How to integrate Cyber security into a Business Continuity framework

In my last blog (https://www.fifthstep.com/node/213) I wrote that Cyber Security and Business Continuity should ideally work together to streamline a well-coordinated response to any attacks or data breaches, minimise costs and protect reputation. In this blog I will look at specific pragmatic actions that would be required to achieve this integration.

These include:

Leadership involvement: Business continuity leadership usually includes representatives from each area of the business, who together serve as the crisis management team. This group is therefore best placed to assess the business impact of a cyber attack and to influence decisions on whether, and when, to shut systems down. Appropriate organizational leadership consequently needs to work with the IT team to formulate a response strategy and to make timely decisions during events caused by cyber disruption.

Business Impact Assessment: Consider the most recent business impact assessment (BIA). Does it fully identify all critical IT systems, processes, data and locations that support the organisation’s revenue, customer information, trade secrets and other assets, so as to aid successful business recovery? Identifying all such critical elements of IT-related operations is the first step in mitigating and combating cyber threats. You must consider reasonable worst-case scenarios to conduct an effective analysis and establish a clear idea of what exactly could happen to your organisation if it were affected by a cyber security breach.

Risk Assessment: Cyber attacks are a new dimension of exposure that must be treated as a top threat within an organization’s business continuity framework and assessed accordingly. Cyber security is often treated as an IT issue, so it is not surprising that the risk is usually assessed from an IT perspective, with mitigation strategies based on infrastructure changes, software fixes and the like.

In reality, a comprehensive risk assessment of an unplanned IT or telecommunication outage caused by a cyber attack needs to be carried out by IT in coordination with a cyber security/information security expert. Ideally this is done in consultation with business continuity leadership, in order to arrive at a business continuity framework that accounts for the organisation’s technology dependencies.

Business recovery strategy: When a breach occurs, speed and agility of recovery are critical, and both depend on a properly designed recovery strategy. The results of the BIA and the risk assessment must be analysed by cross-functional teams that may include IT, business continuity leadership, and the organisation’s cyber security/information security expert.

Business recovery strategies must be developed with all potential cyber security events taken into consideration. They should be linked to the organisation’s business continuity and crisis response plans to ensure a speedy and well-coordinated response to a cyber incident. There should also be a means of learning from each incident, so that lessons from the event can be factored into your plans going forward.

In addition to the best practices that bolster IT security, identifying the procedural details of computer backups, data restoration methods and minimum software requirements is crucial to re-establishing technology, and with it the continuity of critical business processes, in the event of an attack.

Communication plan: Crisis communication plans need to be updated to cover emergency notifications as well as external communication needs during a cyber attack. The crisis management team must integrate the organization’s official or mandated response for any crisis situation with the specific communication needed to manage social media and other online channels. This helps maintain consistency in external communication and ensures that the company’s reputation is managed well.

Cyber & Business Continuity tests/exercises: Cyber exercises are an essential tool for organizations to evaluate their cyber incident preparation, mitigation, response and recovery capabilities. Organizations should periodically conduct a cyber security exercise so that both IT and the leadership team can practise their response roles, and so that the communication and decision-making needed to control the response and its impacts actually takes place.

These exercises can also be used to educate staff on the technology and business continuity policies and procedures that counter cyber attack strategies.

Your business needs rigorous and regular testing of backup and recovery systems, which gives management assurance that in an emergency your business systems will be able to fully support any restoration or continuity needs. Testing of the defence-in-depth architecture (the multiple redundancies established for IT and telecommunications) is the key consideration during cyber tests and exercises. At the same time, the availability of BCP response plans and manuals to the business recovery team members is key to an effective response mechanism, and this too needs to be tested during such cyber exercises.

Suppliers: The cyber resilience of suppliers is expected to have an increasing influence on an organization’s own cyber resilience. It is recommended that key suppliers and their associated risks be identified so that continuity strategies can be executed appropriately. These key suppliers need to be involved in any BCP tests/exercises, both to seek assurance on their contractual obligations and to evaluate the effectiveness of the BCP recovery strategy.

To find out how Fifth Step can help you, please visit www.fifthstep.com

Mrudula Sakpal