This week Charlie talks about the links between cyber security and business continuity.
Yesterday I went to an excellent seminar, organised by the Scottish Business Resilience Centre, called ‘Trading Security for Business’. It was all about the threats to mobile devices and how to secure them. By the end of the day all I felt I could do to protect myself from hackers, was to switch off my phone, secure it in a faraday cage and then throw it in the deepest part of the sea. Even after all that, I know someone will still be able to hack into it and steal all the information to sell on the dark web!
As you do at these events, the first thing I looked at was the delegate list, hoping to see a few familiar faces or at least someone to chat to at lunch. What I was struck by was the complete lack of anyone I knew or anyone who had a business continuity role. Most of the people at the seminar were either law enforcement, cyber product retailers, academics or a few people from large organisations with cyber responsibilities. There was not one person who I had met before or who had attended a similar themed day a couple of weeks earlier, at the Scottish Continuity Group Resilient Scotland 2016 event. It appears that business continuity people are happy to learn about cyber security if the seminar is billed as a business continuity event, but it is out of their comfort zone if the event is billed as a cyber event.
After the event I spoke to Keith McDevitt, Cyber Integrator at Scottish Government, who spoke at both events, and when I remarked on the lack of business continuity people at the seminar he said, and I quote:
“We need to get the (business continuity) guys more engaged in this…”.
Most business continuity people seem to be comfortable working with IT people on disaster recovery, but they seem to shy away from engaging with them on cyber security. Perhaps it is seen too ‘techy’ to have any synergies with business continuity. Again, as with last weeks’ blog on emergency response, business continuity people risk marginalising themselves if they do not embrace, and get involved in cyber security.
The most obvious area to get involved in is the area of incident response. As guardians of the strategic/crisis plan, a cyber incident is just another possible scenario in the long list of incidents we should be prepared to deal with. The techies will manage the technical response, but there are huge issues for the strategic team to manage which deal with basic reputation management:
- When do you declare to your stakeholders that you have had a data breach?
- Do you know how bad the breach is and what you have lost?
- How do you manage communications to your interested parties?
- How do you frame your communications, do you portray yourself as a victim or are you the villain as you have not taken adequate care to protect the interested parties data?
Most of the issues associated with a cyber breach are no different to any other reputation issue.
One of the other areas where there is a large crossover with cyber security is in the area of data and information. As part of our BIA threat assessment we identify the critical data and documents within the organisation. We look at the criticality of their paper documents and make recommendations to ensure that they are more secure. As part of our review of IT, which underpins priority activities, we identify the critical data and applications which are required to recover the activities. Within the current BIA process it would not add much more work to identify the sensitivity of the data held by different departments such as key intellectual property, personal/financial information and customer lists. This information could be presented to senior managers and then provided to IT to use their technical expertise to ensure that the information receives additional or appropriate protraction.
Cyber security is considered one of the biggest threats to organisations at present and we as business continuity people have to adapt to the threat landscape and ensure that we play a key role in responding and mitigating the threat.