Technology transforms the ability of every individual and organization to collect, analyze and use information more effectively. Integrated networks and the internet have removed many historical barriers to sharing information productively, and the technology is revolutionizing our economic and personal lives. The result is a cyber ecosystem: a community of interacting devices, people, organizations and networks, together with the technology that supports these interactions.
The main aim of this system is to transform how organizations use technology in order to increase their benefits. It must be noted that organizations using this system have also developed cyber resilience. Cyber resilience is the ability of an organization to resist, react to and recover from cyber security threats, and to reshape its environment to ensure secure and sustainable cyber operations (Dhillon, 2015).
Cyber resilient organizations do not rely only on traditional technology solutions and methodologies to achieve their goals. They ensure exceptional resilience leadership, culture, networks and change readiness in order to create a sustainable advantage over their competitors, cyber criminals and others.
Cyber criminals are criminals with varied resources who will exploit any situation to achieve their goals, such as natural disasters or other temporary disruptions. It is necessary for organizations to understand how these sources vary. This report does not answer the question "why is it necessary for organizations to be resilient"; instead it answers how the sustainability of resilient operations can be achieved. Organizations must consider how they can achieve their goals while also managing cyber resilience. Cyber-attacks are not easy to handle and there are no simple solutions to them. Organizations must manage these cyber-related issues to ensure the long-term existence and reputation of the business (EY, 2014).
About Information Resilience:
In the present world, organizations must safeguard their sensitive information. A resilient organization manages its physical, digital and intellectual-property information throughout its complete lifecycle, from source to destruction. An organization can ensure this by adopting security-minded information practices that allow stakeholders to collect, access, store and use information securely and effectively.
Information is the key that maintains trust and transparency throughout the supply chain; it is also an essential element in managing the organization's performance and enhancing the quality of the end product. Digitalization has greatly boosted business productivity, but it has also introduced various security threats to the organization, such as computer-assisted fraud, espionage, sabotage and cyber vandalism. However, these threats are not external; they arise from the organization's internal practices. The use of cloud computing and the outsourcing of personal and business data is the actual reason this problem has grown. Therefore, organizations must collect, use and store information appropriately and protect its integrity with a robust information security management system. It is compulsory for organizations to build trust with their consumers that the organization's information systems run securely and that adequate measures are taken to protect sensitive data. Best practice in organizations embeds information security in their practices and ensures rapid and effective decision-making in a safe environment.
This can be understood through an example: ISO 27001 is used by Capgemini, a global leader in consulting, technology, outsourcing and local professional services, to increase its cyber resilience. By adopting this standard, the organization also gains an advantage over its competitors. The organization adopted a comprehensive approach to information security, together with various measures to ensure the confidentiality and integrity of information. The key security drivers the organization identified include potential attacks by computer system hackers as well as newer threats such as increasing government regulation and a stronger approach from the PIN card industry. If the organization fails to comply with these regulations, it risks heavy fines and severe damage to its reputation. Security issues have also become major concerns for the organization's clients (BSI, n.d.; OECD, 2012).
Cyber Ecosystem Approach:
Cyber resilience focuses mainly on the measures an organization can adopt to increase its security against both internal and external threats, and also on those elements that the organization develops collaboratively with its business partners and industry peers.
Cyber resilience is a primary issue in the Corporate Plan 2015-2016 to 2017-2018 developed by ASIC, and the authority deals with this issue on a priority basis. In Australia, a cyber task force is already in operation and collaborating with industry, regulators and the Government.
It must be noted that cyber resilience is a fundamental issue for all organizations because it concerns confidential information. According to industry research, almost 60% of customers stop using a company's products or services if a cyber-attack results in a security breach. Such events negatively affect the business and profitability of the organization, even when the breach is temporary in nature (ASIC, 2016).
Understanding the organization's cyber ecosystem is very important for managing risk. Unlike traditional information security, in which an organization only ensures its own security, it is now important to address the security concerns of its stakeholders as well.
The next step is mapping the relationships, which means the organization must consider its approach to analyzing its position in the system. The organization needs to understand its external and internal environment in order to determine which of its information is crucial and actually needs protection. In other words, the organization can adopt a risk-based approach under which it mainly protects the crucial information necessary for its survival and growth, rather than all of its information. The organization can establish a security limit that states its key relationships and guides it regarding the organizations and authorities with which it can share information. The security limit states the rules, guidelines and commonly accepted protocols for sharing information between trusted parties.
A further step is for the organization to conduct a cyber security risk assessment that considers its information assets, its dependency on other institutions, threats, and so on (ASIC, 2016).
NIST Cyber Security Framework:
Effective cyber resilience requires developing appropriate strategies, which include planning to handle a cyber-attack. There are various standards and methodologies developed by the Australian government for mitigating cyber risk:
ASIC considers the NIST Cyber Security Framework relevant for its regulated population, and especially for financial service providers that operate in a global environment. The NIST Cyber Security Framework has been adopted by critical infrastructure providers in the United States, including those operating in financial services and markets. For financial markets, NIST could become a global benchmark. For example, the US Securities Industry and Financial Markets Association (SIFMA) is encouraging its members to use NIST, and this is also supported by the Global Financial Markets Association (GFMA).
It must be noted that both the American Bankers Association and the American Insurance Association strongly support this framework. The framework enables an organization to apply or complement existing methodologies and standards. In other words, the framework does not introduce new standards and concepts; it builds only on existing methodologies and standards for global security and IT governance (ASIC, 2016).
Cyber Resilience Initiatives in Australia:
Australia has initiated various processes to review and update its cyber resilience initiatives, and these initiatives focus mainly on improved collaboration with industry and on public-private information sharing. Some of these initiatives are stated below:
National Plan to Combat Cybercrime - this national plan was introduced by the Australian government in 2013, and it includes commitments from the Commonwealth, state and territory governments of Australia to work together to address the threat of cybercrime. The government identified six priority areas under this national plan, together with the government's actions for contributing in these areas. It is considered the national response to cybercrime. The six highlighted areas are:
- Educating the community so that it can protect itself.
- Partnering with industry to tackle cybercrime.
- Encouraging an intelligence-led approach and the sharing of information.
- Increasing the effectiveness and efficiency of government agencies, especially in law enforcement, in addressing crime.
- Addressing cybercrime at the international level and contributing to global efforts to reduce it.
- Ensuring an effective criminal justice framework.
ACORN - ACORN was introduced by the Australian government in November 2014. It is a national online system that allows the public to report cybercrime securely. It is an important initiative under the national plan, designed to simplify the method of reporting, and it also develops a better understanding of the effect of cybercrime on Australians.
ACSC - in November 2014, the Government opened the ACSC to bring law enforcement, defence and security capabilities related to cyber security together under a single window, and to ensure collaboration between different agencies. Some functions of the ACSC are stated below:
- It responds to cyber security issues on behalf of the Australian government.
- It helps coordinate national cyber security operations and capabilities.
- It investigates cyber threats.
- It takes steps to encourage the public to report cyber security incidents.
- It reports on the extent of the cyber threat.
- It raises awareness of cyber security.
The ACSC achieves the above targets by bringing together the operations of the following authorities:
- ASD's cyber security mission.
- CERT Australia, the national computer emergency response team.
- Representatives of the Australian Federal Police.
- The Australian Crime Commission, for understanding cyber threat intelligence and promoting response options.
- Cyber investigation and telecommunication security specialists from the Australian Security Intelligence Organisation.
- Cyber threat analysts from the Defence Intelligence Organisation and the Defence Science and Technology Organisation (ASIC, 2015; ASIC, 2016).
Following are some recommendations derived from analyzing the above facts, which can be adopted by the company's board of directors. These recommendations help the organization integrate cyber risk and resilience into its business strategy in order to ensure the growth and profitability of the business. The Board should adopt the following principles to ensure cyber safety in the organization:
- The board of directors takes responsibility for oversight of cyber security.
- The board of directors must gain knowledge of cyber security.
- The board must ensure that one corporate officer is accountable for cyber security.
- Cyber resilience and risk assessment programs must be conducted by management under the board.
- The board of directors must define the organization's risk tolerance.
- The board of directors must hold the company's management accountable in matters of cyber security.
- The board of directors must encourage the inclusion of stakeholders.
- The board of directors must address cyber resilience plans in the organization's annual report.
- The board must review its own performance in enforcing cyber resilience plans.
- The board of directors must enforce cyber resilience reviews.
From the above standards, it is clear that cyber threats develop from the organization's internal practices. Therefore, organizations must analyze their internal practices.
This report states the issues of cyber resilience; it does not focus on the causes of cyber threats but on the measures against them, in other words, measures for the sustainability of resilient operations. It further suggests ways in which organizations can achieve their goals while also managing cyber resilience.
ASIC (2015). Cyber resilience: Health check. Viewed at: Accessed on 28th August 2017.
ASIC (2016). Embedding cyber resilience within company culture. Viewed at: Accessed on 28th August 2017.
ASIC (2016). ASIC's corporate plan 2015–16 to 2018–19. Viewed at: Accessed on 28th August 2017.
ASIC (2016). Building resilience: The challenge of cyber risk. Viewed at: Accessed on 28th August 2017.
ASIC (2016). Cyber resilience assessment report: ASX Group and Chi-X Australia Pty Ltd. Viewed at: Accessed on 28th August 2017.
BSI (n.d.). Organizational Resilience. Viewed at: Accessed on 28th August 2017.
Dhillon, G. (2015). What to do before and after a cyber-security breach? Viewed at: Accessed on 28th August 2017.
EY (2014). Achieving resilience in the cyber ecosystem. Viewed at: Accessed on 28th August 2017.
OECD (2012). Cybersecurity policy making at a turning point. Viewed at: Accessed on 28th August 2017.