Damage Control: Why Building Cyber Resilience Is Non-Negotiable
I recently attended CYBERUK, the annual event hosted by the U.K. government’s National Cyber Security Centre (NCSC), and the word on everyone’s lips was “resilience.” Fresh on our minds was a series of high-profile ransomware attacks on several of the most prominent U.K. retail businesses.
Despite the pervasive industry focus on AI-driven threats, these headline-grabbing breaches allegedly employed garden-variety social engineering attack strategies.
Given the unceasing torrent of attacks from both criminal and state actors, it’s only a matter of time before one of them finds the crack in your security armour. Will you have the resilience to contain the attack and limit the economic and reputational damage?
Europe is leading the way
The Europe, Middle East, and Africa (EMEA) region has been particularly hard hit in recent years. The global surge in distributed denial-of-service (DDoS) attacks has been especially apparent in Europe where our researchers have observed a dramatic uptick in the number of attacks.
In addition to the traditional motives of financial and IP theft, hacktivism and efforts to erode trust and destabilise governments have increased in response to geopolitical conflicts.
Regulatory frameworks that strengthen digital resilience
The U.K. and EU governments have been ahead of the curve in introducing regulatory frameworks designed to strengthen digital resilience. These include:
The Digital Operational Resilience Act (DORA), an EU regulation designed to ensure that banks, insurance companies, and other financial organisations can recover from cyberattacks or other disruptive events that impact information and communication systems.
The NIS2 Directive, the updated version of an EU directive that establishes a common level of security for network and information systems across a variety of industries. It sets forth minimum standards for cybersecurity, together with strong risk management and incident reporting requirements.
The Cyber Security and Resilience Bill, a forthcoming bill in the United Kingdom designed to enhance protection of essential services — including healthcare, energy, transportation, and digital services. The bill expands regulation to these critical services by strengthening regulators and mandating increased incident reporting.
The Cyber Resilience Act (CRA), an EU law designed to enhance the cybersecurity of products that contain digital components. The act places mandatory cybersecurity requirements on manufacturers and retailers throughout their products’ lifecycles.
Connecting resilience with compliance
Viewed together, these regulations create an interwoven collection of requirements and enforcement mechanisms intended to close security gaps that have emerged over time. The net result is a region where cyber resilience and cyber compliance are tightly linked.
While these regulations are specific to the EU and the United Kingdom, they frequently affect any organisation seeking to do business there — which means essentially all multinational enterprises. We’ve seen this with the EU’s General Data Protection Regulation (GDPR), which businesses worldwide have adopted in a phenomenon known as the “de facto Brussels effect.” We can expect compliance with other EU cyber resilience regimens to follow a similar pattern.
Meet complexity with simplicity
But compliance is only a means to an end — in this case, building a more resilient society. That society is becoming increasingly complex, with rapidly evolving business models, political dynamics, and cyberthreats. In the face of this complexity, I believe organisations need to secure with simplicity.
When security strategies are complex, they are difficult to manage and, therefore, often are not fully realised. Focusing on basic cyber hygiene principles and limiting variables makes security less complex and more manageable.
If you have 100 security vendors, that means you have 100 management controls to keep track of, which increases operational costs and raises the risk of a gap in protection.
Protect what matters most
This leads to an important practice for resilience: You don’t have to put everything in an impenetrable box — that’s just not practical. Instead, ringfence the most critical assets and use microsegmentation to prevent lateral movement of malware that, sooner or later, may get into your environment.
Well-engineered microsegmentation offers the flexibility of security policies that move with workloads as your environment evolves — something static firewalls can’t do.
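As an added example (not code from this post or from its publisher), here is a small label-based microsegmentation policy evaluator in Python that shows the two points above: a default-deny ringfence around one critical asset that blocks lateral movement from every other workload, and a policy keyed on workload labels that keeps working when the database is rescheduled to a new address, where an address-keyed static firewall rule silently stops matching. The workload names, labels, addresses and rule format are constructed assumptions, not any product's syntax.

```python
from dataclasses import dataclass, replace

@dataclass
class Workload:
    name: str
    ip: str
    labels: dict  # e.g. {"app": "payments", "tier": "db", "env": "prod"}

@dataclass
class Rule:
    src: dict  # label selector the source must match ({} would mean any workload)
    dst: dict  # label selector the destination must match
    port: int

def matches(selector: dict, labels: dict) -> bool:
    """A selector matches when every label it names has the required value."""
    return all(labels.get(k) == v for k, v in selector.items())

# Ringfence around the payments database: only the payments web tier may reach it,
# and only on the database port. Any flow not listed here is denied.
POLICY = [
    Rule(src={"app": "payments", "tier": "web"}, dst={"app": "payments", "tier": "db"}, port=5432),
]

def label_policy_allows(src: Workload, dst: Workload, port: int, policy=POLICY) -> bool:
    """Default deny: a flow passes only if some rule matches both endpoints' labels."""
    return any(matches(r.src, src.labels) and matches(r.dst, dst.labels) and r.port == port
               for r in policy)

# The same intent written as a static, address-keyed firewall rule, for contrast.
STATIC_FW = {("10.0.1.10", "10.0.2.20", 5432)}

def static_fw_allows(src: Workload, dst: Workload, port: int) -> bool:
    return (src.ip, dst.ip, port) in STATIC_FW

# Constructed sample estate (hypothetical names and addresses).
WEB = Workload("pay-web-1", "10.0.1.10", {"app": "payments", "tier": "web", "env": "prod"})
DB = Workload("pay-db-1", "10.0.2.20", {"app": "payments", "tier": "db", "env": "prod"})
HR = Workload("hr-web-1", "10.0.3.30", {"app": "hr", "tier": "web", "env": "prod"})

def demo() -> dict:
    """Verdicts for the flows a defender cares about; the denied ones are what you alert on."""
    moved_db = replace(DB, ip="10.0.5.77")  # rescheduled to a new address, same labels
    return {
        "web->db:5432": label_policy_allows(WEB, DB, 5432),            # legitimate path
        "hr->db:5432": label_policy_allows(HR, DB, 5432),              # lateral move blocked
        "web->db:22": label_policy_allows(WEB, DB, 22),                # wrong port blocked
        "web->moved_db:5432 (labels)": label_policy_allows(WEB, moved_db, 5432),  # still allowed
        "web->moved_db:5432 (static)": static_fw_allows(WEB, moved_db, 5432),     # rule broke
    }
```

The denied verdicts are the detection value of the ringfence: a flow from an HR server toward the payments database is the lateral-movement signal worth forwarding to the SOC, not noise.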
Keep it simple and win big
To achieve this protection, you need visibility of and control over your application and data estate. Keep it simple: Start with your core assets, and then you can expand over time in a phased process to include your entire infrastructure.
This visibility lets you spot network activity and potential vulnerabilities you were not previously aware of. That’s a huge win.
By focusing on protecting what matters most and employing strategic microsegmentation, you can isolate ransomware and turn cyberattacks into trivial events. And isn’t that what resilience is all about?
Learn more
Want to learn more about improving resilience by ringfencing your core assets? Check out our recent BrightTALK webinar: Isolating Ransomware Attacks to Block Lateral Movement and Protect Critical Assets.