Three Steps to Integrating Cybersecurity With Business Continuity
With cyber threats like ransomware routinely interrupting business operations around the globe, cybersecurity is not just an IT problem — it’s a business risk that needs to be accounted for in the business continuity plan.
But how do you go about doing that?
Gain Executive Support
The tone from the top drives the success of your business continuity and cybersecurity preparedness. If your organization is going to continually strengthen and insulate itself from all of the likely foreseeable, and sometimes even unforeseeable, events, you need to get executive support.
It’s also important for executives to support a culture of collaboration. Business continuity owners, info security officers, and business units need to be transparent with each other. Sometimes that means admitting that a process under your control has to be improved. If executives support a culture of transparency, people will be more willing to reveal and troubleshoot problem areas in your organization’s processes. Down the road, this could help the organization mitigate a major vulnerability.
Your BC and incident response plans should each include:
- Classification of various security incidents.
- Criteria for triggering the plan.
- Employee roles and responsibilities.
Clearing these obstacles with many employees working remotely could be tricky, especially if there are connectivity issues. This brings us to our next point.
No matter where they work, employees need to have access to the resources they need to do their jobs: voice and data communications, power, phones, computers, etc. After major “perfect storms” (which are becoming the new normal), cell phone, power and internet connectivity might not be available.
For example, after Hurricane Harvey hit Rockport, Corpus Christi and Port Aransas in Texas, wind damage knocked out power and communications. Working from home (WFH) wasn’t even an option for businesses in those areas.
In Houston, WFH seemed to be an ideal strategy. Countless roads closed, floodwaters lingered for days, and offices were destroyed. Although the city experienced record levels of flooding, the communications and power infrastructure proved resilient. For many companies, it just made sense to have employees work remotely. But many businesses hadn’t thought through the logistics of the entire company working remotely. The sudden influx of remote employees taxed company resources: VPN licenses, bandwidth availability of VPN concentrators at the home office, etc.
How would you handle your entire business working remotely? Think about how you’d respond to the following potential issues:
- Employees might not have the right equipment, whether because they weren’t issued company-approved hardware in time or because it’s trapped inside the home office.
- Internet connectivity in employees’ homes isn’t always reliable.
- A significant increase in remote workers can overload the VPN.
- Employees not used to working from home might have trouble logging in.
- Company phone systems might not be compatible with employees’ personal devices.
- Vulnerable network connections increase the risk of sensitive data exposure.
- Employees are more likely to use personal devices without appropriate security settings.
The better you can address potential connectivity challenges, the more likely WFH is to succeed. But that’s only one part of the equation.
Evaluate Your Incident Response Plan
The traditional view of business continuity focuses on the inoperability of a facility, a particular service or a function. It’s a worst-case scenario. Cyber threats have just added a whole new world of potential ways to take down a particular operation.
Does your organization have a detailed incident response plan that accounts for the various types of security incidents your organization could face? Start by looking at how detailed the incident response plan is. Many businesses simply tack on a brief incident response paragraph — maybe even a page or two — to their business continuity plan. Be advised: That is not a comprehensive incident response plan. Make sure the plan catalogs at least the top seven to 10 security incident types that could disrupt or halt business operations. It should provide specific responses and procedures tied to those events.
You also need to determine what incidents will trigger the business continuity and incident response plans. For example, an email phishing scenario wouldn’t necessarily shut down access to critical data or affect your ability to service your customers. In that case, you might activate your incident response plan but not your business continuity plan. A ransomware attack, on the other hand, could actually take your systems offline. Since it would leave you without access to critical data and the ability to service your customers, you might classify that as an outage requiring a business continuity response.
Test Your Plan
Just as you test your business continuity plan for worst-case scenarios, you need to test scenarios that integrate business continuity and incident response. For example, you could walk through the process of responding to a CryptoLocker outbreak that encrypts a drive or data store and requires the restoration of that data to another platform. To work through how the plans play out in a particular scenario, start with a tabletop exercise before doing a functional test.