With volume of cyber breaches going up and, organizations lose millions of dollars to recover from a cyber-attack and suffer damaged reputations. To proactively address these cyber threats, organizations need to continuously monitor potential cyber risks and develop strategies on a continual basis.Download a Insight
Many times over, we have heard business leaders say they agonize over managing cybersecurity risk and shielding their organizations from an attack. We have seen the sophistication and volume of cyber breaches go up, and, following a breach, organizations lose millions of dollars on recovering from a cyber-attack and suffer damaged reputations. To proactively address these cyber threats, organizations are continuously monitoring potential cyber risks and developing response strategies on a continual basis. However, there is a need to integrate these response strategies to the organization’s business continuity program, so in the case of an event, the organization can respond with a well-coordinated plan.
According to the 2016 Ponemon Study on the cost of a data breach, organizations that weave in cyber security within business continuity management (BCM) plans significantly reduce the mean-time to address a data breach, as well as the likelihood of experiencing a similar incident in the near future. Additionally, a well-defined business continuity program helps cut the costs of a data breach by an average of $9 per record by keeping business operations up and running.
In the case of the 2012 LinkedIn data breach that resurfaced in 2016, where more than 117 million email and password combinations were stolen and used by hackers, more than the traditional preventive and defensive measures covering firewalls, malware detection, and antiviruses, there was a need for a greater focus on an agile and rapid strategic response.
The increase in the number of these attacks require diligent attention from information security and business continuity management (BCM) leaders, since cyber-attacks can cause prolonged disruptions to their critical business operations. These leaders can overcome these challenges by adhering to the below 8 point strategic and tactical plan.
THE STRATEGIC PLAN SHOULD:
Involve leadership teams in managing the response strategy
The main challenge in aligning business continuity and cyber security responses lies in getting the appropriate organizational leadership together to formulate a response strategy and make timely decisions. Both the BCM program managers and the CISOs need to have periodic status updates on the true business impact of the incident, in addition to the details on the IT impact of the event.
The leadership would be able to have better control of the situation if they have a key stake in devising appropriate continuity strategies, show active involvement and be accountable during emergency procedure drills, and ensure that the recovery plans are triggered as soon as the continuity plan is activated. They would also need to ensure that the continuity team has the necessary plans in place to respond to and recover from events that cannot be controlled or mitigated.
Employ a cloud-based business continuity program
A cloud service ensures that an organization’s critical data, applications, and BC/DR processes are secure off-site on the cloud service provider’s servers. An organization can then leverage lower specification systems as replication targets for data, applications, or systems.
Using cloud helps the organization to quickly ramp up their systems in the case of a disaster, deploy the BC/ DR applications faster, and size up and down based on the demand. In addition, keeping in mind that cloud operates on the pay-as-you-use model, it allows organizations to significantly lower their costs of cloud-based BC/DR as compared to redundant hardware and data storage hosted in a remote facility.
In an age where a few minutes of down time can mean hundreds of thousands of dollars of revenue loss, cloud based business continuity ensures interruption-free data flow for maximum productivity.
Align business continuity and cyber security responses
In order to protect against evolving cyber threats, organizations have to be fully prepared to embrace and implement a streamlined cyber resilience program as a part of their business continuity planning process.
Worryingly, the Business Continuity Institute’s (BCI) Horizon Scan Report ranks cyber-attacks and data breaches such as skimming, insider threats, corruption of sensitive data, and critical infrastructure disruptions as the top threats to business continuity in organizations.
Organizations would do well to ensure that their continuity plans encompass and address factors such as systems and applications that secure the organization’s cyber-security perimeter, as well as processes related to critical technologies that can be disrupted in case of an event. Moreover, these measures work well when they are not restricted or defined by a series of checklists, but are a continual process.
Develop a supply chain business continuity framework
Taking accountability for continuity planning across the supply chain lies with the organization’s business continuity management program. The program would need to prepare in advance to unexpected environmental, political, and financial events that could disrupt the supply chain.
Deloitte’s global survey on “Third-party Governance and Risk Management” stated that close to 87% of the respondents have encountered a disruptive incident involving a third party in the last 36 months, which lead to loss of critical data or inability to deliver the product or service when required.
This requires organizations to assess their business continuity responses across its supply chain by identifying their key suppliers and associated risks. Managing and monitoring continuity risks from their suppliers are imperative to executing continuity strategies in an appropriate manner. This also means that organizations will need to have clear visibility of risks in their supply chains.
THE TACTICAL PLAN SHOULD:
Address post incident responses comprehensively
After an incident has been remediated, there is a need for imposing stronger security measures in order to combat evolving threats and vulnerabilities. The leadership and the relevant teams would need to take responsibility for changing the existing IT security policies or enhancing advance strategies for effective risk mitigation procedures.
Post-incident strategy improvement needs to include updating the documentation on the business continuity program regularly, which also includes lessons learnt. Regular exercises on conducting a cybersecurity assessment will ensure that the IT and leadership teams are communicated to clearly and frequently.
Relate cyber risk management to business continuity plans and exercises
Organizations need to be aware that cyber security risk management is a key catalyst to effective business continuity planning and exercising. By developing, implementing, and testing risk management strategies, they can provide their businesses with a level of resiliency and operational insurance to withstand unexpected threats.
This involves identifying “crown jewel” information assets, performing and including explicit risk assessments in the continuity risk management process, and identifying the operational controls gaps. This helps organizations develop appropriate tactics to determine how they can achieve continuity and recovery in the event of a data breach.
Devise an effective crisis communication plan across stakeholders
It is important for leadership and crisis and emergency management teams to be prepared to deal with disruptions such as cyber-attacks, data breaches, security incidents, and IT systems failures. Emergency notifications need to communicated to the intended audience through alerts via mobile, and other channels to employees and stakeholders. He/she should be able to clearly understand the effect of this information and the required follow up actions. Moreover, the crisis team should have a team in place to control social media to avoid any reputational impact in case the event is externally visible.
Include business impact analysis as an integral part of the cyber risk management process
The business continuity planners and cyber-security teams could work together to play a key role in the BIA process - right from planning to execution. This would include identifying the most critical assets (functions or applications) and cyber-related disaster scenarios, and evaluating the effect of the incident to business operations as a result of a disaster or an emergency. The teams should also analyze the impact across various dimensions such as financial stability, third-party impact, employee impact, downstream and upstream process impact.
Organizations also need to identify the third parties engaged and the potential impact in the case of a third-party disruption. Another important point to keep in mind is to ensure that response strategies to address the potential impact are in place by the functions and lines of business. The two teams would need to have a detailed work-around to gain access to critical applications in the case of an incident.
In short, a robust and streamlined approach to plan for cyber-attacks as an integral part of the business continuity blueprint should include: identifying key roles and responsibilities, developing response protocols, cyber-risk assessments, crisis team training, emergency notifications capabilities, and proactive incident response. A “one team, one dream” approach enables organizations to deter the impact of likely disruptions with faster responses to cyber incidents, as well as quicker recovery.
5 Point Checklist to Assess Cybersecurity as a Key Dimension in Your Organization’s Business Continuity Management Process
- Are cyber-attacks included as a top threat to business continuity in your organization?
- Are business continuity plans triggered in case of a cyber-attack?
- Do you evaluate the effectiveness of the business continuity plan in the context of a cyber-attack?
- Do you include cyber incident response as a part of the crisis management process?
- Are joint exercises planned with information security and business continuity teams to validate plans and collaboration activities?