5 ways to achieve effective cyber resilience
Cyber resilience can impact service delivery, stakeholder confidence and market position. Image: REUTERS/Dado Ruvic
- To thrive in the digital age, organizations must prioritize cyber resilience as a strategic leadership issue.
- Cyber resilience is not the same thing as cybersecurity; however, cybersecurity is essential to achieving cyber resilience. Cyber resilience is an organization’s ability to minimize the impact of significant cyber incidents on its primary goals and objectives.
- A new report from the World Economic Forum in collaboration with the University of Oxford outlines approaches for organizations to boost their cyber resilience.
As economies worldwide adopt more digital technologies, ensuring protections against malicious cyberattacks, failures and outages continues to be a critical concern. And the challenge is a dynamic one – emerging technologies and increasing connectivity create a complex and moving backdrop.
Today, many organizations’ primary goals and purposes are supported by technology-enabled business processes with no analogue alternative. This means that cyber resilience – an organization’s ability to minimize the impact of significant cyber incidents on its primary goals and objectives – can go beyond the digital sphere and not only affect service delivery but also stakeholder confidence and market position.
"The challenge is dynamic," states a new World Economic Forum report, Unpacking Cyber Resilience. "The evolution of the digital landscape and infrastructure, driven by the disruption of connectivity and emerging technologies, has vastly complexified the threat landscape and the cyber risks organizations face."
The report, which was produced in collaboration with the University of Oxford Global Cybersecurity Capacity Centre and industry experts, outlines the importance of cyber resilience and details how a cyber-resilient digital transformation of businesses and society has the potential to drive innovation, productivity and economic growth.
It also notes that while various frameworks and standards exist to help organizations improve their cyber resilience and cybersecurity, lessons learned from peers can greatly enhance the generic approach these models offer.
Here are five tips from the front line to help build cyber resilience.
1. Recognize that total cybersecurity is not achievable
There is no such thing as 100% cybersecurity. Organizations need to take a broad view of cyber risk and the many different ways in which malign actors could exploit cyberspace to cause harm to their operations, profitability or reputation.
Investing in cyber resilience can reduce the economic costs of cyber events (data breaches and intellectual property loss, for example), while contributing to improvement in an organization’s reputation. Studies highlight that more resilient companies generate shareholder returns that are around 50% higher than those of their less resilient peers.
2. Anticipate and plan for disruptions
Plans must be made for when incidents occur – and they need to reflect and protect the organization’s core strategic, operational, financial and legal priorities.
Cyber resilience plans, the Forum's report notes, should be "based on an understanding of the threats they are exposed to and the potential harms that could arise."
3. Embed cyber resilience within business processes
Design business processes in ways that will place the organization in a good position to absorb and recover from events, establishing robust contingency measures for when systems fail. Business processes need to be adapted to ensure service standards can be maintained and stakeholder interests protected in the case of a cyber disruption.
To achieve true cyber resilience, organizations must actively collaborate with external parties, who have a shared interest in strengthening the resilience of the entire business environment.
4. Safeguard confidential information
Adopt information governance practices that can limit the impact of confidentiality breaches and data integrity compromises.
The report stresses that organizations establish "information governance practices that can limit the impact arising from confidentiality breaches and data integrity compromises."
5. Learn from past incidents
Organizations need to learn from past incidents – and those that have affected their peers – and adapt processes accordingly.
"Paths to success that can be illuminated by the collective experiences and insights of peers – the sharing of good practice on what works and how to overcome barriers to success has motivated this project," the report states.
Improving the cyber-resilience ecosystem
The globalization of our supply chains, the complexity of technology stacks and the continued appetite to innovate with digital have led to continued aggregation of systemic cyber risk. While the tips above will help businesses improve their cyber resilience, wider changes are needed in the business ecosystem.
This includes collaborating with other organizations to help identify single points of failure and mitigate the associated risks. Businesses also need to work together, and with public authorities, to find ways to address threats and disrupt malicious activity. The Forum's Partnership against Cybercrime is a platform for insight sharing and aims to promote public-private cooperation to combat cybercrime.
Organizations must also collaborate on utilizing and expanding the limited talent pool with relevant cyber expertise. The Forum’s Bridging the Cyber Skills Gap initiative, for example, has developed a Strategic Cybersecurity Talent Framework that outlines ways organizations can build sustainable talent pipelines.
License and Republishing
World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.
The views expressed in this article are those of the author alone and not the World Economic Forum.