Why organizations need to be cyber resilient

I want to share with you a perspective on the major challenges that organizations will necessarily be addressing (or required to do so), not only to navigate through the complications of a digital transformation path but to succeed in the business, to better serve its customers, to be competitive, to create new services and new business models, to increase the quality of its products, to be trusted and resilient.

Let me start from the beginning. Where do we stand and what can we expect in the near future?

Today our organizations are fully digital: this is a matter of fact and quite evident to everybody, but the size of this phenomenon was not the same 3 years ago and will be significantly different in 3 years ahead. User generated content is booming – by 2020 it will reach 2,6 zettabytes of internet traffic, more than quadruplicating since 2015 – and business generated content is also growing – up to 1,7 ZB in 2020, more than triplicating since 2015. We will assist to a continuous exponential growth of these numbers in the next decade, from both consumer and business side.

Such huge amounts of generated (and stored) data, internet traffic and connected devices is made possible by the development of fundamental technologies: cloud (access, computing, storage), which is helping organizations reduce costs, accelerate new business development, transform their processes and adapt more quickly to changing customer needs, and broadband communication systems, which are making it possible to exchange huge amounts of data in almost real-time, bringing “intelligence” to the edge, and allowing for new applications to be developed.

If we combine these two innovation streams with the advancements in the mobile industry (through miniaturization and advanced sensors), in computing (embedded and high performance), in robotics, augmented reality, and Artificial Intelligence, then it is impressively evident how large the technology footprint of the digital infrastructure that organizations use every day is, both directly and indirectly.

This footprint is at the core of the transformation program in every sector: Smart Manufacturing, Industry 4.0, Smart Agriculture, Smart Government, Smart Cities, Smart Transportation, Smart Energy, Smart Home, etc. Therefore, the services and applications that are delivered through such digital infrastructures are subject to the threats and vulnerabilities of every single component of the system. The result is an ever-larger attack surface: managing the related cyber risk is the challenge for the cyber resilient organization.

A special mention must be devoted to 5G technology. All major network operators are offering 5G communications in 2019, providing greater capacity, low latency and a faster user experience for end users, thus triggering new applications such as virtual reality, seamless collaboration, enhanced remote education experience, but at the same time opening the way to critical applications in the field of transportation (both public and private), health services, energy distribution and many others. 2019 will be the “emerging” year for 5G, and it will take 5 years or more to reach the current 4G penetration.

As I mentioned before, such a complex cyber space has its drawbacks. If we concentrate on the last 18 months we can see that cyber threats and attacks have increased in both severity and complexity. Mobile malwares have been a significant new vector for perpetrating malicious attacks, and self-disclosed cyber-attacks will increase in the future, not only because organizations will be more capable of detecting such events but also because they will be required to do so by the EU legislation, due to the new NIS and GDPR regulations. Besides the enforcing measures provided by the legislators, the impact of cyber attacks is evident in terms of lost sales, which must be added to the remediation costs suffered by the same organizations.

We have already commented on the interconnectedness of digital organizations, where every process (manufacturing, logistics, procurement, etc.) is integrated with suppliers’ and customers’ assets. For this reason, threat actors are likely to exploit supply chains and their weakest link to conduct their attacks, which, in turn, will not only be targeting personal and company data, but operational technologies (such as SCADA systems and Industrial Control Systems or ICS) as well, with the potential to disrupt critical infrastructures and the business of small, medium and large enterprises, if not entire sectors.

So, what is the typical trait of a cyber resilient organization? Obviously, there is not a short answer to this question, but I would like to mention the necessary (and not sufficient) condition to characterize it. We, at Capgemini, work with customers in all sectors to design and implement together their digital transformation programs.

What represents a key success factor is the clear definition of a comprehensive cybersecurity strategy. This needs to be linked to the mission of the organization and its strategic objectives, by defining clear links with the financial, customer, and internal perspectives during a strategic planning process.

This is of paramount importance in order to engage the top management, understand the business impacts of cyber threats and define adequate funding to the cybersecurity program, three tasks that typically represent the major issues for a CISO.

Achieving (and maintaining) cyber resilience implies the capability to understand and manage the cyber risk associated to each and every single element of the digital infrastructure through which services are delivered and information is managed.

Today’s priorities are securing:

• the IoT segment
• the variety of communications protocols and vectors
• hardware and software layers of the equipment that processes communication streams
• the access segments of the different cloud providers adopted by the organization
• the applications, which may be developed by different factories/providers
• the processes that the organization has in place
• the mobile, which could represent the easiest entry point for threat actors

All these elements are carefully dealt with in Capgemini Cybersecurity Services, in order to assess:

• attacked surface and associated risks
• threat profiles and related business impacts
• prioritized remediation initiatives
• cyber resilience capability development

Concluding, I would like to summarize the main guidelines for a cyber resilient organization:

• clearly link the cybersecurity strategy with the business one: they should be aligned and integrated
• know where the threat is likely to hit, the profiles of threat actors and the threat vectors they may exploit
• assess and evaluate the relevant risks, including reputational and economic impact
• set the right priorities in the cyber resilience program
• anticipate, leveraging targeted threat intelligence
• complicate attackers’ activity, i.e. improve the capability to detect malicious activities
• improve the response processes through automation and situational awareness
• train, train, train professionals against the newest attack techniques… build a cyber range or use one as-a-Service!
• balance investment in technology with investment in people

The article was drafted by Alessandro Menna.