Cyber resilience is an emerging approach to tackling the threat of data breaches and disruptions, combining elements of cyber security and business continuity management. It acknowledges that traditional approaches to cyber security are increasingly inadequate, with organisations unable to cope with the number of threats facing them.
With cyber resilience, organisations don’t put all their faith in their defences. Instead, they place an equal emphasis on how to respond to breaches. This is not only realistic but also cost-effective.
A security incident can cause a devastating loss in revenue and reputation, which can be compounded by regulatory fines, such as those levied under the GDPR (General Data Protection Regulation). The longer it takes to respond, the greater the damage will be. However, being able to defend against breaches and react quickly to incidents that can’t be stopped ensures minimal losses and GDPR compliance.
The GDPR requires data controllers and processors to implement “appropriate technical and organisational measures” to secure personal data, including “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”.
In this context, resilience refers to an organisation’s ability to continue operating during a disruption and its ability to restore its systems to an effective state in a “timely manner”.
The timeframe is intentionally imprecise because there is no definitive reasonable length of time for recovery. Different types of disruption will cause longer or shorter delays, and the size of the organisation will also affect its response capabilities.
To ensure a ‘timely’ response, organisations should coordinate their response with their MTPD (maximum tolerable period of disruption) and RTO (recovery time objective).
An MTPD is the estimated point at which the level of disruption to a product, service or activity becomes unacceptably large. It sets the boundary for the RTO, which is the period of time within which you aim to recover.
If you justify and meet your RTP, supervisory authorities should accept that your response is ‘timely’.
Sign up for The Weekly Round-Up to receive all the latest cyber security news and advice.