A Case for Cyber Resilience

Originally published by Rubrik on March 28, 2023.

Written by Bipul Sinha.

Last month, The White House introduced a new National Cybersecurity Strategy for the first time since 2018. The landscape has changed rapidly over the past five years – a lifetime in cyber. Yet one thing remains constant, then and now: Cyberattacks are inevitable. We support a whole of government approach to solve these existential challenges we face. In particular, efforts like this one, which is focused on resiliency, are likely to produce the greatest impact. Our only hope for real change in the cybersecurity industry is to double down on our focus on resilience – because cyber resilience is business resilience.

Cyberattacks are an enormous tax on business and organizations, from the largest banks to the smallest schools. The breadth and scale of this problem is daunting. According to The State of Data Security report from Rubrik Zero Labs, 98% of organizations experienced a cyberattack in the last year. This means that nearly every organization has already been compromised to some degree with one or more adversaries sitting in its environments, searching for the right data asset to strike.

The average cost of a data breach in the U.S. is $9.4 million, according to IBM. And yet, many organizations still report that they feel ill-prepared for an attack. The State of Data Security also reveals that 92% of IT and security leaders are concerned they won’t be able to maintain business continuity after a cyberattack in the coming year. Ransomware – a kind of cyberattack involving data denial and extortion – has become rampant, causing costly business disruptions all around the world.

The question is: Why are we so exposed to cyberattacks even after collectively spending over $150 billion on cybersecurity tools and technologies? Why after everything we’ve done are our news feeds still full of cyberattacks and their impact on all types of organizations? So far, the cybersecurity industry has focused on infrastructure security and the prevention and detection of attacks by delivering ever more technologically sophisticated versions of the same approach – “taller walls” and “wider moats.” However, modern attacks are not only technologically sophisticated but also psychologically clever, taking advantage of human follies. We quickly click on an important email from a seemingly trustworthy source, or we procrastinate in applying patches to known software vulnerabilities. We look past the burnout and stress on our IT and security teams.

Our collective focus must shift from relying on preventative measures to assuming data breaches will occur – meaning it’s no longer a question of if, but when. Data breaches will happen to us all. Then we can focus on the right question: Are we resilient? Will our organization quickly bounce back when attacks happen? Can our operations continue in crisis periods independent of the cause?

Welcome to the era of Cyber Resilience.

It is time to accept that we cannot stop the growing wave of sophisticated cyberattacks by relying on infrastructure security alone. Prevention and detection of attacks at the infrastructure layer, while critical, are not able to stop all cyber breaches. We must also prioritize data security as part of a holistic cybersecurity strategy to effectively overcome modern cyberattacks and to enable organizations to quickly recover and restore business-critical operations.

Think of your business as a house. To keep it safe, you close your windows, lock your doors and set alarms. That’s infrastructure security. But that’s not enough. Someone could still break in. You go to the next step: Inside, you keep your crown jewels in a smart, safe box. Your most valuable assets are securely protected even after break-ins. That is resilience.

For any business, data is the most important asset, the valuable crown jewels of your organization. If your data is secure, your business is resilient.