Some experts say there is a thin line between disaster recovery and business continuity planning (BCP). The first is owned by the computer operations or IT department, while the second is usually owned by the line of business. Unfortunately, BCP and cyber security are, more often than not, separated by a gulf larger than the distance between the Atlantic and Pacific oceans. This article is meant to be a Panama Canal of sorts: a link between the two disciplines of BCP and cyber security, or cyber for short.
Business continuity planners have memorized the BC Planning Model promulgated by DRII. That is, project initiation, functional requirements, design and development, implementation, testing and exercising, and maintenance and updating.
Figure 1 shows a version of the BC Planning Model that I developed for cyber. It starts with rules and regulations, such as HIPAA (Health Insurance Portability and Accountability Act), EUDPD (EU Data Protection Directive), PCI (Payment Card Industry Data Security Standard), etc. The other phases are named differently, but are similar in operation to the DRII phases. Two of the phases have two names. The top names are more familiar to cyber practitioners, while the bottom names are more familiar to BC planners.
In my experience, the cyber planners (who probably don’t exist within your organization) do not test and exercise, nor do they perform maintenance and updating based on testing and exercising. Cyber updates tend to be made when patches and software updates are released.
Risk Analysis and Business Impact Analysis
Just like BC planners, cyber planners should be performing both a BIA and RA. What is your most important information? Is it properly managed? Is it safe from cyber threats? Is everyone aware of the likely targets? What is the impact on your company’s reputation, share price, or existence if sensitive internal or customer information were to leak or be destroyed? Have you developed crisis response strategies by line of business, time, and severity of impact?
Types of Cyber Crime
There are four basic categories of cyber-crime: espionage, war, hacktivism and plain old crime. Do you know which one(s) your company is most likely to face? Does your organization develop products that are interesting to your competitors or to foreign governments? Knowing your attacker, and how powerful they are, needs to be part of the risk analysis.
Policies and Procedures
Besides the standard, “we will install and monitor a firewall, spam filter and antivirus software,” what other cyber policies have been implemented? Is responsibility for cyber risk assigned to a single person? Is anyone making sure that cyber policies and procedures dovetail with BC policies and procedures? Is there a program to identify hardware and systems with default user names and passwords and ensure that they are changed – and changed again every time someone who knows them leaves the company?
Did you know that a number of process control systems have well-known default passwords that cannot be changed or they stop working? These are systems that should be cyber-secured as tightly as possible and should not be anywhere near the internet. And speaking of that, do you perform audits to find systems that are on the internet that are not supposed to be on the internet? Look up the Shodan tool. You may be surprised at what you find.
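An added example, not part of the original article, of the default-credential audit program the two paragraphs above call for: a Python script that runs over a constructed asset inventory and flags default credentials, credentials that must be rotated again because someone who knew them has left, and unchangeable credentials sitting on internet-exposed process control systems. The asset names, credential pairs, employee ids and dates are all constructed sample values.

```python
from dataclasses import dataclass
from datetime import date

# Constructed list of factory-default credential pairs (hypothetical values,
# not taken from any real vendor documentation).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("operator", "1234")}

@dataclass
class Asset:
    name: str
    username: str
    password: str
    internet_exposed: bool      # reachable from the internet (what an exposure audit would show)
    password_changeable: bool   # False for controllers that stop working if the default is changed
    last_rotated: date          # when the credential was last set
    known_by: frozenset         # employee ids who know the current credential

def audit(assets, departures):
    """Map asset name -> list of findings. departures maps employee id -> departure date."""
    findings = {}
    for a in assets:
        notes = []
        if (a.username, a.password) in DEFAULT_CREDENTIALS:
            notes.append("default credential in use")
        if not a.password_changeable and a.internet_exposed:
            notes.append("unchangeable credential on internet-exposed system: isolate from the internet")
        # The credential must be rotated again whenever someone who knows it leaves.
        # Unchangeable credentials are skipped here; isolation is their only remedy.
        if a.password_changeable:
            for emp in sorted(a.known_by):
                if emp in departures and departures[emp] > a.last_rotated:
                    notes.append(f"rotate credential: known by {emp} who left {departures[emp].isoformat()}")
                    break
        if notes:
            findings[a.name] = notes
    return findings

def run_audit():
    """Run the audit over a constructed four-asset inventory (sample data, not a real network)."""
    assets = [
        Asset("hmi-01", "admin", "admin", False, True, date(2013, 1, 10), frozenset({"e100"})),
        Asset("plc-07", "operator", "1234", True, False, date(2010, 5, 1), frozenset({"e100", "e200"})),
        Asset("vpn-gw", "netops", "Correct-Horse-9", True, True, date(2013, 2, 1), frozenset({"e200", "e300"})),
        Asset("badge-srv", "svc", "Zq8!pL-tr", False, True, date(2013, 4, 1), frozenset({"e300"})),
    ]
    departures = {"e200": date(2013, 3, 15)}  # e200 left after vpn-gw's last rotation
    return audit(assets, departures)
```

In practice the inventory would come from your CMDB and the departure list from HR, which is exactly the dovetailing between cyber and BC procedures the article asks about.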
What are your organization’s policies around background checks before an employee’s initial hire and after they return from sick leave, leave of absence or a long vacation? The FBI notes that many attempts are made to recruit key employees by foreign agents while on vacation overseas.
Do you perform social engineering tests on your own employees to learn who is susceptible so that you can offer increased training where required? For example, have someone call the help desk pretending to be an irate executive who forgot her password. Threaten the help desk person with termination if they don’t fix the problem N-O-W. Does your help desk staff stick to their procedures for authenticating a caller, or do they cave and give away passwords to anyone who threatens to fire them? Or send phishing emails to key personnel trying to get them to click on a link or open an infected document. In real life their PC would be compromised. Your link should take each person who clicks on it to a training site that details how to recognize bogus emails and what to do when they receive one.
If your organization is based in the United States, do you take advantage of the information sharing opportunities afforded by the FBI InfraGard program? InfraGard can help you gather intelligence on who may be targeting your company. It is also a safe place for your employees to share information with other companies to benchmark, learn from others, and help identify emerging threats.
In the BCP world, a crater where your building used to be is a good sign that it is time to activate your plan. In the cyber world, the indications are much more subtle and time needs to be spent on developing “muscle memory” through intensive testing and exercising. There are many ethical hackers (or white hats) who will come in and attack your systems. You can also build your own “red and blue” teams to attack each other.
There is a reason that so much time and money is spent by the military, fire and police on “live fire” practice. You want your employees to have plenty of experience when a real attacker shows up, and this is the only way to ensure it.
But how do you know when you are under attack? It may be a sixth sense; it could also be that your firewall or Intrusion Detection System (IDS) throws a message; or maybe someone received a threat via a phone call or social media (yes, threats have been made on Twitter – is your social media team tied in with your cyber and BCP departments? Do you even have a social media team?). What would you do if you saw the tweet in Figure 2, your IDS notified you that an SQL injection attack took place overnight, and your cyber team told you that it could have been successful? Hint: Figure 3 is a flow chart to help you determine your own “I’m under attack” triggers.
How could a cyber-attack possibly cause you to evacuate a building? As mentioned above, many process control systems have default passwords that cannot be changed. It is possible for an attacker to release hazardous chemicals, disable building control systems, shut down the power, or create other mayhem that requires a building evacuation. Assuming that you have one in the first place, does your workforce continuity program cover cyber-attacks? See Figure 4 for a recommended cyber response timeline.
For the past 20 years, BC planners have been performing RAs and BIAs, and have been writing, exercising and improving their plans, while at the same time, cyber planners have not. This article suggests why it is so important for cyber and BC planners to join hands so they can build, exercise and improve their plans in concert with each other.
While we normally think of our BC plan being deployed due to natural or man-made disasters, we also need to be thinking about a cyber-attack that forces systems offline, sends employees out of the building, or causes severe damage to our organization’s reputation.
About the Author
Ron LaPedis is the senior product manager overseeing SunGard AS’ workforce continuity business. Ron is a Master Business Continuity Professional (MBCP), a Member of the Business Continuity Institute (MBCI), and a CISSP with ISSAP & ISSMP endorsements. He can be reached at firstname.lastname@example.org .