Time to rethink business continuity and cyber security
By Warwick Ashford
Business continuity and cyber security remain largely in separate silos, but changes in the IT and cyber threat landscapes mean there is an urgent need for organisations to alter their approach. Business continuity has come into sharp focus in recent months as organisations have had to find ways of keeping things going under the unprecedented circumstances presented by the Covid-19 pandemic.
Business continuity is about maintaining critical business functions, not only during a disaster or crisis, but afterwards as well. Traditional business continuity plans consider potential disruptions such as natural disasters, fires, disease outbreaks and cyber attacks. However, the trend towards digital transformation and the increasing reliance of organisations on IT for critical business functions and data mean that cyber attacks are now the most likely threat to business continuity. Cyber threats also tend to feed off such crises, as we have seen with the Covid-19 pandemic, with cyber attackers attempting to capitalise on all the opportunities it has presented.
As cyber attacks continue to increase in number and ability to cause significant damage to IT infrastructure, organisations must ensure that efforts to secure IT operations are closely aligned with efforts to maintain/restore IT operations in the event of a cyber attack, with a focus on risk management, resilience to maintain system and data availability, recovery of systems if they go down, and contingency planning for varying degrees of IT failure, up to and including total IT failure.
Cyber attacks inevitable and likely to be destructive
A comprehensive approach has become necessary as attacks by nation states, or by groups with nation state-level development capabilities, become more destructive in nature, capable of disabling access to systems and data or even destroying IT infrastructure. Cyber attacks and breaches of cyber defences have become inevitable as attackers become increasingly well organised and funded, often with nation-state backing. Organisations of all sizes are potential targets, either as sources of information or as a means of access to larger organisations in the supply chain. The drive to digital transformation, mobile working and cloud-based services is continually expanding the attack surface, further increasing the likelihood of attack.
Early detection, response and recovery are extremely important in the light of the growing trend towards destructive cyber attacks that could threaten business survival. Cyber attacks have emerged as the top risk to business continuity because they are now more likely than fires, floods or other disasters to disrupt operations. In the digital era, the increasing reliance on IT and the increasingly destructive and disruptive impact of cyber attacks mean businesses need to adopt a new approach to business continuity planning and cyber security, one that centres on a much closer working relationship between the two.
Business continuity and cyber security need to work in tandem
Organisations need to integrate their cyber security and business continuity teams to ensure aligned technology investments and aligned incident response and recovery processes. Business continuity and cyber security need an integrated approach to key areas such as access management, incident response and disaster recovery. Key benefits of greater collaboration between cyber security and business continuity teams include continuity-focused technology investment, a shift to DevSecOps, a greater focus on threat detection and response, and clear playbooks of who needs to do what in the event of a cyber attack. Organisations should review their approach to business continuity management (BCM) and extend the focus beyond datacentres and IT assets to maintaining and restoring business operations. Cyber security and business continuity teams must collaborate across the whole business with a focus on recovery, including people, processes, and physical and virtual environments for operational technology (OT) as well as information technology (IT).
The means of achieving the goals of business continuity and cyber security are closely intertwined. There can be no successful business continuity strategy without involving cyber security, and vice versa. An integrated approach, for example, means that instead of simply using disk mirroring technology to maintain up-to-date copies of data in geographically dispersed locations, business continuity and security teams work together to protect data and connections against the most likely forms of cyber attack, and develop contingencies for maintaining and restoring backups that do not rely on the same IT infrastructure and will work even after a total IT infrastructure failure. NotPetya showed that standard online backup alone is not enough: a replica that is reachable from the network can be encrypted or wiped along with the systems it was meant to protect. Organisations must assume that anything attached to their network is vulnerable and plan accordingly for offline, offsite backups.
To support a broader, recovery-focused, integrated and aligned approach to BCM and cyber security, organisations need to act in three key areas:
1. Planning – Restructure BCM and cyber security teams to ensure greater integration and collaboration in terms of operations, processes, procedures, responsibilities, and technology investments.
Establish crisis communication procedures, especially for company leaders, that include several independent communication channels.
2. Technology – Plan for the worst in terms of detection, response, recovery and improvement of both security and continuity capabilities. This includes ensuring data backups are well protected against a range of attacks and allow for rapid recovery. Assume there will be cyber attacks and that network defences will be breached. To limit the impact of a breach, segment network resources to limit lateral movement and consider a zero-trust security model. Also ensure there is some intelligence inside the perimeter to identify malicious activity, by investing in security intelligence platforms and other artificial intelligence-supported (AI-supported) systems.
The impact of a breach can be limited even further by virtualising workspaces so that they can be restarted in a known-safe state. It is important to identify all critical systems and services and ensure they can be restarted in a consistent, reliable state. Containers and microservices can help achieve this.
3. Policy – Implement and enforce stringent privileged access management (PAM) controls to enforce a policy of least privilege, and consider allocating admin privileges only when needed. NotPetya also highlighted that PAM is extremely important in the context of business continuity: it underlined the importance of strict access controls and the value of enforcing a principle of least privilege, even to the point of allocating privileges only when necessary. Even where organisations were patched against the EternalBlue exploit, NotPetya was able to use another one of its array of propagation mechanisms, including harvested credentials, to spread.
In general, it is important to understand where data resides, how it is protected, and how you can recover it to a safe state. Make it policy to move to cloud infrastructure for better security and easy restart of virtual machines and services, but ensure there is a backup strategy for when connectivity is lost or cloud service providers are unavailable.
There is a growing number of mitigating tools, techniques, processes and architectures that organisations can deploy to reduce the impact of cyber attacks on business operations. Organisations should aim to deploy those approaches that are mature and will have the most impact, starting with the most effective. These include business continuity planning, a zero-trust security model, offline and offsite backup, endpoint detection and response, PAM, and crisis communications procedures. Next, keep an eye on existing deployments of distributed denial of service (DDoS) mitigation, security intelligence platforms and automated threat sharing to assess their continued value and possible replacement. At the same time, pay attention to emerging winners with the highest potential impact, such as integration of BCM and cyber security teams, DevSecOps, ransomware mitigation and workspace virtualisation, which are strong candidates for adoption. Organisations should also keep an eye on future winners such as AI-supported anomaly detection, AI-supported decision making, AI-supported threat analytics and automated decision making, to assess whether any of these are candidates for early adoption as they mature. Most of these are AI-supported technologies that could have a high impact on reducing the risk cyber attacks pose to business continuity, and could even replace some more established solutions.