What leading companies are doing differently to keep operations running smoothly and securely as digital connections multiply
Good enough is not enough anymore. That much is clear from PwC’s Digital Trust Insights study into resilience strategies in over 3,500 firms globally. We’re in the midst of a mindset shift in what it takes to protect the business and rebound from cyber disruptions. Here’s how we know: Businesses where strategies are the most mature are also the most likely to have revamped resilience plans. And they’re not done. They’re aiming for these standards:
Half of more than 3,500 business and IT leaders from around the world reported that increasingly commonplace business practices are “significantly raising vulnerability to cyberattacks.” Practices like these are driving businesses to update plans or revamp strategies for resilience entirely.
What are organizations doing to improve resilience? What’s the standard they should aim for? To find out, we surveyed the maturity of resilience strategies in three areas. We found a high resilience-quotient (high-RQ) group that scored in the top 25% across the three areas.
The high-RQ group is more likely to have revamped strategies in the face of new, “very significant” threats, 59% vs. 31% of the rest of the survey respondents. They are also more confident that they can manage emerging risks that test cyber resilience, 73% vs. 24% of the rest.
In essence, high-RQ group members have shifted their mindset away from the traditional—and myopic—disaster recovery/business continuity model to “resilience by design.” This more expansive approach involves gaining real-time views of higher-priority processes so that decision makers and responders can react to incidents in concert, with minimal harm to the business.
Without understanding how data assets and processes are connected to core business services and their interdependencies, an enterprise can’t know which systems or assets to isolate if a disruption occurs. The most striking difference between the high-RQ group and the rest is this: 91% of high-RQ companies maintain an accurate inventory of assets and refresh the list as needed, compared to only 47% of the rest.
Just creating this extensive inventory can yield important discoveries. For example, a company mapped what it thought were all 50 of its critical assets and systems in one area, and thought itself well-protected against cyber incidents. Yet when it used software to probe its networks, it uncovered secondary and tertiary connections that brought the number of critical systems to 450—a ninefold increase. By virtue of lying “hidden,” those 450 systems made the organization more vulnerable to disruption.
The inventory should encompass third-party relationships: an enterprise’s more sensitive connections may in fact be outside its walls. In one recent major customer data breach, hackers compromised a chat services vendor that was used by several retailers to manage customer service matters.
For large enterprises, IT assets run in the millions and connections in the hundreds of millions. But there are technologies now to map critical assets and processes in-depth. More than half of high-RQ entities have automated their inventory and mapping processes, compared to only 10% of the rest.
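As an added example (not part of PwC's study or any discovery product it describes), a small Python model of the mapping exercise above: a declared list of critical assets is expanded over a constructed, hypothetical dependency graph to surface the secondary and tertiary connections a flat inventory misses, and a reverse lookup shows which critical services a disrupted asset would affect.

```python
from collections import deque

# Constructed, hypothetical dependency map: each asset -> the assets it relies on.
# Names are illustrative only; a real inventory would come from discovery tooling.
DEPENDS_ON = {
    "order-portal": ["order-api", "cdn-edge"],
    "order-api": ["orders-db", "auth-service", "payments-gateway"],
    "orders-db": ["storage-cluster"],
    "auth-service": ["directory-ldap"],
    "payments-gateway": ["vendor-payments-api"],  # third-party connection, outside the walls
    "hr-intranet": ["directory-ldap"],            # shares a dependency but is not critical
    "cdn-edge": [], "storage-cluster": [], "directory-ldap": [], "vendor-payments-api": [],
}

def expand_critical_set(declared, depends_on):
    """Breadth-first walk from the declared critical assets along dependency edges.
    Returns {asset: depth}: depth 0 is the declared set, 1 its direct dependencies,
    2 secondary, 3 tertiary, and so on. The visited dict keeps cyclic graphs safe."""
    depth = {asset: 0 for asset in declared}
    queue = deque(declared)
    while queue:
        asset = queue.popleft()
        for dep in depends_on.get(asset, []):
            if dep not in depth:
                depth[dep] = depth[asset] + 1
                queue.append(dep)
    return depth

def hidden_assets(declared, depends_on):
    """Everything the declared list missed: assets reached at depth >= 1."""
    return {a: d for a, d in expand_critical_set(declared, depends_on).items() if d > 0}

def impacted_services(disrupted, declared, depends_on):
    """Declared critical services that transitively depend on the disrupted asset,
    i.e. the answer to 'what breaks if we isolate this?' during an incident."""
    return sorted(svc for svc in declared
                  if disrupted in expand_critical_set([svc], depends_on))

if __name__ == "__main__":
    critical = ["order-portal"]
    hidden = hidden_assets(critical, DEPENDS_ON)
    print(f"declared {len(critical)} critical asset(s); "
          f"full dependency set is {len(critical) + len(hidden)}")
    for asset, d in sorted(hidden.items(), key=lambda kv: kv[1]):
        print(f"  depth {d}: {asset}")
    print("isolating directory-ldap affects:",
          impacted_services("directory-ldap", critical, DEPENDS_ON))
```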
This first step to resilience is not easy. We learned from the May 2019 Digital Trust Insights report, “Cyber trailblazers reframe security, driving business growth,” that IT professionals (even trailblazers) consider their capabilities least mature in the “Identify” function of the NIST Cybersecurity Framework, which is about pinpointing the assets and processes that need protection.
Catch up to the high-RQ group:
Develop a way to maintain an accurate inventory of assets that can be refreshed as circumstances change.
Automate the inventory and mapping process for continuous and accurate visibility across the network and data end-points.
How much disruption can an organization withstand without crippling its ability to serve its customers?
To answer that question, it must first define its critical business services—a non-trivial task. It’s not surprising that 73% of the high-RQ group have identified their most important business services, while only 27% of the rest have done so.
Next, the organization must set limits on the duration and the cost it’s willing to bear—in short, its impact tolerances. About two-thirds of high-RQ respondents have set impact tolerances for critical business services, while only 24% of the rest of the survey respondents have done so.
The high-RQ group is also more likely to have translated impact tolerances into specific metrics. A ransomware victim cannot waste precious time determining its tolerance after an attack; it must use its pre-defined limits on the nature, severity, and length of disruption it can endure, together with other risk considerations, to help decide whether to pay the ransom.
More resilient enterprises also test their ability to stay within their impact tolerances, starting with “tabletop” exercises built around devised scenarios and round-table discussion. Tabletop tests help teams rehearse vital communications during disruptions and discover gaps in governance and other processes. Some go beyond tabletop by mirroring systems in a simulated environment and testing dependencies and connections there.
And a final differentiator: Among the high-RQ group, 61% have mapped impact tolerances to business services, not just critical ones. Only 18% of the rest have done so. This is particularly important if disruptions result in paying contractual penalties to business partners.
Catch up to the high-RQ group:
Identify your critical business services and set impact tolerances for downtimes.
Define the impact tolerances into specific metrics or outcomes.
Test impact tolerances.
Map impact tolerances to business services.
The “third leg” of the journey required for resilience is the most challenging. That may be why so few organizations—even among high-RQs—have completed it. Asked if their organization has implemented “digital resilience by design” across the enterprise, only 34% of high-RQs said “yes.” For the rest, that number drops to 14%.
What the third leg entails is three-fold:
PwC has seen the evolution and the payoffs that come with using automation, analytics and visualization for an always-current view of critical business services and the related IT assets and processes. Adopting these technologies allows for continuous improvements in the organization’s resilience capability.
The next frontier for the high-RQ group: Resilience by design
Build a platform for a real-time view of prioritized processes so that decision makers and responders can react to incidents in concert, with minimal harm to the business and its customers.
For Financial Services companies, already represented well in the high-RQ group, regulations may be the trigger. Top of mind for many is the Bank of England pilot stress testing on how disruptions can affect payments. Its focus on the ripple effects of cyber disruptions on customers is prompting plans for greater resilience.
Without a regulatory challenge or precipitating crisis, finding the motivation to embark on the resilience-by-design journey may be challenging. But hearing this question from the board or the CEO can create the momentum you need to get started: “Is our organization safe from a crippling, costly disruption or a headline-grabbing incident?”