Cyber security vs cyber resilience – what’s the difference?

One of the things that the WCRC focuses on is the importance of cyber resilience, and the reason for this is that we want to promote more than just cyber security.

So is there a difference?

Yes, cyber security focuses on preventing, detecting and responding to attacks on an organisation’s network. And there are numerous methods deployed as part of an organisation’s cyber security such as firewalls, antivirus software, maybe encrypting sensitive data, which all then contribute towards a strong cyber security position, which we hope will keep the criminals at bay.

But cyber resilience is more than just setting up these technical measures. Being resilient means ensuring that your organisation can withstand and recover from a cyber incident. This means not just relying on preventative barriers, but putting in place policies and processes, and raising awareness among employees of the potential methods of attack. A focus on cyber resilience means minimising the impact of a cyber-attack, ensuring that systems can recover quickly and continue operating effectively, and so limiting the impact on your business continuity.

Both cyber security and cyber resilience are important to your organisation, but put simply, while cyber security focuses on preventing breaches, cyber resilience recognises that despite investing in security, breaches can still occur. For this reason, it’s important to combine your approach so you protect yourself from an attack, but where a breach does occur, you are in a position to quickly recover and minimise the impact of that attack.

Cyber security and cyber resilience are crucial elements for creating a strong cyber security strategy. If we use a castle as an analogy, think of cyber security as being the walls. Castles often have multiple ringed walls, with a centralised strong area known as a keep. This defence in depth is a concept recommended within cyber security.

Cyber resilience would then equate to the ability of that castle to withstand attacks and rebuild a breached wall if needed. So this, in our analogy, would be the occupants of the castle, whether as an archer, knight, or being responsible for wall maintenance. And there is no doubt that the better trained they are in those roles, the more resilient the castle would be to an attack – which is a transferable concept to businesses and organisations in the modern world.

The National Cyber Security Centre is the leading authority on cyber security in the UK, and it advises taking a comprehensive approach which incorporates both cyber security and cyber resilience. It recommends assessing the risks to your organisation’s information and systems with the same vigour you would for legal, regulatory, financial or operational ones. This needs your business to create a risk management regime across your organisation, with support from your management board and senior managers.

The 10 Steps to Cyber Security is a great starting point, and recommends measures such as producing user security policies covering acceptable and secure use of your systems; staff training to maintain an awareness of cyber risks; establishing an incident response and disaster recovery capability and testing your incident management plans.

By recognising the distinctions between cyber security and cyber resilience you can implement a comprehensive strategy that integrates both, making you better positioned to protect yourself against cyber-attacks and to minimise their potential impact.

This is where the CRC for Wales can help you. As well as providing guidance on measures that can be implemented to reduce your vulnerability to an attack, we also provide cyber security services at a discounted rate delivered by our CyberPath team. This includes security awareness training, which is delivered without using technical jargon, vulnerability assessments to provide reassurance that you have an appropriate level of security in place and a policy review service.

If you’d like to become a member of the WCRC and receive regular threat updates, national guidance, resources and more, sign up for our FREE core membership programme. If you have additional cyber requirements, there are options to upgrade to one of our affordable packages.
