Think Like a CISO: Why data resilience is becoming the last line of defence within cybersecurity


I attended the Exclusive Networks Think Like a CISO event this week and came away with a few thoughts that have been rattling around my cybersecurity head ever since.

One of the strongest themes throughout the day was that attackers are increasingly targeting data itself. Financial theft still matters, of course, but data is often the bigger prize. It can be sold, used for extortion, leveraged for fraud, used to damage reputations or simply held hostage until somebody pays up.

What struck me was how much the conversation has shifted. A few years ago, most security discussions focused on keeping attackers out. Firewalls, perimeter security, segmentation and prevention. All important, all still relevant, but the assumption now seems to be that sooner or later somebody will get in.

The question is no longer simply “How do we stop an attack?” It’s “What happens next?”

That’s where data resilience comes in.

The scale of the challenge is enormous. Cybercrime is projected to cost the global economy more than $10 trillion annually. If cybercrime were treated like an economy, it would sit amongst the largest economies in the world! At the same time, organisations are generating and storing more data than ever before across cloud platforms, SaaS applications, endpoints, personal devices and third-party services.

More data creates more value. Unfortunately, it also creates more opportunities for attackers.

Another point that resonated with me was that security doesn’t stop at the edge of your own organisation anymore. We spend a lot of time assessing and improving our own environments, but how often do we ask the same questions about contractors, suppliers and partners?

Attackers will nearly always look for the easiest route in. Sometimes that’s not through your enterprise-grade security stack. Sometimes it’s through a contractor working from a personal laptop on a home broadband connection.

The discussion around recovery was particularly interesting.

One of the speakers made the point that backups and recovery are not the same thing. That sounds obvious, but I suspect many organisations still treat them as if they are. Having backups is important. Knowing they’re clean, isolated, immutable and recoverable is something else entirely. I’ve seen organisations spend years investing in backup technology without ever fully proving that they can recover under pressure. The uncomfortable reality is that restoring an infected backup, or restoring systems into an environment where the attacker still has access, can put you right back where you started.

A useful analogy used during the event was physical security. If you’ve got a locked gate, would you leave all the doors and windows open? If you’ve locked the doors, would you leave jewellery sitting in plain sight on the kitchen table? Of course not. In the real world, we use layers. Gates, locks, alarms, cameras, safes and hiding places. Yet in cybersecurity we’re sometimes still guilty of believing a single control will save us.

The same principle applies to data.

The more valuable the asset, the more layers of protection it deserves.

I wanted to provide some actionable questions that could help you look inward after this insight, so here are five questions I think every organisation should ask:

  • Which data is most critical?
  • Who can access it?
  • Can we recover it cleanly?
  • Have we tested recovery?
  • What is our minimum viable company?

As security leaders, we need to spend less time asking “Could we be attacked?” and more time asking “How quickly could we recover?” Because in today’s threat landscape, resilience isn’t the backup plan – it’s the last line of defence.
