The last several years have continued to see an increase in the sophistication and volume of cyber threats, with a 42% increase in targeted attacks in 2012 (as reported by Symantec, in its 2013 Internet Security Threat Report). The range and types of threats vary greatly as well; in June 2013, InfoSecurity magazine listed the top five specific IT cyber security threats as: data breach, malware, DDoS, mobile threats, and industrialization of fraud – each of which requires a different preventive and response approach. An Ipsos survey for Lloyds Risk Index 2013 indicated that cyber risk is the third biggest concern for CEOs when assessing organizational threats, jumping nine spots from the previous year’s ranking of 12th.
In most organizations, monitoring and response has continued to develop and mature within IT to proactively address vulnerabilities. That said, there may be opportunities to better integrate IT’s response to such illicit activity with the organization’s business continuity program and structure, so that if an event does occur, the organization ensures a timely and coordinated response. After all, cyber security incidents can have business continuity implications and impacts that extend far beyond IT.
This perspective provides an overview of the current information security standards landscape and highlights different actions an organization can take now to better align business continuity and cyber security efforts and increase organizational resilience.
Overview of Information Security Standards and IT’s Role
There are several standards that IT groups typically adhere to when developing response strategies. Some of the most common security best practices include NIST, ISO 27001, ISO 15408, and RFC 2196. Many industries also implement industry-specific guidelines to enhance their approach and address unique threats or nuances; examples include those for government (FIPS), critical infrastructure/key resources (CI/KR), banking (FFIEC), electrical grids (NERC), and manufacturing (ISA/IEC-62443).
Each of these standards outlines best practices and specific procedures IT should consider (and align to as necessary) when working to prevent or respond to cyber security threats. Specifically, when:
- Developing a security program and defining access controls
- Identifying and tracking breaches
- Logging and backing up data to avoid destruction of evidence
- Shutting down unauthorized access
- Recovering and restoring system operations
These standards typically include guidance for how IT should respond: assess the breadth and severity of the information accessed, control the situation, and communicate the incident's impacts, response strategies, and outcomes to leadership. However, these standards may be too narrow in scope to help an organization determine business impacts and make appropriate decisions. More importantly, IT often applies the concepts in these standards only within IT groups.
Aligning Business Continuity and Cyber Security Response
Even when an organization’s IT cyber security response fully aligns to IT best practices and has performed well during past events, there are benefits in integrating IT’s response into an existing corporate crisis management structure, where one exists, rather than maintaining two separate response models. The following sections highlight some of the ways organizations can better align the two response structures to increase the effectiveness of response and strengthen organizational recovery.
Enhance Leadership Teams and Align Response Strategies
One opportunity to align business continuity and IT cyber security response involves providing the appropriate organizational leadership the information necessary to enable effective response and decision-making. The leadership roles typically highlighted to receive periodic status reporting in IT-focused standards tend to be IT or Security focused, but may not include all areas of business operations that may ultimately be affected by an IT incident. Updates to leadership may also highlight specific IT impacts from the event but may not assess or enable the group to determine true business impacts that could result from the incident.
Most existing business continuity structures have identified leadership from each area of the business to serve as the crisis management team, so this group is ideal to utilize for cyber incidents. This group has the appropriate perspective to assess business-specific impacts and recommend appropriate actions to enable continuity of business operations or prepare for disruption, as well as influence any decisions or timing to shut down systems.
Align Touch Points and Response Procedures
In addition, rather than maintaining and executing the IT cyber security and crisis management plans in silos, with duplicative or contradictory strategies, the plans should be complementary and build upon IT’s response. It is typically most effective to keep the existing IT plan and strategies in place to enable effective IT response, while integrating touch points between the two plans. This takes advantage of the existing crisis management process, ensures leadership receives timely information, gives ownership of impact assessment and stakeholder communications to the leadership already responsible for these activities during all other events, and ensures adequate executive participation. Such early coordination also provides IT with business insight on potential impacts and enables timely authorization for actions as necessary.
Timely involvement of all business area leadership is crucial, as any external visibility of an incident, whether resulting from insider or external forces, could raise a host of immediate issues that require decision-making. For example, if a data breach requires taking a critical system offline, the business may have to continue operations without that system for an extended period of time.
As such, ensure that plans highlight activities performed by IT and define specific communication touch points between IT and leadership, including periodic situation updates, response options, and the potential business repercussions of implementing certain strategies. Ensure that procedures also push management to consider and respond to potential cascading business effects to proactively mitigate impacts.
Integrate Crisis Communications
While standards typically provide guidance for executing regulator and consumer notifications that are legally required by regulatory agencies, these strategies do not take into consideration the external communication necessary to immediately deal with incoming inquiries for externally visible incidents. External inquiries could inundate customer-facing groups with questions on the situation, impacts, and response. While IT standards focus on the technical side of the response and legally mandated communications procedures, it is important that appropriate leadership be prepared to deal with business-oriented topics such as system downtime, inability to provide contracted services, sympathy to customer impacts, a summary of organizational response efforts, and potential restitution. If a security incident is externally visible, leadership may also need to immediately control social media and other online outlets that could have substantial reputational impacts. As such, procedures need to ensure that crisis management leadership has the information necessary to develop and distribute authorized external messaging outside of (and often in advance of) these mandated communications, as well as monitor external activity.
Some additional resources on crisis management leadership and crisis communications include:
- Crisis Communications: An Organizational Balancing Act
- Program Roles & Responsibilities in a Business Continuity Management System
Address Post Incident Strategy Improvement
Even after an incident is resolved, the response is not yet complete. A breach of one system could motivate customers to demand that more stringent security measures be put in place for other critical applications. Any customers who feel that risk mitigation, preparedness, response, and/or recovery are insufficient may move future business to competitors, affecting current and future revenue and market share.
Even if such demands or business loss do not occur, there may still be a need for leadership to assess and change information security policies or enhance strategies to further mitigate risk and prevent recurrences. As any of these events could require decision-making and investment, leadership must be prepared to discuss and make decisions regarding long-term strategy changes and investment.
In addition, following an event, the organization should update business continuity program documentation to integrate lessons learned and address program gaps. Organizations should also periodically conduct a cyber-security exercise to enable both IT and leadership to practice within their response roles and ensure all communication and decision-making occurs as necessary to control response and impacts.
While addressing cyber security is clearly an IT risk and issue, it is not ONLY an IT issue, as organizations are now far too dependent on technology to survive such situations unscathed. Organizations should approach cyber security as they do any other business risk – certain subject matter experts may deal with the immediate response and tactical details, but leadership is still responsible for identifying and controlling the cascading financial, reputational, and operational impacts, as well as ensuring effective and accurate crisis communications throughout all stakeholder-facing business areas. By integrating SME response into your existing leadership response strategy, you’ll ensure leadership has the information necessary to assess and control the overarching business impacts, while also ensuring IT has leadership’s support in rolling out selected response strategies.
If your organization would like assistance integrating business continuity into existing IT cyber security strategies, please contact us. We look forward to hearing from you!