that could disrupt business-critical operations, and managing those risks in a way that aligns with your overall strategy and risk appetite.
Frameworks like NIST CSF play an important role in guiding the process, but they are just that: guides. Cyber resilience isn’t about ticking every box in a framework; it’s about ensuring that your resources are focused on protecting the core business outputs that matter most. At Inzpire, we can support you with any element of this, from initial risk identification all the way through to operating securely within the framework of your choice.