As technologies become more sophisticated, so do cybercrimes and the threat actors behind them. In 2017 alone, these types of threats made more headlines than ever before – so much so that ABC’s hit drama Grey’s Anatomy highlighted the issue in its most recent Fall finale. It’s estimated that the cost of cybercrimes against enterprises will be roughly $8 trillion in the next five years. Can your organization afford to be part of this statistic?
Despite enterprises, government organizations, healthcare systems, law firms, and even school districts across the world falling victim to cyberattacks, many businesses still operate in the mindset of “it won’t happen to me.” Unfortunately, the reality is that it’s not a matter of “if” but “when” especially if appropriate countermeasures are not in place.
I’m sure you’re thinking, “I’ve got the appropriate amount of security in place for my business, it’s safe from an attack – what else is there to do?” That’s a great start, but to truly be prepared for a cyberattack, CISO’s need to have a disaster recovery plan in place to keep an intrusion from becoming a full-fledged disaster.
Gone are the days of notepads and hand-drawn spreadsheets with most, if not all, of today’s businesses operate digitally. Understanding and building out a business continuity and disaster recovery (BCDR) plan will help save your operations when your systems are threatened. To be successful, you first need to understand what each piece of a BCDR means and how it effects your business:
- Business continuity is business-driven and implementing a plan to maintain operations and revenue generation.
- Disaster Recovery is driven by IT and is how you get systems back up and running when they become compromised.
These two pieces work collectively, and a business cannot have one without the other.
Additionally, within a BCDR exists the return to operations (RTO) time, which is a measure of how long it will take to get businesses back up and running. This time comes from negotiations between the business owners and IT’s realistic response, which is typically the true RTO. Running through simulations within your organization is essential to determine what this time realistically looks like, especially if critical systems are compromised.
Prioritizing Business Needs
The most effective BCDR plans are those that are initiated as board directives. When board members view threats as a true risk, the plan is not being developed as a cyber-incident response, but instead, as a business initiative. With cyber threats as the third largest risk globally, board members and executives should have a robust understanding of how to maintain business continuity or recover from a data breach specifically for their needs.
First step when approaching and building a BCDR plan is to develop a Business Impact Analysis (BIA). This should directly involve business owners, and focus on IT systems, the teams (i.e. sales, finance, HR) using them and answering the question, “if this system goes down, how long can this team’s operations realistically keep the overall business functioning?”
To do so, business owners and the IT departments must work together to determine a realistic answer, including the time frame, amount of money and necessary resources. It is then the CIO’s responsibility to consider this answer and what additional factors are involved to determine the actual restoration time that his team can execute against.
Keep in mind, this process should be conducted for every department in the organization, and their RTO may vary. This is extremely important as it will give business leaders the right information to prioritize based on business needs. Once all these details have been settled, it’s time to put a corrective plan in place and allocate the appropriate funds for business recovery.
Part of conducting the BIA is understanding how quickly IT can reasonably restore operations. One of today’s biggest threats and typically the number one reason why businesses need to have a disaster recovery plan is ransomware.
There are two types of incident response plans that should tie directly back to your BCDR process: a proactive incident response plan (IRP) and a reactive breach response plan.
Those who leverage the reactive breach plan almost always struggle dealing with the issue after the fact. This typically happens when there isn’t a true security culture. Alternatively, an IRP acknowledges threats and puts a mitigation plan in place ahead of a compromise.
Practice Makes Perfect
So you’ve proactively set a BCDR plan in place as a business initiative, conducted BIAs and prioritized – now what? Each business unit will have its own critical applications listed in the BIA and those managing these units need to have discussions with the CISO to understand what to expect and how to react.
To get a true sense of how prepared your organization is, “Table Top Exercises” should be performed in each unit. Walk your teams through the paces of various data breaches and what happens next for your business. Each department will have its own checklist of priorities for different scenarios regarding how to continue operations while systems are down and what to say to the parties affected. During a Table Top each step should be acted out as though it were the real thing.
The world of security never stops changing; therefore, you should consistently modify and update the IRP to stay up to speed with today’s threats. Conducting these simulations often will not only give your employees a chance to understand how and when to reach, but also allows organizations to reassess and make necessary changes to the plan based on unforeseen bumps in the road.
The key to a successful BCDR plan is to build relationships and trust across the business and amongst teams to ensure if systems go down everyone knows the plan, can effortlessly execute and mitigate issues as quickly as possible.
While every organization hopes to avoid being impacted by a data breach, being prepared for one is critical to the organization’s long-term health. Think of this as a disaster avoidance plan. A breach may happen, but it doesn’t have to be a “disaster” for your company.