Getting a grip on cyber resilience

Cyber resilience is about being prepared for attacks rather than assuming 100% security is possible

Cyber resilience is becoming more critical in the public sector. The Government Cyber Security Strategy: 2022 to 2030 requires all Whitehall departments to undergo annual independent audits of their resilience credentials and adjust accordingly. Additionally, there is a police-led network of cyber resilience centres helping local public bodies and SMEs ensure they have adequate people and processes in place.

To understand what cyber resilience looks like in practice, PublicTechnology and Rubrik hosted a webinar discussion with a panel of expert speakers from academia, law enforcement and the private sector to explore some of the challenges in achieving cyber resilience, particularly in the public sector context. Chaired by PublicTechnology editor Sam Trendall, the panel included the detective superintendent for West Midlands Police, Vanessa Eyles, who is also the director of the Cyber Resilience Centre for the West Midlands, Muttukrishnan Rajarajan, a professor of security engineering and director of the Institute for Cybersecurity at City University London, and Richard Cassidy, field CISO EMEA for Rubrik and a member of the Forbes Technology Council.

Getting the concept right
“You can never claim to be completely cybersecure unless you are 100% off-grid,” said Eyles, reflecting on why we talk about cyber resilience rather than cybersecurity. “Cyber resilience acknowledges that being 100% secure online is impossible. The goal is to have security as a ‘golden thread’ throughout everything we do online, professionally and personally, rather than thinking we are fully secure.”

Rajarajan agreed, adding that cyber resilience is built over time through good cyber hygiene and by implementing controls well in advance, including regular patching and updates, rather than just getting a one-time certification.

Cassidy from Rubrik emphasised that cyber resilience is about recovering from the likes of a security breach or systems failure. It is not just about focusing on prevention but also having the right tools, processes, education and recovery plans in place.

He explained that there are three key questions that organisations need to ask themselves to manage cyber risks better: What am I protecting? What am I protecting it from? How can I ensure resilience in a worst-case scenario?

Challenges and pitfalls
The panellists warned that some organisations are too lax in their approach to cyberattacks, assuming they are too small or insignificant to be targeted. They argued that cyberattackers can come in many forms and can target any organisation, regardless of size or sector. Eyles said that, with 50 million daily cyberattacks worldwide, it is only a matter of time before most organisations are hit. Therefore, companies need to focus on reducing their risk rather than assuming that an attack will not happen. Prevention is better than cure.

Another issue is that many organisations use cybersecurity technologies without fully understanding what they protect against and who the attackers are. Without this context, tools may not be fit for purpose against the actual threats. Cassidy explained: “Organisations need to look at who you’re most likely going to be up against. Then, check if you have the right tools to defend against those types of attacks. In most cases, a lot of organisations I’ve spoken to deploy 100% of a technology and only use 20% of the functionality, because they haven’t really tested if they are fit for purpose.”

Cassidy also noted that organisations tend to silo their data and security approaches rather than collaborating and sharing early warnings. “This lack of collaboration gives attackers more time to enact breaches,” he said. To Cassidy, senior management should think differently and prioritise resilience rather than just focusing on prevention, which is never foolproof.

Technology to the rescue
Rajarajan discussed how advancements in technology, particularly artificial intelligence, present opportunities and challenges for cybersecurity and resilience. While AI and cloud offer benefits such as scalability and resilience, organisations must take responsibility for securing their own data.

He explained that, just as AI enables new generations of attackers to automate attacks and pivot techniques more quickly, organisations should strategically use automation for threat detection and investigation, as long as controls are in place.

Cassidy also explained that moving to the cloud introduces more data silos and complexity for organisations to secure. He said organisations are still responsible for securing their applications and services running in the cloud, whether on an infrastructure-as-a-service or software-as-a-service basis.

“The cloud follows a shared-responsibility model, and providers like Microsoft and AWS have documentation outlining what each party – provider and customer – is accountable for,” he explained, noting that customers are typically responsible for their workloads and merely moving to the cloud does not absolve the organisation of responsibility for protecting data. If a breach occurred, they would still be held accountable by regulators such as the Information Commissioner’s Office.

Addressing the skills gap
Professor Rajarajan highlighted some of the main challenges in terms of preparing graduates and promoting cyber careers to address the high demand for skilled professionals. “Although we follow the Cyber Security Body of Knowledge, we don’t really produce graduates who can work from day one. So, they need to be put on the job and trained again with the real skills that are needed,” he said. “The challenge we find as a university is we don’t get many students locally doing cybersecurity. That’s the fundamental issue. We have a lot of international students who come and do cybersecurity master’s programmes, but they don’t tend to stay: they are stuck with a work permit, or they have to go back to their countries. And we haven’t really unpacked the areas where we need. We say, ‘there is a big skill shortage for cybersecurity of X million graduates’, but we don’t say what areas we are looking for.”

Eyles, whose organisation is part of the UK-wide network of cyber resilience centres, mentioned CyberPath, a programme run by the network to recruit degree students and train them in certain skills. Participants are then deployed into the private sector to carry out services under the close supervision of a cyber senior. This initiative provides valuable experience while also delivering good-quality, affordable services to businesses.

She also shared some insights into the role of law enforcement in responding to cybercrime. Eyles said that law enforcement could help pursue attackers located domestically, but pursuing a full criminal case is very resource-intensive, and outcomes are not guaranteed. Therefore, prevention through initiatives like cyber resilience centres is preferred.

Focus on audit
Rajarajan shared some insights on how cyber audits can ensure real change instead of just being a compliance exercise. He suggested that organisations undergoing audits should be monitored in real time to ensure they continuously practise good cyber hygiene and maintain their posture, not just at audit time.

He also mentioned that, when organisations obtain cyber insurance, insurers could conduct spot checks to validate that they are addressing prior audit findings and maintaining security controls on an ongoing basis. Rajarajan believes that this continuous monitoring approach would help prevent audits and certifications from being just a ‘tick-box’ exercise done once a year and instead become an embedded daily practice. In his view, a more active and ongoing validation approach linked to insurance or other requirements could help drive real behavioural and process changes rather than superficial compliance.

When it comes to ensuring that smaller organisations implement cyber resilience on a continuous basis rather than just as a one-time exercise, procurement principles can be of help, as Eyles suggested. “There’s an important role that government, but also larger organisations need to have in influencing [cyber resilience]. They need to say: ‘if you want to be a supply chain for us, you cannot be my vulnerability’. Once you start giving that money as an incentive for businesses, they’ll deploy the tactics.”

The panellists wrapped up the webinar by sharing their closing remarks. Eyles recommended acting and implementing cyber resilience practices rather than procrastinating or overthinking. She suggested using NCSC’s 10 easy steps as a starting point and compared it to a “couch to 5k” running programme where the focus is on starting the journey rather than worrying about the end goal. Implementing essential controls and hygiene practices would help organisations better handle future challenges and respond to incidents if they do occur. The goal is to prevent incidents from happening.

Rajarajan emphasised the importance of practising good cyber hygiene on a regular basis. He compared it to brushing one’s teeth, something that needs to be done daily rather than as a one-time task. He recommended that organisations focus on the basics like patching, updates, staff training, and running regular phishing simulations over time. This will help build cyber resilience into the infrastructure continuously, rather than treating it as a checklist.

Cassidy from Rubrik recommended that all key stakeholders of an organisation should come together to have an honest discussion about what would truly disrupt their business and operations. Then, they should ask themselves if they can recover from worst-case scenarios of systems failures or security breaches.

PublicTechnology staff
