Cyber Awareness Month: Building a cyber resilient organisation
17 Oct 24
Cyber Security
With over 50% of UK businesses and 32% of charities reported to have experienced a cyber-attack in the last 12 months, it’s more important than ever for organisations to consider their cyber security measures.
From ransomware to phishing attacks, the adverse effects of these threats can have severe consequences - not just on IT systems, but on the core business outputs that drive success. The key to ensuring cyber resilience lies in understanding and managing these risks in a way that aligns with the critical business outputs and objectives.
A cyber-resilient organisation doesn’t just focus on preventing attacks; it protects itself from them, responds to them efficiently, and, importantly, recovers from them in a manner that ensures minimal disruption to business outputs.
To achieve this, the central focus must be risk: identifying and categorising business-critical assets, understanding which threats are most likely and could cause the most impact, and then mapping these back to the operations that keep the business moving.
One common pitfall is treating cyber resilience as merely a technical exercise. It’s easy to focus on elements like firewalls, encryption, or access controls; however, these controls only truly matter when they are tied to a larger question: how will a cyber threat impact the organisation’s ability to deliver its core functions?
Importantly, this will also allow an organisation to prioritise resources towards the high-likelihood/high-impact risks first.
Frameworks and standards such as the NIST Cybersecurity Framework (CSF), ISO 27001, or MITRE ATT&CK will provide valuable guidance on creating a well-rounded cybersecurity posture. These resources help to ensure that organisations cover essential areas including identifying assets, detecting threats and responding to incidents. NIST CSF 2.0, for example, outlines core functions — govern, identify, protect, detect, respond and recover.
A common mistake is trying to implement every control outlined without consideration for the organisation’s unique risk appetite or resource limitations. An exhaustive approach might not always be feasible due to constraints in time, cost and quality. For example:
Instead, as with the overall approach above, implementing these frameworks needs to be risk-based. By identifying the most significant risks to the business, relevant controls can be selected that directly mitigate those risks.
At Inzpire, we help organisations by identifying their risks and working with them to quantify them, presenting a view that the organisation, particularly non-specialists, can understand - allowing them to improve their resilience to a cyber event.
Let’s consider a financial services company that provides online banking and investment services to its customers. The key business outputs are likely to be:
Using a risk-based approach, the company would:
By prioritising these actions based on risk, the financial services company ensures that its core business — delivering secure and reliable financial services to customers — remains resilient, even in the face of cyber threats.
Building a cyber-resilient organisation means understanding the organisation’s cyber landscape, the threats that could disrupt business-critical operations, and managing those risks in a way that aligns with your overall strategy and risk appetite.
Frameworks like NIST CSF play an important role in guiding the process, but they are just that — guides. Cyber resilience isn't about ticking every box in a framework; it’s about ensuring that your resources are focused on protecting the core business outputs that matter most. At Inzpire, we can support you with any element of this, from initial risk identification all the way through to operating securely within the framework of your choice.