Cyber resilience against today’s threats typically requires capabilities beyond those included in most ‘traditional’ disaster recovery and business continuity programmes.
In today’s volatile environment, where dependency on digitisation keeps increasing, organisations need to plan for stronger digital resilience that ensures business continuity. Even small disruptions, if they occur frequently, can consume substantial incident response resources, quite apart from the direct impact on the organisation’s ability to generate revenue. Given geopolitical uncertainty, an evolving threat landscape, increased regulatory interest and growing IT dependency (Danish companies spent DKK 6.4 billion more on IT in 2022 than in 2021, according to the Confederation of Danish Industry [i]), digital resilience is more important than ever before.
In this year’s survey, we asked respondents about their digital resilience posture: whether their organisation has built a robust business operation that can respond to and recover from a cyberattack in line with business priorities, so that critical services are recovered in a controlled way within a predefined timeline.
The survey results show that most Danish companies and public organisations have prioritised digital resilience. Almost three-quarters of respondents said that their organisation has defined an order of priority for restoring core operations after a cyberattack.
Figure 9. Prioritising the restoration of core business processes
Have you prioritised the order of restoration for core business processes in the event of a cyberattack in your company/organisation?
Besides an order of priority for restoring operations, most organisations in the survey (66 per cent) also have a defined timeline for restoration in the event of a severe data loss incident. Yet 77 per cent of those organisations stated that their acceptable recovery timeline is within two days, an ambitious target for a catastrophic event, and since backup testing is still not fully implemented, many are unable to validate whether that objective is achievable (see Figures 12 and 13).
Given the current threat scenarios and practices, it is plausible that most companies will experience a gap between the aspirational recovery timeline and the actual restoration of business processes in the event of an attack.
Figure 10. Timeline for core business process restoration
Do you have a timeline defined for restoration of core business processes in the event of a catastrophic data loss event in your company/organisation?
Figure 11. Acceptable timeline for restoration of core business processes
What is the acceptable timeline for core business process restoration?
All organisations have backup, but many do not know how it is tested
Backup is an age-old, proven method of ensuring recovery when the primary copy of the data is corrupted or wiped out. A pre-defined backup schedule and a strategy indicating what to back up, when to back it up and on which medium have traditionally proven to be a highly effective recovery strategy.
All our respondents said that their organisation has a backup, and most update it daily. However, almost one in four did not know how often the backup is tested, whether the data being backed up aligns with business priorities, or how data quality and integrity are verified.
Figure 12. Updating backup
How often is your company's/organisation's backup updated?
Figure 13. Testing backup
How often is your company's/organisation's backup tested?
From simple to advanced backup
The majority of Danish organisations in our survey (67 per cent) have raised their security level from a simple backup process to immutable backup, i.e. a backup copy whose data cannot be altered or deleted once written, which protects it against a ransomware attack that encrypts or destroys the primary data and any reachable backups. However, 15 per cent of respondents said that they do not have immutable backup, and 18 per cent did not know.
This indicates that organisations are generally making the right investments in the underlying technology, such as immutability; yet what is backed up, how the backup is done and how it aligns with business requirements still remain unclear.
Figure 14. Implementation of immutable backup
Have you implemented immutable backup for your company's/organisation's core data/business processes?
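Immutability (storage that refuses to alter or delete a copy) and testing (proving a restore yields the data that was backed up, within the agreed timeline) are separate controls, and the survey shows many organisations cannot answer for either. The following is an added example, not code from the survey or from Deloitte, of the second control: a restore-verification routine that records a per-file SHA-256 manifest at backup time, authenticates the manifest with an HMAC key that is assumed to be kept off the backup medium (in an HSM or separate vault), and on restore reports modified, missing and unexpected files as well as whether the measured recovery time met the predefined acceptable timeline. File names, contents, the key and the timings are all constructed sample data; `MANIFEST_KEY` and the helper names are hypothetical.

```python
"""Added example (not from the survey): tamper-evident backup manifest plus a
restore check against the organisation's acceptable recovery timeline.
All file names, contents, the HMAC key and the timings are constructed."""

import hashlib
import hmac
import json
import tempfile
from dataclasses import dataclass, field
from datetime import timedelta
from pathlib import Path

# Hypothetical key. It must live outside the backup medium (HSM, separate
# vault); an attacker who can rewrite the backup must not be able to re-sign it.
MANIFEST_KEY = b"example-manifest-hmac-key-do-not-reuse"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record every file under root with its digest, then HMAC the canonical JSON."""
    files = {str(p.relative_to(root)): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps(files, sort_keys=True).encode()
    tag = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    return {"files": files, "hmac": tag}


@dataclass
class VerifyResult:
    manifest_authentic: bool
    modified: list = field(default_factory=list)
    missing: list = field(default_factory=list)
    unexpected: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.manifest_authentic and not (self.modified or self.missing or self.unexpected)


def verify_restore(root: Path, manifest: dict) -> VerifyResult:
    """Check a restored tree against its manifest. A manifest whose HMAC does not
    verify is rejected outright: it cannot be trusted to judge the files."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected_tag = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    result = VerifyResult(manifest_authentic=hmac.compare_digest(expected_tag, manifest["hmac"]))
    if not result.manifest_authentic:
        return result
    present = {str(p.relative_to(root)): p for p in root.rglob("*") if p.is_file()}
    for rel, digest in manifest["files"].items():
        if rel not in present:
            result.missing.append(rel)
        elif sha256_file(present[rel]) != digest:
            result.modified.append(rel)
    # Files that were not in the backup (e.g. a dropped ransom note) are flagged too.
    result.unexpected = sorted(set(present) - set(manifest["files"]))
    return result


def within_recovery_objective(restore_duration: timedelta, acceptable: timedelta) -> bool:
    """Compare the measured restore time with the predefined acceptable timeline."""
    return restore_duration <= acceptable


def demo() -> dict:
    """Constructed scenario: a clean restore, a tampered restore and a forged manifest."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "ledger.csv").write_text("acct,balance\n1,100\n")
        (root / "config.yml").write_text("mode: prod\n")
        manifest = build_manifest(root)
        clean = verify_restore(root, manifest)
        # Simulate ransomware-style tampering with the restored copy.
        (root / "ledger.csv").write_text("acct,balance\n1,0\n")
        (root / "config.yml").unlink()
        (root / "ransom_note.txt").write_text("pay up")
        tampered = verify_restore(root, manifest)
        # An attacker without the key can rebuild the file list but not the tag.
        forged = build_manifest(root)
        forged["hmac"] = "0" * 64
        forged_ok = verify_restore(root, forged).manifest_authentic
    # Constructed timing: restore took 30 hours against a two-day acceptable window.
    rto_met = within_recovery_objective(timedelta(hours=30), timedelta(days=2))
    return {"clean_ok": clean.ok, "tampered": tampered, "forged_ok": forged_ok, "rto_met": rto_met}


if __name__ == "__main__":
    r = demo()
    print("clean restore ok:", r["clean_ok"])
    print("tampered restore:", r["tampered"])
    print("forged manifest accepted:", r["forged_ok"])
    print("recovery within objective:", r["rto_met"])
```

The manifest only gives tamper evidence; it does not stop an attacker with write access from destroying the copy, which is what storage-level immutability (WORM or object-lock retention) is for. Run the verification as part of every scheduled restore test and record the measured restore duration, otherwise the two-day objective in Figure 11 remains an aspiration rather than a validated number.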
We asked respondents whether their organisation has identified a ‘core DNA’, i.e. a set of prioritised processes to ensure that the core functions of the organisation are protected at all times. A little over half of respondents (56 per cent) said “Yes”, but 27 per cent said “No”, and 17 per cent did not know.
Figure 15. A ‘core DNA’
Have you identified a 'core DNA' of your company/organisation which should be prioritised to ensure that the core functions of your business are protected at all times?
From backup to a recovery vault
To understand resilience to cyberattack, it is necessary to understand the intentions of the attackers. Motives behind a cyberattack are no longer limited to financial gain. The aim may be to cause serious strategic disadvantage to businesses, governments and public organisations, and sometimes simply to cause destruction.
Many of today’s ransomware and denial of service attacks are made possible by poor security hygiene. Ineffective software patch management, poorly implemented access management and inadequate backup and restoration schedules are some of the weaknesses criminals routinely exploit to cause large-scale disruption.
Today, organisations cannot rely on traditional backup alone, which is why some are already moving to a cyber recovery vault setup: an isolated, immutable copy of core data together with the tooling needed to restore it. However, 68 per cent of organisations still plan to use conventional backup controls, which are inadequate compared with the risks described in this survey.
Whatever technology organisations choose, cyber risks and resilience have to be understood holistically to build robust and future-proof defence mechanisms, and the responsibility clearly falls on executive leadership, as pointed out by Member of the European Parliament Morten Løkkegaard in his recent interview with Deloitte. The importance of resilience is at the core of incoming regulations, including NIS2 and DORA, which aim to ensure business continuity in the face of catastrophic yet plausible events.