Is it better to focus energy on preventing attacks, or on being able to pick up the pieces after an attack?
Thinking about disaster recovery for an organisation is always an uncomfortable topic to consider – it recognises the reality that no matter how much time and effort went into defending against an attack, there's always a possibility that somebody found their way around the defences.
As with all aspects of business, decisions need to be made about where to focus investment, and this is also true when prioritising between building stronger defences against attack and putting measures in place to recover from a successful attack. Both are essential; it's a question of focus and priorities.
Investment in proactive defence will always have diminishing returns, but there is an obligation (often embodied formally, for example in the European NIS Directive) to take "appropriate" measures in proactive defence. There can also be benefits to going beyond these requirements, but it needs to be a carefully considered business decision.
There is a school of thought that, given the persistence of attacks and the fact that no defence is perfect, it's more a matter of "when" rather than "if" an attack is successful – in fact the 2018 UK Government Cyber Security Breaches Survey found 43% of businesses reporting a breach or an attack within a 12-month period. This is where reactive defence comes into play.
Reactive defence (more often known as incident response) is first about limiting the damage caused by the attack, and second about understanding the attack and collecting information to protect against similar attacks in the future. It is also considered good practice to eventually share collected information with peers so that the security of the whole community benefits.
The most damaging incidents are when the organisation loses control of information and must make time-critical decisions based on limited situational awareness and whilst focussed on damage limitation. Investment in incident response helps to keep control of the situation during an attack, reducing decisions made under pressure and increasing the capacity to understand the attack and prepare mitigations.
Aviation has historically invested heavily in anticipating unusual circumstances and events and putting checklists and procedures in place to handle them. There are benefits in extending this approach to consider cybersecurity – it's a familiar approach, and already proven in terms of safeguarding in crisis situations.
In summary – consider what works well elsewhere in the organisation, and where existing protective approaches can also be applied to security. Use external guidance such as the NIS Directive to measure an appropriate level of proactive defence, and look into using reactive defences to keep as much control as possible, even in the event of a successful attack.