By Brandon Tanner, Rentsys Recovery Services, and Rick Phillips, Stickley on Security:
With malicious threats such as ransomware continually in the news, it’s hard to deny the reality that cybersecurity is one of the top issues facing businesses today. A cyber attack can happen anywhere and anytime. In fact, in a single year, 80 percent of businesses experienced a cyber attack, and more than 70 percent of targeted businesses were infected.
However, while business continuity planners and business leaders recognize cybersecurity as a concern — 87 percent say it’s the number one threat — they struggle to translate this risk into an effective business continuity strategy. Plus, planners don’t always have the technical knowledge required to engage IT personnel and support them during an attack.
So how do you incorporate cybersecurity into your business continuity program?
- Identify the information security roles that need to be involved in the business continuity response. These personnel might include the CEO, CIO, information officer, information security architect, system administrator and end users. For support, you may also choose to include auditors, disaster recovery staff or human resources staff.
- Identify foreseeable cyber threats that affect business continuity. Traditionally, business continuity interruptions were classified as events such as natural disasters, power outages or technical failures. Now, some cyber events are crossing over into the territory of business continuity. These events include ransomware, a data breach or a cyber attack on the supply chain.
- Define information security needs for backup sites and alternate communication networks. Your production environment is likely configured to meet a certain level of security. It’s essential that the backup environment and alternate communication networks mirror these same controls. Otherwise, your organization leaves itself vulnerable in the event that it has to bring up the backup environment. Work with your IT and information security teams to evaluate security protocol for the following:
  - Hardware — mainframe, mid-range, servers, network, end-user equipment, operations processing equipment and office equipment
  - Software — applications, operating systems and utilities
  - Communications — network, telecommunications, data files and vital records
- Develop policies and procedures. To develop an effective business continuity response to cyber incidents, you first need to gain executive support and engage those responsible for information security. Working together, the business continuity and information security teams can determine the types of cyber events that will trigger the incident response plan and/or business continuity plan. The teams should collaborate to determine procedures for post-incident follow-up and remediation. Finally, the business continuity plan should be tested using one of the cyber scenarios identified as a trigger for the plan.
- Take steps to avoid cyber threats. Prevention is always better than cure. Are your policies and procedures enforced with technology, training and education? Common weak areas include the following:
  - Improper storage or handling of confidential information
  - Unauthorized transmittal of wires or W-2s
  - Opening or responding to unfamiliar or unexpected email links and attachments
  - Unfiltered web access
  - Unsegmented network
  - Internet of Things devices
Technology can mitigate some of these threats (e.g., encryption, email and web content filtering, remote device wiping). However, you also need an ongoing cybersecurity training program. Employees need to know how to respond to common cyber threats like phishing attempts (phishing tests can help you gauge how effective your training is).
To maintain the top-level support you need, executives and board members need to be apprised of the latest security threats, IT technology and security issues. Be sure they receive the results of any IT security-related audits and assessments.
You might be thinking, “I’m on board with handling the business continuity response to a cyber incident, but cybersecurity education isn’t really my responsibility.” In fact, cybersecurity is everyone’s responsibility. Regardless of which department “owns” the cybersecurity awareness training program, get involved and do what you can to improve your organization’s preparedness.
As threats become more sophisticated, the risk of a cyber incident bringing your operations to a halt increases. Don’t delay making cybersecurity a part of your business continuity plan.
About the authors:
Brandon Tanner’s technology experience spans software, hardware, and service solutions for financial institutions and other regulated industries. He is the senior manager for Rentsys Recovery Services, where he is responsible for the company’s business continuity and disaster recovery products and services.
Rick Phillips has more than two decades of experience creating disaster recovery solutions and services for financial institutions. He partnered with Jim Stickley in 2014 to launch Stickley on Security to help companies prevent and address cybersecurity disasters such as data breaches and malware attacks.