With cyber-attacks increasingly aiming to create business disruption, it is important for organisations to ensure that cyber security and business continuity management teams work together, says Terry Storrar. Here he outlines the advantages of integration between these two protective disciplines.
The growing range, frequency, and sophistication of cyber-attacks have not only underlined the vulnerability of today’s IT networks, but have increased the pressure on business continuity planning.
A glance at the headlines on any given day illustrates the point. For example, the recent attack on IT management software vendor, Kaseya, resulted in a malicious update containing ransomware being sent to around 50 of its managed service provider (MSP) customers.
From there, some 1,500 customers further down the supply chain were also impacted. Some saw their data encrypted with the inevitable disruption that brings, and media reports spoke of ransom payments being made for access to decryption keys that didn’t release all the locked data.
Given the stealth exhibited in designing these attacks, pragmatic organisations and their security teams now take the view that attacks on their infrastructure and risks to their data are no longer a case of ‘if’ but ‘when’.
This mindset is sensible but requires some joined-up thinking to deliver an effective mitigation and response strategy. While keeping attackers and malware out is still the foundation of most approaches, protecting customer data is taking on greater importance.
Integrated Planning Pays Off
This is where security and business continuity managers need to work hand in hand. While high levels of security will deter (almost) anyone, most organisations tolerate a range of vulnerabilities and it’s vital that data is recoverable so they can quickly and efficiently resume normal operations after an attack.
Here’s where pragmatism continues to play a role. Deciding how much time and investment to put into business continuity processes and technologies should be based on individual businesses weighing up their appetite for risk. No one has a limitless capacity for spending, so IT and security teams need to be smart about their resources and risk levels.
In practical terms, steps such as replicating data, putting comprehensive security policies in place, and removing vulnerabilities are all minimum requirements for continuity planning. Take replication, for example, which can help ensure any infected environment can be repaired and restarted while the business continues to operate.
Don’t forget, the primary aim of a ransomware attack is to disrupt normal ways of working. The more critical, sensitive, and operational data that can be replicated and supported by good structure and policies, the better the chances of mitigating the damage an attack can cause. The fundamental point that many organisations miss is that this is integral to business planning and illustrates why cyber security and business continuity work more effectively when they are integrated.
Think of it this way: when organisations reverse engineer continuity risks to identify what technologies, data, and processes keep them in business, they stop looking at the issues from the outside in and focus on business continuity priorities. Imagine a situation where someone has their car broken into: while it’s an inconvenience, it’s only really damaging on a day-to-day basis if the owner also left their laptop and phone in there. Every organisation has an operational equivalent of that scenario and should create a strategy that minimises avoidable damage and losses.
Circling back to the challenges that organisations face on a daily basis, businesses should also focus their approach on their technology supply chain and work with partners and service providers that can match their security and continuity priorities. In the MSP context, for instance, look for providers with the scale, resources, and accreditations to protect multiple customers. Other important questions should focus on their security and continuity track record and also their willingness to share customer references. They should also demonstrate an ability to understand the unique needs of customers operating in niche markets, whose risks may be very different from those in the business mainstream.
These choices are particularly important for larger businesses that may need specialist security to make it as difficult as possible for cybercriminals to cause damage. These are wise investments; organisations that spend money on recovery after the fact almost always see a worse outcome than those that understand the close relationship between security and continuity. Planning with the assumption that an attack will, at some point, succeed doesn’t devalue the importance of keeping attackers out, but accepts the reality that business continuity is an essential part of security and vice versa.