
Building cyber-resilience by design

Daryl Flack at Avella Security offers a strategic mandate for commercial organisations

In the wake of recent high-profile cyber-attacks on major brands such as M&S, Harrods, Cartier, Dior, and the Co-op, it’s clear that commercial organisations are increasingly becoming attractive targets. Cyber-criminals aim to cause maximum disruption, erode customer trust, and extract financial gain, often by exploiting gaps in cyber-resilience.

These incidents signal a critical truth: commercial enterprises must adopt the same strategic approach as Critical National Infrastructure (CNI) operators if they want to become a harder target to compromise. This means moving beyond reactive fixes and compliance checklists toward a model where resilience is embedded from the ground up: from design, build and test, through implementation and operations, to ongoing service improvement. Vitally, this needs to permeate the culture of the organisation.

Why “resilience by design” is business-critical

While all UK organisations are bound by certain regulations such as UK GDPR, those in regulated sectors like finance, healthcare, energy and utilities, transport, and telecommunications carry heavier burdens. 

While placing lesser cyber-security burdens on non-CNI sectors may have once seemed reasonable, many of those organisations are now discovering, often too late, that they are facing the same threats and attackers as CNI sectors.

Unfortunately, even where non-CNI businesses do follow good practice frameworks, this is often seen as an IT concern or a compliance obligation, treating audits as box-ticking exercises rather than opportunities to build genuine resilience.

The key differentiator between CNI and non-CNI entities is not just infrastructure or impact, it’s the fear of enforcement. CNI entities face stringent obligations, and punitive penalties should they be found to be in breach. This compels them to mature their cyber-capabilities.

Commercial organisations, in contrast, often lack the same level of external or internal pressure and, in many cases, aren’t fully aware of the risks they carry. This lack of consistent pressure to improve contributes to strategic underinvestment, weak incident preparedness and, more generally, to UK plc being a desirable target for attackers.

As a result, many take a reactive approach to cyber-threats, underestimating both the likelihood and impact of attacks. Budgets are limited, security teams are stretched, and board-level understanding of cyber-risk remains inconsistent.

“Resilience by design” demands a shift in mindset. It involves architecting systems and services with built-in resilience from day one, prioritising risk-based, proactive security, cultural alignment and strategic investment. It’s not just about avoiding breaches; it’s about ensuring operational continuity when breaches happen.

The seven steps of resilience by design

To close this maturity gap, organisations must embed resilience into every stage of business and system design. These seven iterative steps provide a roadmap:

1. Identify critical assets and services

Understand the impact of loss of service. Engage stakeholders, map business processes and create a prioritised list of assets and services based on their criticality to the business and the impact of them being unavailable.

2. Identify how things can fail

Assess your system as a whole (including dependencies on third parties) rather than its individual component parts. Identify interactions within and between systems and undertake scenario and threat modelling to anticipate how failures and attacks may occur.

3. Embed security and resilience

Ensure controls are designed in (ideally from the start). Apply secure-by-design principles, review controls regularly and monitor and alert for anomalous events and unusual activity.

4. Cyber-aware culture

Build situational awareness and preparedness. Align incentives and KPIs with resilience goals, ensure all staff members are aware of the cyber-threat and its impacts, and provide tailored and targeted awareness training.

5. Prepare to respond and recover

Design and test incident response capabilities. Develop playbooks, regularly rehearse using tabletop and live exercises and ensure recovery from backups is achievable by testing it regularly.

6. Continuously improve

Learn from tests, near misses and incidents (not just your own). Perform root cause analysis, use threat intelligence to inform changes to business and risk models and security controls, and track resilience metrics and performance.

7. Ongoing governance and assurance

Hold yourself to account. Undertake regular cyber-risk reviews and independent security testing and carry out internal and external audits against frameworks like NCSC’s CAF, ISO 27001, or NIST.

CNI-inspired measures for the commercial sector

In addition to the seven steps, commercial organisations should embrace practices proven in the CNI space:

  • Zero trust architecture: Trust nothing by default. Continuously verify users and devices before granting access.
  • Segmentation: Limit the impact of breaches by segmenting networks, systems and even processes into isolated zones.
  • Supplier risk management: Evaluate and monitor third-party security postures, especially in complex supply chains.

These measures help transform theoretical security plans into actionable strategies that improve over time.

Case Study: UK Smart Metering

A powerful example of “Resilience by Design” in action is the GB Smart Metering System, a national programme developed to provide secure and reliable energy data exchange across millions of homes.

The Department for Energy Security and Net Zero (DESNZ) and the Government Communications Headquarters (GCHQ) designed the Smart Metering System with proportionate, practical security controls and one clear guiding principle: no single point of failure should compromise the entire system. Resilience was embedded across all layers of the system’s architecture, following rigorous risk analysis and strong governance.

Key elements of the architecture were as follows:

  • Threat and risk assessments: Having a tailored, detailed and up-to-date threat and risk assessment ensures that smart metering security controls are targeted, appropriate and proportionate to the current threat landscape and the business models that are in operation.
  • End-to-end trust model: The system uses a Public Key Infrastructure (PKI) to authenticate and encrypt key communications between smart meters, the Data Communications Company (DCC), energy suppliers and authorised third parties. Trust modelling begins by identifying how entities interact and where trust needs to be placed and enforced.
  • User privacy by design: Meters are configured to trust only the supplier (or authorised agents) with sensitive consumption data. No third party, including the DCC, has visibility of granular usage data without explicit user consent. This privacy-preserving model is enforced technically and contractually, demonstrating how trust boundaries can be codified and protected.
  • Device assurance: Smart meters are evaluated by National Cyber Security Centre (NCSC) assured test labs to ensure they meet the strict security requirements needed to allow installation into people’s homes.
  • Tamper detection, monitoring and alerting: Smart meters include mechanisms to detect and report physical tampering. Meters and their supporting systems can also detect and respond to anomalous digital events. These alerts enable early intervention and help preserve system integrity.
  • Assurance: Ongoing independent third-party assurance activities for devices, organisations and the DCC are undertaken regularly to ensure the system evolves in line with the threat landscape whilst complying with regulatory obligations.
  • Governance: Smart metering has a strong, independent and overarching governance model that is responsible for all aspects of cyber-security. It monitors and maintains assurance activities to ensure the smart metering end-to-end architecture remains current and fit for purpose.

The GB Smart Metering System exemplifies how resilient architecture, secure-by-design principles and collaborative governance can secure a national digital service. While commercial organisations may operate on a smaller scale, the principles of threat, risk and trust modelling, resilience by design, and strong governance and assurance are all broadly applicable.

Commercial enterprises looking to emulate this model should begin with a clear understanding of assets and trust boundaries, threat actors, and mission-critical processes, embedding resilience into both architecture and operations from the outset.

From compliance to confidence

Cyber-attacks are inevitable. The true differentiator is how well an organisation anticipates, absorbs, and recovers from them. Compliance alone doesn’t deliver resilience. Culture does.

Commercial organisations must decide: continue to rely on certificates and box-ticking exercises to prove their security, or lead the way by adopting a proactive, CNI-inspired approach.

Daryl Flack is a Partner at Avella Security

Business Reporter
© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543