
Looming Resilience Bill May Feel Too Harsh, Kickstarting the Roadmap

The UK’s Cyber Security and Resilience Bill feels like a big stick telling businesses to “be resilient” overnight.


The UK economy is increasingly being attacked by cyber-criminals and state actors, with the NCSC issuing fresh warnings about state-sponsored cyber attackers homing in on critical infrastructure.

In response, the UK government has unveiled its Cyber Security and Resilience Bill to bolster the nation’s cyber defences and protect essential public services and infrastructure.

Having been involved in various government briefings across the globe, I understand the need for national cyber policy and regulation that drives a country's economy towards cyber resiliency. However, the UK's Cyber Security and Resilience Bill feels like a big stick telling businesses to "be resilient" overnight, with little help offered on growing the carrots.

Achieving cyber resiliency doesn't happen overnight. In fact, 80 percent of IT and SecOps leaders have expressed concern about their organisation's current cyber resiliency strategy in the face of today's threats.

You can’t buy resiliency off the shelf; it is a state that emerges by having the right people, processes, and technologies in place. Joined-up, pragmatic guidance that helps organisations move towards cyber resiliency, combined with a gradual enforcement regime, would be a better approach.

So, what are the key considerations for organisations to be aware of when it comes to the new resiliency bill, and how can they make impactful changes now to build resiliency?

Enhancing the impact of regulation through key lessons from DORA

The government is right to address the cyber resiliency of UK enterprises. However, the current legislative approach risks harming the very critical services it aims to protect, either through fines that drain resources from security work or by driving organisations to focus myopically on compliance rather than true resilience.

Taking lessons from the EU's Digital Operational Resilience Act, we should require UK organisations to understand and measure their impact tolerances and their current level of resiliency, rather than demanding immediate achievement of an arbitrary boilerplate level.

Government should consult industry leaders in developing a pragmatic tiered approach that sets specific, staged requirements for businesses as they grow their cyber resiliency. This would enable organisations to identify their current level of resiliency and build a strategy with benchmarked progress along the way; the NCSC's Cyber Assessment Framework, with its graded achievement levels, already provides the foundations for this.

The criticality of an organisation's products and services to the supply chain also needs consideration. The 2017 NotPetya attack on Maersk, for example, had a significant impact on the wider economy by preventing the delivery of critical components to manufacturers. Cyber resiliency isn't a one-size-fits-all approach, and an inadequate legislative approach could have repercussions for critical services.

Building resilience in a world of destructive cyber-attacks

Cyber resilience – which brings together cybersecurity, crisis management, business continuity and recovery – is now a boardroom topic.

Companies continue to deploy data security and data management tools that are both proactive and reactive to boost cyber resiliency. In fact, the average enterprise has over 130 different cybersecurity tools installed to do just that.

Yet we cannot ignore that the vast majority of those tools have not been integrated and operationalised well enough to stop organisations from suffering real impacts. Today, cyber resiliency requires more than simply deploying technology; it is about having the right people, processes and integrations on top of that technology. Everything must line up to achieve true resiliency, and this can't be achieved overnight.

To get started on their resiliency journey, companies should adopt a cyber resiliency maturity model, which ensures they take stock of their current capability and measure their increasing maturity as they build resilience to destructive attacks such as ransomware and wipers.

Maturity should be assessed by an external organisation, which is best placed to provide clear benchmarks and a structured roadmap to effective and efficient operations. An effective resilience maturity model should assess operational capability across five stages of response and recovery:

  1. Preparing for an incident

  2. Identifying and investigating the attack

  3. Containing the attack

  4. Eradicating the threat and reducing the attack surface to prevent recurrence

  5. Recovery to a secure state

The maturity model should also be aligned with common response and recovery frameworks, such as the SANS Institute six-step incident response process, the RE&CT framework, MITRE D3FEND and NIST SP 800-61 (Computer Security Incident Handling Guide), giving organisations a path to adopt industry-wide best practice. One caveat when mapping the five stages above onto those frameworks: both the SANS process and NIST SP 800-61 end with a post-incident lessons-learned activity after recovery, and a maturity model should assess that step too, since it is where each incident feeds back into better preparation for the next.

Overall, this approach keeps organisations aligned with best-practice response and recovery frameworks, and builds a state of cyber resilience through the development of governance, technology, people and processes over time.

The future is bright for organisations that assess their resilience maturity today, allowing them to maintain the confidentiality, integrity and availability of their data and to withstand and recover from cyberattacks. Most importantly, a resiliency maturity roadmap ensures that investments in technology, people and processes genuinely improve operational outcomes.


James Blake, VP of cyber resiliency strategy, Cohesity
