What is Cyber-Resilience and why should you adopt this approach?

Cyber-Resilience strategy by EBRC
By S. Etienne 20/12/2019

Simply protecting data is no longer enough. It is necessary to become cyber-resilient to survive in a virtual world increasingly prey to ever more virulent cyber-attacks. How can this be achieved? What behaviours and solutions should be adopted? Yves Reding and Philippe Dann, respectively CEO and Head of Risk & Business Advisory at EBRC, provide us with some answers.

What is Cyber-Resilience?

YR: Digital transformation allows for more agility, yet it brings along multiple cyber-threats, which necessarily need to be addressed. "A more holistic approach, based on the fact that all companies are going to be attacked, is the key to answering such a change of paradigm", adds the CEO. This wider approach is called "Cyber-Resilience" and aims at helping professionals navigate through a torrent of cyber-threats, attacks and crimes without being affected.

The word "resilience" has been carefully chosen: "being resilient actually means recovering quickly from a rough patch, being aware of the environment you are operating in and eventually strengthening your positions and expertise in order to ensure business continuity."

CYBER-RESILIENCE: A GLOBAL APPROACH

YR: Obviously, security remains a key factor of this Cyber-Resilience concept but is now part of a wider approach notably involving strategy, crisis management and business continuity. It consists of preparing, identifying, protecting and bouncing back, and can even include self-defence knowledge and techniques. Adopting such a continuous and ever-growing approach to risk also means that companies are aware of what is currently going on in IT and more generally in the wider cyberspace. It involves analysing flows entering and leaving the company, promoting the concept within the company but also collaborating with experts. But first and foremost, it needs to be integrated from the start: "Cyber-Resilience and its multiple dimensions, from initial protection to recovery management, have to merge with the DNA of the company and be accepted and understood by all the collaborators. It is all about breaking down silos and sharing a common mindset. As a matter of fact, it has to become part of the company culture".

Why do you believe it is urgent to enter the age of Cyber-Resilience?

YR: We have entered a pivotal period between two industrial revolutions: the third which occurred at the end of the previous century, essentially based on communication technologies and the exploitation of data as a new raw material, and the fourth, which will probably occur at the end of this century and crystallise the convergence of all the new upcoming technologies. We will gradually move from a physical to a virtual world. However, in that nascent cyberspace, most individuals, organisations and States will not have an immune system enabling them to anticipate, counter and cope with cyber-attacks by recovering the lost data.

Are such cyber-attacks as widespread as you claim? Do they have the potential to become physically dangerous?

YR: 2017 and 2018 were marked by major cyber-security failures, and 2019 has been worse. For example, the European Union, in particular, has feared massive cyber-attacks during the elections scheduled in May. And that is just the beginning! In the future, when everything has become digital, such cyber-attacks will have much more serious consequences. Imagine an airplane suffering a cyber-attack or a technical bug against which the pilot is unable to act.

Is moving from cyber-security to Cyber-Resilience the right thing to avoid the worst-case scenario?

YR: We need a paradigm shift, a more holistic approach that does not rely on protection-oriented cyber-security, which has clearly shown its limitations. Given the increasing number of threats, it is necessary to consider that the risk has become certain. It is necessary to invest more in the continuous prevention and detection of potential threats, and to be ready to cope with and manage the crisis in order to better react and bounce back. This is why we place great emphasis on the concept of cyber-resilience, which aims at building up a high-performance immune system for companies, and why we offer our customers a fully integrated, end-to-end approach.

How does Cyber-Resilience translate into your consulting and support activities for companies?

PhD: We help our customers to meet best practices, including the ISO 27001 and ISO 22301 standards, and even to obtain their certification. Those two standards are the essential pillars of Cyber-Resilience. ISO 27001 defines the requirements for the establishment, implementation and continuous improvement of an Information Security Management System (ISMS), namely a systemic approach through which an organisation ensures the security of its sensitive data (governance, persons, processes, IT systems). ISO 22301 is the international standard for business continuity management, designed to protect the business from potential interruptions occurring as a result of accidents, human errors or organisational and technical disruptions, and obviously from malicious acts such as cyber-attacks. In 2018, we provided support to over 80 customers in Luxembourg, Belgium and France, and these numbers keep on increasing every year.

What fundamentally sets the support we provide to clients apart from the support provided by competitors is that our support is absolutely not theoretical; it is pragmatic and based on customer feedback. Anything that we recommend to our customers has already been applied within our company. EBRC has been ISO 27001 and ISO 22301 certified for many years and we implement all the good practices taught to our customers internally on a day-to-day basis.

YR: It is a virtuous circle of sorts. All the solutions and methods that we internally develop are then applied to our customers and the specific solutions that we offer to our various clients are then internally applied within our company. This sharing of know-how and resources, which is made possible thanks to our holistic offering, makes us unique on the market.

You have also set up a Trusted digital ecosystem to complement your Cyber-Resilience approach. Can you tell us more about it?

PhD: In addition to the skills of our specialised teams, we have integrated an ecosystem of partners in order to add more innovation and efficiency to our consulting offer. Our partners are specialised in cyber-risk management and the protection of personal data, access security and tracing, risks associated with identity and access rights, and crisis communications automation.

YR: This desire to create a trusted digital environment across several countries is not solely limited to partnerships. We want to become a European centre of excellence in the protection and management of sensitive information. Through its recent directives, and in particular the NIS directive (Network and Information System Security), the European Union aims to become a cyber-resilient continent and we wish to contribute in our own way, not simply by advising our customers, but also by maintaining permanent contact with other critical institutions and operators, in particular in Luxembourg, working in the field of cyber-security and Cyber-Resilience.

PhD: We have set up a close collaboration with the Cybersecurity Competence Center (C3). After conducting crisis management exercises internally, we invite our customers to take the next step and participate in the C3’s simulation and training platform called Room 42: Do(n’t) Panic. In an isolated room, our customers are subjected to cyber-attacks in real-time and must find solutions to eliminate or contain them within a limited time.