A CISO can feel confident they have the best cybersecurity system in place. The organization's employees get regular security awareness training. The security team is strong and built solid partnerships with vendors.
The CISO and the organization have done all the right things to prevent a cyber incident, but what plans are in place to keep business operations running after an incident occurs?
No matter what your plans are, something unique will happen to take your company offline or put the company in jeopardy, according to Bryan Scanlon, principal with Look Left Marketing, and speaker at the Insights S2021 virtual conference.
"You are in an incredible race against time to solve a problem and communicate the resolution and deal with all the inputs and outputs that are happening. Time is really the enemy here," Scanlon said.
In that limited amount of time, businesses need to move quickly to mitigate the cyber event, and they are starting from behind: once an incident happens, the business is catching up. What most often prevents a quick and coordinated response is a lack of communication across the organization during the crisis.
"Some companies won't communicate at all until they have it all figured out. That tends to be a problem because you are impeding management," said Scanlon.
Communication has to run in tandem with incident response: everyone on the team works from the same picture so mitigation isn't hampered, business operations continue as close to normal as possible, and customers are alerted in a timely manner.
This failure to communicate efficiently is frequently due to friction between the security team and business teams.
"Less experienced security teams often see controls and policies as black and white, rather than shades of gray," said Jake Williams, co-founder and CTO at BreachQuest, in an email to Cybersecurity Dive.
When security teams take the time to understand the business, they work together with business unit stakeholders to ensure operations are performed in the most secure manner possible.
"When they don't, the same security teams become marginalized and known as the people who say 'no' to every requirement," said Williams.
Biggest risks to business continuity
The breakdown in communication is often due to a failure to have a plan in place when business interruptions take place.
"This means that on top of responding to a hectic situation they have to remember all the technical pieces and procedures necessary to keep operating," said John Bambenek, Threat Intelligence Advisor at Netenrich, in an email interview.
In a crisis, even the most well-rehearsed actions are forgotten or crucial steps are skipped. This leads to mistakes when the organization can least afford to make them.
Organizations without a mitigation plan also tend to have no plan for the disruptions that follow an incident. One scenario every company should have a continuity plan for is a ransomware attack.
"At its core, ransomware is a business continuity problem. If you can recover business operations quickly and effectively, paying ransoms is mostly not an issue," said Bambenek. "The fact that we see all these ransomware incidents and disruptions is that many organizations aren't following business continuity best practices largely unchanged since the 90s."
The problem is that most organizations think ransomware recovery is an easier process than it really is. Ransomware typically kills running processes before encrypting the data they hold open, so the files it leaves behind may already be inconsistent or corrupted, not merely encrypted. Recovering the files is only part of the job: the organization must also find and close the failures and vulnerabilities across its infrastructure that let the attacker in, or it is restoring systems into the same exposure.
Business continuity when systems fail
Data is what keeps businesses moving forward, so beyond having documented continuity plans in place, there needs to be backup and data recovery (BDR) systems.
A proactive approach is needed to be more resilient, according to Dave LeClair, Sr. Director, Product Management with ConnectWise. The goal is to keep applications up and running through an incident without end users noticing a problem. BDR today is as much about business continuity and resiliency as it is about keeping secondary copies of files in case data is lost.
Because so much BDR is delivered through the cloud, it is vital to know what the cloud provider does during an emergency and how regularly it tests the BDR system to make sure backups can be brought online seamlessly if needed. A backup that has never been restored in a test is an assumption, not a recovery capability.
"You need to think through all the different scenarios in advance before the incident takes place. You don't want to do it when something bad is starting to happen," LeClair said during an IT Nation Secure conference session.
"Being resilient is being resilient to anything that could happen to your business," said LeClair.
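The restore test LeClair describes, and Bambenek's point that ransomware is at heart a business continuity problem, come down to one routine check: can the backup be brought back, and does what comes back match what was recorded at backup time? The script below is an added example, not code from the article, ConnectWise or any of the vendors quoted. It backs up a constructed sample directory alongside a SHA-256 manifest, restores it, and checks the restore against the manifest under three failure conditions: the live data has been overwritten by an encryptor, the backup archive has been truncated, and an archive member tries to escape the restore directory. The file names, sample contents and the `simulate_encryptor` stand-in are all constructed for the example.

```python
import hashlib
import os
import tarfile
import tempfile
import zlib
from pathlib import Path

def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(src: Path, archive: Path) -> dict:
    """Write a gzip tar of src and return the manifest taken at backup time. Keep that
    manifest apart from the archive: it is the known-good state restore tests check against."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    return manifest

def restore_and_verify(archive: Path, manifest: dict, restore_dir: Path) -> list:
    """Restore into restore_dir and return a list of problems; an empty list means
    the backup is readable, complete and byte-for-byte what was backed up."""
    problems = []
    restore_dir.mkdir(parents=True, exist_ok=True)
    restore_root = restore_dir.resolve()
    try:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar:
                target = (restore_root / member.name).resolve()
                # Refuse members that would land outside restore_dir (tar path
                # traversal) and anything that is not a plain file.
                if restore_root not in target.parents:
                    problems.append(f"unsafe member path skipped: {member.name}")
                    continue
                if not member.isfile():
                    problems.append(f"non-file member skipped: {member.name}")
                    continue
                target.parent.mkdir(parents=True, exist_ok=True)
                with tar.extractfile(member) as src_f, target.open("wb") as dst_f:
                    dst_f.write(src_f.read())
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        # A truncated or damaged archive fails here, in the test, not on the day it is needed.
        return [f"archive unreadable: {exc}"]
    restored = build_manifest(restore_dir)
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"hash mismatch after restore: {rel}")
    for rel in sorted(restored.keys() - manifest.keys()):
        problems.append(f"unexpected file in restore: {rel}")
    return problems

def simulate_encryptor(root: Path) -> None:
    """Stand-in for a ransomware encryptor (constructed for the example, not real
    malware): overwrite every file under root with random bytes."""
    for p in root.rglob("*"):
        if p.is_file():
            p.write_bytes(os.urandom(p.stat().st_size + 16))

def run_demo() -> dict:
    """Run the restore test under each scenario and return the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp_dir = Path(tmp)
        share = tmp_dir / "fileshare"  # constructed sample data, not a real share
        (share / "finance").mkdir(parents=True)
        (share / "finance" / "ledger.csv").write_text("date,amount\n2021-06-01,100\n")
        (share / "readme.txt").write_text("constructed sample file\n")
        archive = tmp_dir / "nightly.tar.gz"
        manifest = make_backup(share, archive)

        # 1. The routine restore test right after backup should come back clean.
        results["clean_restore"] = restore_and_verify(archive, manifest, tmp_dir / "r1")

        # 2. An encryptor hits the live share: live data no longer matches the
        #    manifest, but the offline copy still restores to the known-good state.
        simulate_encryptor(share)
        results["live_data_intact"] = build_manifest(share) == manifest
        results["restore_after_attack"] = restore_and_verify(archive, manifest, tmp_dir / "r2")

        # 3. A truncated backup is caught by the scheduled test.
        archive.write_bytes(archive.read_bytes()[: archive.stat().st_size // 2])
        results["truncated_backup"] = restore_and_verify(archive, manifest, tmp_dir / "r3")

        # 4. An archive member whose path escapes the restore directory is refused.
        evil = tmp_dir / "evil.tar.gz"
        with tarfile.open(evil, "w:gz") as tar:
            tar.add(share / "readme.txt", arcname="../escaped.txt")
        results["traversal_refused"] = restore_and_verify(evil, {}, tmp_dir / "r4")
    return results

if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

Run it as a script to see each scenario's outcome. The design point is that the manifest, not the archive, is the source of truth: an archive that opens and extracts without error can still be the wrong data, and only comparing the restore against hashes recorded before the incident proves the backup is the one you need. In production the same check would run on a schedule against the real archives, with the manifest stored somewhere the encryptor cannot reach.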
But businesses can mitigate the downtime and keep operations in motion if they prioritize prevention and BDR controls. Cyber incidents will happen, but the impact should never cripple the organization.