
Three steps to building cyber resilience

05 November, 2019

Joseph Nocera
Cyber & Privacy Innovation Institute Leader, PwC US
Aaron Schamp
Principal, Cybersecurity and Privacy, PwC US

As digital technology is increasingly integrated into business practices, companies face significant exposure to cyberattacks, and so they are overhauling their strategies for protecting themselves from cyber disruptions. How are they doing that? We asked more than 3,500 firms globally about their resilience strategies and the standards they are aiming for. We found that the most resilient companies have shifted away from the traditional disaster recovery/business continuity model and created processes that better fit current threats. This approach includes three steps:

1. Maintaining an accurate inventory of assets, systems, and connections

If companies don’t have an accurate inventory of assets and systems, they won’t know which systems or assets to isolate in case of a disruption. Simply creating this extensive inventory can yield important discoveries, because over time connections can become obscured, and obscured connections are more vulnerable. The inventory should include third-party relationships, because they can be entry points for cyberattacks.

Large organizations can have millions of IT assets and connections. Fortunately, there are technologies now that automate inventory and mapping processes. This is not an easy step, and even high-performing companies are concerned about maintaining an accurate inventory of assets and visibility across the network. Manufacturers seem to be doing fairly well at this step: 69% of surveyed manufacturing companies reported having obtained a full inventory of their assets in the last five years.

2. Defining and testing impact tolerance

Companies need to determine how much disruption they can handle before it affects customers. Practically, this means defining the critical business services that require the most protection and setting limits on the length and potential cost of the disruption. These decisions, or impact tolerances, need to be made beforehand—and preferably translated into specific metrics—to limit the time it takes to respond to an attack.

To test impact tolerance, companies can start with tabletop exercises to discuss how to deal with potential scenarios. These exercises help teams rehearse their various roles and actions in an emergency and can identify gaps in communications and other processes. Some companies go beyond tabletop by setting up a simulated, disruptive event that tests readiness. In our study, 76% of manufacturing companies have tested impact tolerances for their organizations.

3. Building digital resilience by design

This third step is the most difficult, and few organizations have completed it. It brings together automation, analytics, and visualization to form a view of critical business services and related IT assets and processes that is always current. Of the manufacturing companies in our survey, 81% have added planned controls to legacy architecture in at least part of the enterprise, and another 15% have added ad hoc controls. To complete the resilience-by-design process, companies need to:

  • Create a continuous, enterprise-wide perspective into the performance of core assets and associated IT processes.
  • Build a team that monitors, interprets, and responds to threat intelligence.
  • Continuously redesign business services and supporting processes based on lessons learned from disruptions or to meet new needs, such as M&A or expanding a vendor network.

We have seen the benefits of using automation, analytics, and visualization to protect critical business assets. By adopting these technologies, companies have developed continuous improvements in their resilience capability—limiting harm to the business and its customers, even in the face of increased disruption and cyberattacks.