No matter how hard you try, how many boxes you tick, or how many measures you take, there’s no certain way of avoiding a cyberattack. That’s why resilience, the ability to take the blow but limit the damage and recover quickly, has become an area of increased focus in cybersecurity.
“The biggest misconception clients have is that a resilience plan is just a technical document for the IT department,” says Eoghan Daly, partner and head of cybersecurity at BDO. “Many believe that if they have a backup of their data, they are resilient. In reality, a true resilience plan is a business-wide strategy.”

“It should involve every department, from finance to HR, and consider the impact of a cyber incident on all aspects of the business, including supply chains, customer communication and reputational damage. It’s not just about restoring systems, but about ensuring the business can continue its core operations.”
Fortunately, many companies are paying heed to Daly’s advice. The reality that no defence is ever certain is changing the way businesses approach resilience.
“We’ve observed organisations moving beyond the traditional mindset of achieving ‘100 per cent security’ to embrace a reality-based approach: companies will be hacked and will be hacked again,” says Vaibhav Malik, partner in cybersecurity and resilience at Deloitte Ireland.
“Rather than solely concentrating on prevention, the emphasis is now on the ability to continue providing vital services through disruption and restore functioning after an incident.”
This shift in attitude is a necessary one, according to Malik, given how business is conducted today.
“The interconnectedness of modern supply chains has amplified cyber risk exponentially. This increased complexity and opacity means that operational disruptions now have cascading knock-on impacts across entire systems,” he says.
“New regulatory requirements like NIS2 and DORA reflect this reality, covering governance, risk management, supply chain dependency, technology resilience and incident management.”
Despite this new reality, there are still many businesses making cardinal errors that should be easily avoided.

“The most common weakness is complacency. Some organisations assume they will not be targeted, or that existing antivirus software is enough. Others believe they are secure because they have not experienced an attack yet,” says David McNamara, founder of CommSec.
“That is a false sense of security. Another key issue is the failure to test defences. Without regular penetration testing, red teaming or purple teaming exercises, organisations have no real understanding of how vulnerable they may be. These tests provide valuable insights into how an attacker could breach the system and how effective current defences really are.”
The need for this kind of testing, and for greater awareness, is evident in the sheer volume of attacks aimed at Irish companies.

“Over the past four to five years, we have seen both an increased number of disruptive cyberattacks and increased focus on resilience by organisations, regulators and government,” says Dani Michaux, head of cybersecurity at KPMG in Ireland.
“Some organisations do not go beyond simple scenarios when testing, often making a number of assumptions. Often it is found that once a real incident happens, there seem to have been changes in the organisation that have not been accounted for.”
Michaux says that solid interdepartmental communication on security is fundamental to the success of any plan.
“Often we find gaps between backup and recovery capability and misalignment between IT and business understanding of what is really available to restore a service,” she says.
“We also still see gaps in the communications protocols, especially in more complex scenarios involving regulators, external stakeholders and customers. The ability to handle the challenges at hand and be able to cohesively communicate across all groups remains a challenge.”
Michaux says that the only way to truly implement a robust resilience plan is to treat it as more than an IT issue and make it a core part of company culture.
“In the end we always view cyber response as a collective effort and a team sport. Everyone has a role to play, and the more this has been rehearsed and practised, the more effective the response becomes,” she says.
“We also find that organisations where clear leadership and decision-making have been rehearsed are more likely to manage incidents effectively and efficiently, compared to others where decisions may be distributed and on occasion conflicting with each other.”
This is a view shared by McNamara, who says that practice may not make perfect, but it certainly helps.
“IT is now an enabler for the entire business, not just a support function. Every part of a business depends on technology, so resilience must be embedded across the organisation,” he says.
“We work with clients to ensure that cyber resilience is fully integrated into their business continuity and crisis-management planning. This includes developing incident-response plans based on real scenarios. For example, what happens if ransomware takes down all systems? Who is contacted? What message is shared with the media?”
For a company that has prepared for the worst, a cyber crisis can prove to be its finest hour. A well-executed response, resilience on display, demonstrates the robustness of the business.
“These exercises bring clarity and reduce panic during an actual incident. Having a well-defined plan makes recovery faster and more co-ordinated,” says McNamara. “A risk-based approach is essential. It ensures the most critical risks are prioritised and addressed. Planning in advance is key. Without a plan, you are left guessing in a crisis.”