Duncan Bradley, Director of Customer Engagement, UKI Cyber Resiliency Practice Leader at Kyndryl, highlights why the importance of cyber resilience is set to grow in the years to come.

For all of its complexity and difficulty, cybersecurity enjoyed an advantage over other IT specialisms for a long time, in that its goal was relatively easy to define.  

Success in areas like software development or cloud operations can feel like a moving target: understanding what a good outcome for the business or for customers looks like is almost as much work as delivering that outcome.

In security work, the rubric could be simplified down to something much starker: breaches and data loss mean failure, absence of them success.  

While there has always been much more for cybersecurity professionals to consider, as they seek to balance security with things like usability and cost, this underlying formula has informed a lot of how we describe the sector.  

So often, the language is about cat-and-mouse games or arms races between attackers and defenders, each side constantly innovating to spot potential opportunities and intervene first though the attackers only need to be lucky once with an attack.  

However, that metaphor carries a risk of overlooking some of the important things that cybersecurity can or should achieve – and, over the last few years, shifts in the territory have led us to a situation where we might need to fundamentally rethink this quiet assumption about what successful cybersecurity looks like.  

A growing threat  

The arms race metaphor is appealing because malicious actors have so many distinctive tools to work with when targeting an organisation, from the brute force of a DDoS attack to the subtle social manipulation of spearphishing.

But perhaps the most prolific, threatening and consistently profitable of strategies is ransomware.  

While nothing new, ransomware has been growing in prominence over recent years for a variety of reasons.

One is that it offers a clear path to a payday.

Another is that rapid digitalisation has put significantly bigger opportunities on attackers’ radars.  

Where digitalisation once happened in a relatively piecemeal way, the imperative now is towards fully integrated systems that touch every part of a business’ activity.

This consolidation has unlocked new efficiencies in business processes and computing procurement, made data more readily available for analysis, and changed how different business units can digitally collaborate.  

A growing reliance on these integrated systems has also incentivised the use of extensive backup solutions, clustering and replicating data across multiple points of presence to ensure that, even if parts of the IT infrastructure fail, employees still have fast and uninterrupted access to the tools and information they need.  

Unfortunately, this context of highly connected, constantly replicated data is also incredibly fertile ground for ransomware seeking to take root.

Once a successful breach has happened, the damage can quickly spread much further than wherever the security flaw happened to be.  

It means that the problem will often be rapidly copied across the business’ backups as those tools do their job of ensuring that information created in one place is available everywhere.  

The result is a rate of ransomware attacks that businesses are significantly underprepared for.

A study conducted by IDC and Kyndryl last year found that over two-thirds of large businesses had suffered a successful ransomware attack over the preceding 12 months, and nearly a third had ultimately paid between $50,000 and $100,000 to recover their data.  

Considering that nearly half of those businesses were disrupted by the attack for a week or more, and that such incidents always come with reputational damage, the overall costs per incident are much higher.  

The new security stakeholders  

The disruptive potential of incidents like ransomware attacks is one of the major factors stimulating the appetite for regulatory interventions on cybersecurity that we’re now seeing emerge from governments and multilateral bodies around the world.  

When an organisation suffers days or weeks of downtime, the consequences are rarely contained within that organisation, as anyone who relies on them for day-to-day operations also suffers.  

Consider the Digital Operations Resilience Act (DORA), a flagship EU regulation that comes into force in January 2025.

It targets financial institutions, as well as providers that support them, with strict expectations and frameworks for behaviour around their digital operations.  

DORA has been driven forward in the knowledge that, losing just one key component of financial infrastructure could well have a ripple effect across whole economies.  

Unlike the many industry-led cybersecurity frameworks which practitioners have developed over the decades, DORA comes with a defined reporting structure and the power to levy penalties for compliance failures.

Echoing the GDPR, these penalties are scoped at a scale that makes the regulation unignorable: potentially up to 2% of global annual revenue per day of non-compliance.  

There is also NIS2, an EU directive that applies to 18 critical sectors also subject to fines up to €10m or 2 % of global annual revenue.

In the UK, there are new financial regulations looking at outsourcing and third-party risk management as well as a commitment to a new Cybersecurity and Resilience Bill covering critical national infrastructure and supply chains.  

With an organisation’s critical third parties falling under these regulations many organisations are taking a blanket approach contracting these new supplier obligations to ensure that all their suppliers meet these new requirements. 

The landscape of public sector interventions into cybersecurity practices will likely continue to evolve for some time, but it seems certain that one of the effects will be to add a second layer of risk for businesses. 

From security to cyber resilience 

Cybersecurity threats like ransomware are growing in both volume and damage, particularly in their potential to interrupt day-to-day operations.

However, governments are increasingly motivated to make cyber risks something that businesses formally recognise and act on before breaches occur.  

Neither of these shifts will be best responded to by leaning harder into the arms race mindset that cybersecurity has traditionally revolved around.

Regulators will be more interested in the consistency, visibility, auditability and cohesiveness of a business’ strategy than its response to any one specific threat.  

Instead, businesses should move towards investing in an operations centre model which centralises threat detection and response in a way which, vitally, is agnostic about the cause of disruption and instead organises itself around the ability to recover from disruption.  

Cyber resiliency, rather than cybersecurity, is a mindset that seeks to minimise damage both to the business and its customers.

It understands what parts of a business’ digital infrastructure to prioritise in any recovery process, and how the business’ people and management systems play into those functions.  

It means defanging the worst of the disruption that cyberattacks can cause in a holistic way that meets the goals of regulatory intervention, to protect industries and the wider economy. 

Prevention, detection and response are essential but not wholly sufficient to deal with cyber threats, especially those that are unknown or zero-day.

Cyber resilience is essential because it allows businesses to quickly and seamlessly recover from a cyberattack.     

Now, security leaders are realising that the most important goal is to get the business back on its feet after a cyberattack, rather than trying to prevent or detect all possible attacks.

Cyber resiliency needs to become a core designed requirement for new application or important business system modernisation projects.  

This article was originally published in the November Edition of Security Journal UK. To read your FREE digital edition, click here.