Crowe Horwath: Building a cyber security strategy

Cybersecurity challenges affect every industry, but they pose a particular problem for organizations in the private equity space. PE groups must not only manage cybersecurity within their own organization but also verify that risks are addressed appropriately in their portfolio companies, which are often numerous and can span multiple industries.

In recent years, the term “cyber resilience” has become increasingly common in discussions about cybersecurity, risk management, and related issues.

More than just another buzz phrase, cyber resilience describes a different and useful way of thinking about protecting data and information systems. Rather than focusing only on preventing attacks or intrusions, cyber resilience also focuses on mitigating the consequences of such incidents.

Cybersecurity is not a new concern in either the public or private sector, but the level of concern has increased in recent years as new types of threats have emerged. Among the most pervasive of the current generation of threats are ransomware (malicious software that encrypts data or blocks access to a system until a sum of money is paid) and whaling (targeted phishing emails aimed at, or crafted to appear to come from, a high-level executive or other legitimate authority).

Threats such as these are more malicious in their intent and potentially more devastating, and their consequences are often immediate and severe. The newest types of ransomware no longer merely hold a company’s data hostage until a ransom is paid; some variants begin deleting data if the ransom is not paid within a set deadline.

Moreover, all signs point to attackers continuing to grow more devious and demanding. Witness, for example, the recent experiences of one manufacturing and development company in the Midwest that was infected four times in three months or large financial institutions that can experience hundreds of ransomware-related emails in a single day.

Not if, but when

Most security experts have come to recognize that, as attackers become more numerous, persistent, and cunning, prevention alone is no longer an adequate strategy. Most organizations have accepted the idea that intrusion attempts are virtually inevitable and that some of these will eventually succeed. And that raises the more important question: What steps can an organization take to minimize the effects of the attack?

That outlook is the underlying mindset that drives organizations to begin embracing cyber resilience – a concept drawing together various practices related to security, disaster recovery, and business continuity.

Cyber resilience integrates principles and practices from all these fields into a comprehensive readiness and response effort that encompasses three phases:

Incident management: The immediate response to an attack, designed to limit the damage and prevent it from spreading;

Service continuity management: Processes that allow the organization to continue operating, performing only its most essential functions in a diminished capacity, in the immediate aftermath of an attack;

Disaster recovery: Processes and practices designed to help the organization get back to normal and resume full operations as quickly as possible.

Components of cyber resilience

The Cyber Resilience Review, maintained by the U.S. Computer Emergency Readiness Team (US-CERT) and updated this year, draws on the CERT Resilience Management Model and organizes cyber resilience into 26 separate process areas across 10 domains:

Asset management: Establishes an organization’s inventory of assets and defines how these assets are managed to support the organization’s critical services;

Controls management: Identifies, implements, and assesses the administrative, technical, and physical controls used to maintain mission-critical services and assets. This effort applies to operational controls, which are implemented by the organization’s operating units, and to enterprise controls, which apply universally across each entity in the entire portfolio;

Configuration and change management: A continuous process of controlling and approving changes to information or technology assets and related infrastructure;

Vulnerability management: Focuses on the processes used to identify, analyze, and address vulnerabilities, particularly those weaknesses that would affect a critical service;

Incident management: Aims to improve the processes used to detect, identify, evaluate, and respond to disruptive events, regardless of the cause;

Service continuity management: Spells out predefined procedures for sustaining essential operations in varying adverse conditions, ranging from minor interruptions to large-scale incidents. Beyond planning, service continuity management identifies the services that are most important to carrying out the organization’s mission and involves the design, development, and testing of response plans;

Risk management: In the context of cyber resilience, this refers to processes that identify, analyze, and treat the operational risk of IT-dependent assets and services;

External dependency management: Focuses on establishing appropriate controls to protect assets and sustain critical activities that depend on public infrastructure and on relationships with technology vendors, suppliers, and other service providers;

Training and awareness: Focuses on ensuring staff have the knowledge and skills needed to perform their work in incident management, controls management, risk management, and other related domains;

Situational awareness: Provides stakeholders with up-to-date information about the immediate operational condition of critical services so that they can make decisions effectively.

These domains provide a helpful framework for understanding the concept of cyber resilience. In addition, they offer organizations a structure useful for organizing their cyber resilience efforts.

US-CERT produced the Cyber Resilience Review as a voluntary assessment that organizations can use to measure and evaluate their operational resilience in the face of various disruptive events. It is important, however, to resist the natural tendency to treat the review of portfolio companies as a checklist. Rather than approaching cyber resilience from a compliance mindset, a more useful approach is to use such assessments as a way to mature an organization’s cyber resilience capability.

A checklist suggests that the organization either meets or fails to meet a certain standard measured as effective or ineffective. Maturity, on the other hand, encompasses not only effectiveness but also two additional important attributes: efficiency and responsiveness.

Say, for example, that an organization establishes a series of manual activities that must be performed as part of its patch management process. Such a manual arrangement might be perfectly acceptable and deemed effective, but it does not necessarily reflect a high level of maturity. A more mature organization might automate those same processes in order to reduce opportunities for manual errors or oversights, to shorten the time between a vulnerability’s disclosure and its remediation, and to measure that time so it can be improved.

More than compliance

By approaching cyber resilience from the perspective of maturity, rather than just effectiveness, an organization can make its cyber resilience efforts more than exercises in compliance. With a foundation for improved decision-making in place, cyber resilience can grow beyond its primary function as a risk management tool. A cyber resilience program can limit an incident’s impact, increase business continuity, and hasten recovery, ultimately adding value to the portfolio company and to the holding company’s bottom line.

Implementing a cybersecurity resilience program

As with all cyber-based programs, the risk and threat landscape is broad and continually evolving, often at a quicker pace than the internal responses to those threats. The most effective approach to managing such risks is to start with a comprehensive risk assessment that identifies which areas, once addressed, will provide the most value to the private equity group and its portfolio companies.

The risk assessment will identify the cyber resilience components that would be the most advantageous to address in the short term, while also providing a general road map to follow as the program matures.

Absent a risk assessment, organizations should focus on the following critical components in the short term:

Incident management: Cyber resilience is based on the assumption that a breach will happen eventually, and the ability to respond to an incident effectively is a critical component of any resilience program. Each portfolio company should proactively establish a formal incident response program and response team, and the program should include training and regular testing exercises such as tabletop simulations;

Vulnerability management: Parent organizations must have visibility into the vulnerabilities in the existing environments of all of their companies in order to manage them appropriately. In practice this means consistent scanning and a common reporting format across the portfolio, so that open findings and time-to-remediation can be compared company by company. The ability to mitigate these vulnerabilities promptly greatly decreases the likelihood of an incident becoming a breach;

Training and awareness: The weakest point of any security effort is typically the end user, which is why phishing continues to be the threat behind some of the most widely publicized breaches. Most organizations have training programs, but they must determine whether those programs actually change behavior, for example by tracking click and reporting rates on simulated phishing campaigns over time rather than completion of the training alone;

Controls management: This is a broad topic, but the initial focus should be on endpoint protection. Managing employee behavior in the face of very sophisticated phishing schemes is difficult, and even with good training, incidents will still occur. Organizations need to evaluate the technical controls at their endpoints so that the impact of an incident is contained when it does occur.
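The maturity discussion above (effectiveness, efficiency and responsiveness of patch management) and the vulnerability management item (parent-level visibility across portfolio companies) both come down to the same artefact: a roll-up of each company’s open and closed findings measured against a remediation deadline. The following is an added example, not code from the article or from Crowe Horwath, showing one way to compute that roll-up. The company names, finding identifiers, SLA values and dates are all constructed for illustration.

```python
"""Portfolio-wide vulnerability roll-up as a maturity measure.

Added example (not from the Crowe Horwath article). Given findings reported
by several portfolio companies in a common format, compute per-company
metrics along the three maturity attributes the article names:
  effectiveness  - share of findings actually closed
  efficiency     - how many open findings have blown past their SLA
  responsiveness - how quickly critical findings get closed
and flag the companies the parent should escalate.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional

# Hypothetical remediation SLAs in days by severity (an assumption for the
# example, not a standard cited by the article).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


@dataclass(frozen=True)
class Finding:
    company: str
    finding_id: str        # constructed placeholder, not a real CVE
    severity: str          # one of SLA_DAYS' keys
    opened: date           # date the scanner first reported it
    closed: Optional[date]  # None while the finding is still open


def days_open(f: Finding, today: date) -> int:
    """Age of a finding: until close date, or until today if still open."""
    return ((f.closed or today) - f.opened).days


def is_past_sla(f: Finding, today: date) -> bool:
    return days_open(f, today) > SLA_DAYS[f.severity]


def company_metrics(findings: List[Finding], today: date) -> Dict[str, dict]:
    """Roll findings up per company into the three maturity attributes."""
    by_company: Dict[str, List[Finding]] = {}
    for f in findings:
        by_company.setdefault(f.company, []).append(f)

    report = {}
    for company, fs in by_company.items():
        closed = [f for f in fs if f.closed is not None]
        still_open = [f for f in fs if f.closed is None]
        crit_close_times = [days_open(f, today) for f in closed
                            if f.severity == "critical"]
        report[company] = {
            "total": len(fs),
            # effectiveness: are findings getting closed at all?
            "closed_pct": round(100 * len(closed) / len(fs)),
            # efficiency: how much open work is already overdue?
            "open_past_sla": sum(1 for f in still_open if is_past_sla(f, today)),
            # responsiveness: typical time to close a critical (None if no data)
            "median_days_to_close_critical":
                median(crit_close_times) if crit_close_times else None,
        }
    return report


def flag_companies(report: Dict[str, dict],
                   max_open_past_sla: int = 0,
                   max_critical_days: int = SLA_DAYS["critical"]) -> List[str]:
    """Companies with overdue findings or slow critical remediation."""
    flagged = []
    for company, m in report.items():
        med = m["median_days_to_close_critical"]
        if m["open_past_sla"] > max_open_past_sla or \
                (med is not None and med > max_critical_days):
            flagged.append(company)
    return sorted(flagged)


# Constructed sample data: three hypothetical portfolio companies.
TODAY = date(2016, 10, 1)
FINDINGS = [
    Finding("AlphaCo", "F-001", "critical", date(2016, 9, 1), date(2016, 9, 4)),
    Finding("AlphaCo", "F-002", "critical", date(2016, 9, 10), date(2016, 9, 15)),
    Finding("AlphaCo", "F-003", "high", date(2016, 9, 20), None),
    Finding("BetaCo", "F-004", "critical", date(2016, 8, 1), date(2016, 8, 20)),
    Finding("BetaCo", "F-005", "medium", date(2016, 5, 1), None),   # 153 days open
    Finding("BetaCo", "F-006", "high", date(2016, 9, 25), date(2016, 9, 28)),
    Finding("GammaCo", "F-007", "high", date(2016, 9, 1), None),    # exactly at SLA
]

if __name__ == "__main__":
    rep = company_metrics(FINDINGS, TODAY)
    for name, m in rep.items():
        print(name, m)
    print("escalate:", flag_companies(rep))
```

Note that GammaCo has closed nothing yet but is not flagged, because its only finding is still inside its SLA window; a parent that wants to catch that pattern would add a minimum closed_pct threshold to flag_companies. The point of the roll-up is that a company with a manual patch process can look perfectly effective (high closed_pct) while its median time to close criticals, the responsiveness attribute, exposes the lack of maturity.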

Mike Del Giudice is with Crowe Horwath. Chris Wilkinson is a principal with Crowe Horwath.

Adapted from ‘Cyber Resilience – Going Beyond Security to a New Level of Readiness,’ published in July 2016 by Crowe Horwath.

This article is sponsored by Crowe Horwath. It was published in a supplement with the October issue of pfm magazine.