Cyber Vulnerabilities of Energy Companies’ Control Systems Can Be Addressed Safely and Successfully

 

By Tyler Chase, Managing Director
Energy and Utilities Industry Leader

and

Michael Porier, Managing Director
Technology Consulting – Security and Privacy

 

The realization is growing across the oil and gas industry that the major cybersecurity threats to upstream, midstream and downstream data and operations are often aimed at operational technology (OT) systems and equipment – usually older, legacy models – rather than at the information technology (IT) side. Those operational technologies typically include industrial control systems (ICS), supervisory control and data acquisition (SCADA) devices and other related technologies implemented at operational facilities, such as plants, pipelines, terminals and rigs.

A recent survey of more than 300 oil and gas companies found:

  • More than 60 percent of companies have suffered a security compromise in the past year, which exposed confidential information and disrupted OT systems and operations
  • Two-thirds of companies believe risks to OT systems have increased substantially in recent years, and 59 percent believe they face greater risks in OT than in IT
  • Only one-third of companies report that OT and IT are fully aligned in their organizations
  • Just 35 percent rate their readiness to address cyber threats as high
  • Close to half of all attacks on OT are going undetected

These survey findings appear shocking – but they are also consistent with Protiviti’s experience in performing cybersecurity assessments for energy and utility clients, particularly evaluating their OT systems. We often find unprotected field terminals with inadequate physical security of connection points, live ports that lack deterrents, and an absence of intrusion detection capabilities. We also commonly see flat networks that are not segmented to appropriately segregate the OT systems from the corporate network environment, making it easier for potential hackers to exploit vulnerabilities across the organization.

Obviously, OT systems with any of these shortcomings present significant cybersecurity risks for the energy and utilities industry. The threat is multiplied by the fact that energy and utilities organizations are deemed critical infrastructure, whose exploitation can have devastating effects on broad geographic regions, affecting multitudes of people.

More and more ICS/SCADA technologies allow for the capability to connect (via IP) to the broader corporate network infrastructure. While this provides for certain efficiencies, it can also expose oil and gas systems to unprecedented risks that occur when the previously isolated OT systems are linked to sophisticated IT networks so data can be shared, managed and analyzed.

Despite this newfound connectivity, the industry has remained stubbornly reluctant to challenge legacy OT systems from a vulnerability perspective, for fear of creating interruptions or process errors. This reluctance often leads to a failure to adequately test or update systems to optimize security and minimize cybersecurity risks.

The concerns are legitimate, but only up to a point. In our experience, there isn’t sufficient justification to hold OT systems “off limits” for cybersecurity evaluation and upgrades, given the high potential for targeting by sophisticated opponents and the alarming numbers cited in the survey. To this end, assessments should still be performed, but they must incorporate a series of precautions designed to assure both operational continuity and a complete threat risk review. These precautions include:

  • Well-defined rules of engagement, including identification of the types of reports and system information to be compiled prior to conducting a vulnerability scan
  • Performing security evaluations in a test, rather than production, environment
  • Collaboration with both engineering and IT security personnel to define the scope of the review engagement
  • Reasonable limitations on initial tests so sensitive systems can be excluded if needed to allow for the development of workarounds
  • Establishment of clear lines of communications so any network or system irregularities are reported and evaluated during testing

Working within these parameters, testing the security control environment of ICS/SCADA systems should achieve the following:

  • Evaluate the key security risks prevalent in the ICS/SCADA network architecture
  • Identify the network vulnerabilities and test the connectivity to the enterprise network
  • Assist with the development of a vulnerability management program specific to the ICS/SCADA infrastructure

Ideally, what energy and utilities companies want is to ensure they have an ICS/SCADA environment that can function in a secure and effective manner, and that they can be highly efficient in detecting and responding to breaches and attacks. This requires technical expertise, collaboration between departments, appropriate planning, and leveraging vulnerability assessments to periodically test security. Testing these systems requires more work, but it is not impossible, and it should not be considered “out of the question.” In fact, testing is an essential practice for preserving the integrity of any critical system.

Answer Fundamental Questions and Beware of Overconfidence Before Moving to the Cloud

By Rick Childs, Managing Director
Consumer Products and Services Industry Leader

 

 

 

For any business, migrating to the cloud is an essential step in the digitization journey. The baseline cloud benefits, such as reduced costs, greater efficiency and enhanced customer service, are important objectives to strive for, of course. The latter is especially attractive to consumer products and services companies. But there are many considerations, in addition to the benefits, that businesses must keep in mind when shifting to the cloud if they are serious about achieving true digital transformation.

To begin with, companies must have a thoughtful — and even an aspirational — strategy behind any cloud migration project if they are to realize measurable value from it. Protiviti’s white paper, Cloud Adoption: Putting the Cloud at the Heart of Business and IT Strategy, emphasizes this key point: Executives need to recognize cloud adoption as a strategic business issue, not an IT issue. To ensure that such a move will enable true business and IT transformation, executives must have clarity on what they expect the cloud to accomplish for the organization. They also need to understand their digitization priorities within their specific industry and regulatory contexts.

Consumer products and services companies leading the cloud race

Cloud adoption is accelerating across all industries, but for consumer products and services companies the pace is quicker. According to Protiviti’s latest annual Technology Trends and Benchmark Study, nearly two in three companies today are now focused on investing in cloud adoption. For consumer products and retail companies that participated in the study, that number is 80 percent. These businesses also reported that they are currently focusing on and investing in digitization.

Interestingly, despite being on the forefront of cloud adoption, consumer products and services companies don’t appear to be overly concerned about risks that may accompany such a dramatic move. Executives from these businesses who responded to the Executive Perspectives on Top Risks for 2017 survey from Protiviti and North Carolina State University’s ERM Initiative did not cite the following as a top five risk for their industry, even though it was fourth on the overall list of top risks in the survey:

Rapid speed of disruptive innovations and/or new technologies may outpace our organization’s ability to compete and/or manage the risk appropriately, without making significant changes to our business model.

On the surface, this finding seems positive: Consumer products and services companies believe they have a handle on this top risk. However, it might also be a signal of overconfidence. And overconfidence is a risk in and of itself, and could potentially undermine the success of any digital project. To help those feeling confident test their preparedness, a recent issue of The Bulletin suggests that executives ask themselves the following questions:

  • Directionally, do we know as an organization where we’re going and why?
  • Are we prepared for the journey we are undertaking?
  • Do we possess the ability, will and discipline to cope with change along the way?

Pondering these questions can help organizational leaders think more critically about their goals, the risks associated with the changes they want to undertake, and whether they fit within the risk appetite of the company. Answering these questions will also help them to think more critically about what to move to the cloud, how and when, to realize the most value for the company.

For example, back-office operations are often overlooked as potential candidates for cloud migration in favor of more customer-facing functions. This oversight could result in the business missing out on some significant benefits, like building greater resiliency into its core operations. The inverse is another common mistake: Rushing to migrate a back-office function and then realizing, too late, that the legacy technology supporting it can’t be cloud-enabled. Yet another pitfall is jumping on the cloud bandwagon before properly considering privacy, security or compliance issues.

Even more questions to consider

In addition to the “soul-searching” questions above, organizations should seek to answer some other key questions to help them develop their cloud strategy:

  • Why should we adopt the cloud?
  • What are the business needs, and what are the outcomes we expect?
  • What are the use cases?
  • What portions of the business should we move to the cloud, how, and when?
  • Which cloud model is most appropriate for this initiative and for our organization (e.g., private, public, hybrid, or multi-cloud)?
  • What is the economic and operational value proposition?
  • How would this project impact IT’s approach to its current business model?
  • What vendors should we work with?

The bottom line of this discussion can be summed up in a word: preparation. Well-placed confidence, clear business-driven goals and a well-thought-out strategy will position organizations to execute their cloud migration projects successfully, achieve the desired value from them, and be another step ahead in their digital transformation journey.

No More Waiting Game for Manufacturers: Industry 4.0 Is Already Here

By Sharon Lindstrom, Managing Director
Manufacturing and Distribution Industry Leader

 

 

 

The term “Industry 4.0” isn’t new to manufacturers. What is new, for many of these businesses, is the recognition that the next wave of the Industrial Revolution is already breaking. There is no more time for “Let’s wait and see what this means for our business.” No manufacturer can afford to sit on the sidelines and watch as their industry is transformed by major innovations in digital technology — from cloud computing to big data analytics to advanced robotics to the Internet of Things (IoT). They must be in the game. And to be in it, they must transform their operations digitally.

Embracing big data analytics is an important step on the path to smart manufacturing. It has the potential to affect every step of the manufacturing process. Ultimately, advances in big data analytics are expected to augment the interconnectivity of equipment on the factory floor as part of a larger movement toward the IoT and greater manufacturing intelligence.

That’s a pretty big deal. Yet manufacturers, generally, have been slow to adopt big data analytics, especially in manufacturing operations. This is not necessarily due to lack of interest, or worry about costs, privacy, security or even change itself. The real hindrance is a combination of several significant roadblocks that many manufacturers must overcome before they can implement and execute big data analytics successfully.

These common barriers include:

  • Unwieldy data and processes — Manufacturers facing this problem can take comfort in knowing it’s an issue that plagues most any company pursuing digital transformation. Certainly, there is no shortage of data being produced by the business. The challenge is figuring out how exactly to bring together that ever-ballooning volume of raw data from different systems and sources so it can be analyzed and turned into actionable insights for the business.
  • Disparate systems — This barrier relates to the one above, obviously. Integrating data is complicated by inaccessibility. It is often the case that a business’s legacy technologies have not been designed to facilitate open access to data. The complexity of a typical IT ecosystem makes it very difficult to mine quality data and convert it into a workable format for analysis.
  • Expertise shortage — Finding specialized talent to work with big data — especially professionals with knowledge of the manufacturer’s business and industry — can be a tremendous hurdle. Manufacturers are finding that talent is in very short supply, and extremely competitive to recruit and retain. Over time, as the industry becomes more digitized, manufacturers are likely to face talent shortages in even more areas of their business.

Again, these are just some of the roadblocks manufacturers face. They are not trivial, and companies will find that some are quite persistent. But a manufacturer that wants to be a relevant player in Industry 4.0 must address them sooner rather than later.

Make sure big data projects have a purpose

As manufacturers work to overcome big data analytics obstacles they must not forget an important aspect of their effort: keeping their business strategy in focus. I will come back to this subject and offer a few tips for success in this area in a future post, but the one I want to mention here is extremely important: Identify a specific use case.

Manufacturers should not just “do” big data analytics because they are under pressure to evolve their operations. Any big data initiative should have a clear purpose. Lack of purpose is often the root cause of a company’s struggles to harness its data effectively and turn it into meaningful insights.

Some may consider it an upside that the manufacturing industry has not moved as quickly as other industries to jump on the big data bandwagon. And it is true that manufacturers that have so far taken a “wait and see” approach with big data analytics and similar digital innovations have the benefit of learning from the missteps of early adopters, and can develop a strategy for success based on lessons learned. But they must make their move now, or they risk falling too far behind the digital curve and becoming obsolete in Industry 4.0.

 

 

Data Security Alarms Should Be Sounding for Oil and Gas

By Tyler Chase, Managing Director
Energy and Utilities Industry Leader

 

 

 

Oil and gas industry executives don’t need to see a new Wikileaks story about secret CIA hacking tools or hear more about the electronic penetration of presidential campaigns to understand the seriousness of a potential digital hack to their operations.

But it’s a large step from knowing a risk exists to being ready for it. Achieving confidence in the ability to manage such risk can involve substantial new investments and operational adjustments, even for an industry accustomed to meeting regulatory, operational and market challenges.

Protiviti’s recently released 2017 Security and Privacy Survey indicates that oil and gas companies are facing their cybersecurity challenges in ways similar to other industries. The survey’s main findings include:

  • Nearly one in five companies cannot confidently identify or locate their “crown jewels,” or most valuable data assets, because they lack an effective enterprisewide data classification scheme and policies.
  • How well companies manage their vendors’ security practices marks a notable difference between top security performers and the rest.
  • Companies with a high level of board engagement in information security issues rate considerably higher than those without such involvement in nearly all facets of information security best practices. These companies also report a higher level of confidence in their ability to prevent an opportunistic data breach.

These findings largely correspond to what we have seen among our own energy clients. One difference we have noticed, however, is that energy companies tend to have little to no formal documentation on testing of security incident response plans, compared to other industries. This could mean that energy executives have not substantiated a basis for the same level of breach-prevention preparedness as some other industries. I would argue that as a critical infrastructure, they should.

Although Protiviti energy clients indicate they are committed to security, we see about the same 38-percent level of compliance with implementation of the five core information security policies identified in the Protiviti survey: acceptable use, records retention/destruction, data encryption, information security, and social media policies.

In addition, energy companies, specifically those in exploration and production (E&P), have been hesitant to invest in tools to identify where their “crown jewels” are stored, apparently on the basis that many do not feel their company is much at risk because it does not retain much sensitive data. However, many common processes at E&P companies (i.e., escheat and royalty owner payments) do involve sensitive information protected by state privacy laws (e.g., individual tax ID numbers are actually Social Security numbers). Further, company confidential information, such as reservoir data, land acquisition data, and merger and acquisition activity, would be considered data that requires identification and protection. Very commonly, even where these processes are mostly manual, this information is digitized (e.g., scanned documents) or entered into a system. If the company does not know what data exists and where, it will have a difficult time protecting it.

Energy executives and boards would be wise to ask themselves some worst case scenario questions and know the answers now rather than having to discover them under fire later:

  • If our data assets were compromised, could they be reconstructed, and how long would it take?
  • If field operations were disrupted by an attack on the operational control system, how much revenue would be lost per week? Per month?
  • If competitors or counter-parties were able to learn confidential details of our strategies and plans, where would our company be most vulnerable?

The bottom line is that what you don’t know, such as where your critical data is, can, and eventually will, hurt you. With all issues of cybersecurity, it’s only a matter of time.

Alyssa Brister and Luis Castillo from Protiviti’s Technology Consulting practice contributed to this post.

Board-Level Cybersecurity Discussions Must Be Proactive, Have Substance, and Inspire Real Change

By Gordon Tucker, Managing Director
Technology, Media and Communications Industry Leader

 

 

 

Cybersecurity is a hot topic in most boardrooms today. Not a shocking revelation, certainly. But keep in mind that, in many organizations, it has taken a long time for this issue to even become an agenda item for the board. Among them are technology, media and communication companies, which should be helping to set the standard for cybersecurity best practices. Many of these companies are doing that, of course, but others still have a lot of work to do.

While it is good news that more boards of directors are talking about cybersecurity, there is a problem: These discussions are too often prompted by a headline-grabbing data breach or hack that has rattled the business or its peers in the industry. This reactionary approach needs to change if boards and executive management truly want their organizations to be prepared to weather a cyberattack or other disruptive cyber event, and its potential consequences.

Success in a digitized world hinges on effective cybersecurity

Taking a more proactive view toward cybersecurity will also help businesses to succeed in a digitized and hyperconnected Internet of Things (IoT) world. At the World Economic Forum’s annual summit in Davos, Switzerland, this year, cybersecurity experts discussed how this rapidly emerging world will help businesses to reach new heights of productivity — provided they build effective cybersecurity.

This future is not far off, which is why there is an urgent need for boards and executive management to change how they talk about cybersecurity. They need to focus less on worrying about the potential reputational or financial risks of a single embarrassing cyber incident, like a phishing campaign that targets the CEO, and focus more on helping the business define and develop an overarching set of activities that will help it create a stronger, more resilient security environment.

Board engagement as a cybersecurity success factor

For those boards that still view cybersecurity as primarily an “IT problem” — and they are still out there — Protiviti’s 2017 Security and Privacy Survey presents some findings that should help to change at least a few minds. The research found that organizations that are top performers in terms of adhering to security and privacy best practices have two critical success factors present:

  • Their boards of directors have a high level of engagement in, and an understanding of, information security risks that the organization faces.
  • They have a comprehensive set of information security policies in place, including acceptable use policies, data encryption policies, and social media policies.

One-third of businesses surveyed describe their boards as highly engaged with information security risks. This is a five-point increase from the 2016 survey. Protiviti’s survey report notes that this positive trend “reflects the fact that the [information security] issue is not merely about technology, but rather represents a top strategic risk” for today’s businesses.

Fostering more meaningful discussions

In addition to seeing security as just an IT problem, another reason many boards fail to have meaningful cybersecurity discussions is the sheer complexity and tremendous scope of the issue. Technology touches almost every aspect of the business, and cyberthreats that target systems and data are growing in sophistication. IT teams themselves struggle to understand the rapidly evolving cyber risk landscape.

Another problem: Boards are often provided information about cybersecurity risks that is far too technical. Cyber risks and recommended solutions for addressing them are not being described by technology leadership in business terms that the board can swiftly analyze and make decisions on.

In our 2017 Security and Privacy survey report, we recommend that technology leaders take care to clearly communicate relevant security matters to all stakeholder audiences. For boards, in particular, they should provide information in nontechnical terms to the extent possible, and prioritize discussion of issues based on the business risks that each issue poses to the organization.

By the same token, Protiviti’s security experts who authored the survey report advise boards to start “asking more, and more detailed, questions about organizational security efforts.” These questions, which should be posed to business, technology and internal audit leaders alike, should include:

  • Do we know how the company’s critical data is collected, stored and analyzed?
  • What framework or activities does the business have in place, or is it developing, to help protect our data and our intellectual property?
  • How is the success of those activities measured?
  • If the organization experiences a significant breach, what is the response plan?
  • How are employees trained on cybersecurity issues, how often and by whom?

These are just some examples of baseline questions that can help boards at technology, media and communication companies begin to have more productive and forward-looking conversations about cybersecurity with the business. More important, these questions will help to lay the groundwork for proactive discussions about emerging risks around digitization and the IoT — the next major technological challenges that technology, media and communication businesses must be fully prepared to face if they are to survive.

Some Considerations for Manufacturers as U.S. Lawmakers Work to Peel Back Regulations

By Sharon Lindstrom, Managing Director
Manufacturing and Distribution Industry Leader

 

 

 

It took the new Trump administration essentially no time to start issuing executive orders and presidential memoranda designed to ease regulations on U.S. businesses. Certain changes the administration is advocating would be welcome news for manufacturing and distribution companies, such as:

  • A presidential memorandum that is intended to streamline federal permitting processes for, and to reduce regulatory burdens that affect, domestic manufacturers.
  • An executive order that orders a review of the Dodd-Frank Wall Street Reform and Consumer Protection Act (DFA). Scaling back these financial regulations, which were instituted in 2010 following the financial crisis, would reduce reporting requirements for many businesses.

Potential Suspension of DFA Section 1502

One DFA-related change that the Trump administration is reportedly considering could benefit many manufacturing and distribution companies: suspension of Section 1502. The so-called Conflict Minerals Rule requires certain public companies to disclose whether they use specific conflict minerals that originated from the Democratic Republic of the Congo or nine adjoining “Covered Countries.” Conflict minerals, such as tin, tantalum, tungsten and gold, are used to manufacture products across a wide range of industries, including technology and consumer products. Section 1502 required companies to assess whether any manufactured products contained such minerals and determine whether these materials originated in the Covered Countries by conducting supply chain due diligence and reporting annually.

Overtime Exemption Rule on Ice

The future is also uncertain for the controversial Fair Labor Standards Act overtime rule, which was introduced during the Obama administration and was supposed to go into effect on December 1, 2016. The rule increased the threshold for overtime pay whereby salaried workers who earn less than US$47,476 annually would be eligible for overtime pay when they work more than 40 hours a week. Companies must either compensate these workers with overtime pay or raise their salaries so they are above the threshold.

The National Association of Manufacturing’s Center for Manufacturing Research has estimated that overtime costs for manufacturers will reach $24 billion within the next 10 years under the Obama overtime regulations. However, the final overtime exemption rule under the Fair Labor Standards Act was blocked by a federal court in Texas one week before its effective date. In January, the Trump administration essentially put the rule on ice following a regulations freeze.

Regulatory Risk: It’s Still Out There

Manufacturing and distribution executives must consider the potential risks that accompany regulatory changes that are already in the works or that may be on the horizon. Industry executives who took part in the latest Executive Perspectives on Top Risks Survey from Protiviti and North Carolina State University’s ERM Initiative cited the following as a top risk for their companies in 2017: Regulatory changes and regulatory scrutiny may heighten, noticeably affecting the manner in which our products or services will be produced or delivered.

Change takes time, and many of the regulatory changes proposed in recent weeks could take years to fully play out. As The Wall Street Journal noted in a recent article about Trump’s executive order stipulating that government agencies eliminate two regulations for each new regulation they introduce: “[Any] effort to scrap a regulation triggers its own process, complete with draft rules, comment periods, and regulation rewriting. That process [also] can be subject to litigation.”

While certain changes would be welcomed by manufacturing companies, the changing global trade landscape must be monitored vigilantly, as well. The Trump administration’s approach to trade and negative view toward multinational trade agreements are likely to create previously unanticipated challenges, costs and risks for manufacturing and distribution companies inside and outside of the U.S. For some of these businesses in the U.S., any potential regulatory relief may be offset, at least in the short term, by revisions to free trade agreements that could impact the ability to conduct business with trusted partners in other countries.

Still, for now, manufacturing and distribution companies have a lot to be optimistic about. Even before Trump took office and started taking steps to ease regulations, there were signs that the U.S. manufacturing industry was beginning to grow again. The Institute for Supply Management Index hit 56 percent in January, rising 1.5 percentage points from December and exceeding many economists’ expectations. This is the fastest pace of growth in more than two years.

Building Cyber Resiliency Is the Path to Better Brand Protection for Consumer Products and Services Companies

By Rick Childs, Managing Director
Consumer Products and Services Industry Leader

 

 

 

Last week, I wrote about customer loyalty, and how a strong cybersecurity program can help ensure the trust of consumers. Here are some fresh stats about the business impact of cyber threats that consumer products and services executives should know about: In 2016, one in five businesses lost customers due to a cyber attack. Nearly 30 percent lost revenue. About one-quarter lost business opportunities. And when a breach occurred, brand reputation was one of the top areas of the organization to be affected, right behind operations and finance.

These unsettling findings are from the Cisco 2017 Security Capabilities Benchmark Study, featured in Cisco’s latest cybersecurity report. Combine these data points with all the news about recent hacks and breaches involving major retailers, restaurants, hotels, and other consumer products and services companies, and it becomes crystal clear why industry executives are extremely concerned about cyber threats.

In the latest Executive Perspectives on Top Risks Survey from Protiviti and North Carolina State University’s ERM Initiative, which I referenced in my recent post, respondents from consumer products and services businesses also cited the following risk among the top five for their industry group in 2017:

Our organization may not be sufficiently prepared to manage cyber threats that have the potential to significantly disrupt core operations and/or damage our brand.

The research also shows that the risk score for this concern increased significantly from the 2016 survey.

Consumer respect and trust are at stake

For consumer products and services companies that spend millions of dollars annually to cultivate and promote their brand image, a hack or a data breach can be devastating to their reputation — and their bottom line. These events can lead not only to long-term brand damage, but also the loss of the public’s respect and trust. This is especially true if customer data is compromised or stolen, leaving people at risk for financial loss and identity theft. Even if a company can recover quickly from such an event and make things right with its customers, its image will likely remain tarnished for some time to come.

Unfortunately, cyber threats (and privacy concerns) will become only more severe as businesses and consumers increase their reliance on technology in all aspects of their lives; digital commerce and mobile payments continue to grow; and the emerging Internet of Things (IoT) expands. Over time, consumer products and services companies will need to significantly increase the data they collect to provide highly customized products, services and experiences to their customers.

These trends underscore why consumer products and services businesses must make improving cybersecurity and building cyber resiliency even higher priorities — starting now.

Developing a world-class response to a high-profile crisis

Most executives today understand that a cyberattack is not a matter of if, but when, for their organization. Taking steps to prevent hacks or breaches should always be a high priority for any business, of course. But what is even more important is creating a well-thought-out and tested action plan that will allow the company to respond swiftly to a cyber incident, mitigate the impact of that event on the business and its customers, and protect the brand.

A recent issue of Protiviti’s Board Perspectives: Risk Oversight offers some insight that can help consumer products and services companies better protect their brand reputation in an increasingly treacherous cyber threat landscape. One of the “10 essential keys” to risk management outlined in the document — developing a “world-class response to a high-profile crisis” — is particularly relevant to the cyber threat discussion.

Creating a world-class response requires that the board of directors and executives ensure, long before a crisis hits, that:

  • The risk assessment process has been designed to identify areas where preparedness is needed.
  • A crisis management team is in place and prepared to address a specific sudden crisis scenario; otherwise, a rapid response will be virtually impossible.
  • Response teams are supported with robust communications plans that emphasize the importance of transparency, straight talk and effective use of social media.
  • Response teams update and test their rapid response plans periodically.

These actions can strengthen organizational resiliency. When developed with cyber threats specifically in mind, they help to build cyber resiliency. Preparing to reduce the impact and proliferation of a cyber event is paramount for any modern business. For consumer products and services companies, it can make all the difference in maintaining their customers’ trust, preserving the long-term health of their brands, and being able to confidently face the future.