“To expect the unexpected shows a thoroughly modern intellect.”
Oscar Wilde, Irish playwright, novelist, essayist, and poet. 1854-1900
Preparing for the 'unexpected' is not a new idea. Over the last 50 years, the business continuity industry has grown out of the need to protect businesses from the unexpected and expected interruption. However, when we stop and think about the threats business continuity professionals must mitigate in today’s business continuity (BC) plans versus 20, 10 or even 5 years ago, all agree there is a new threat landscape: threats that are making the 'unexpected' drastically different today and unimaginable tomorrow.
Protecting an organization from an 'IT outage' is where most BC plans originated. Yet, even IT outages today have taken on a new level of complexity. We live in an 'Always on world' where complex, global infrastructures and open-source code systems join with the Internet of Things’ 9 billion possible entry points to capture more and more data to the Cloud every minute. On top of that, we 'Bring (Y)our Own Devices' (BYOD), then capture and analyze Big Data to enable a ‘cognitive’ world. As BC planners we are asked to protect our businesses from interruptions caused by these many factors and do it faster, cheaper and with less staff to help solve the problem.
Moreover, there is now increased pressure from outright criminal activity. Yes, cybercrime. Our most precious business resource, our differentiating factor that is our competitive advantage - our intellectual property and personal information - is under sophisticated, malicious, criminal attack 24 hours a day, every day.
By the end of 2014, some estimates indicated more than one billion records of leaked personally identifiable information (think emails, credit card numbers, and passwords) were reported stolen [1]. An organization of 15,000 employees can expect to see 1.7 million security events in one week. However, typically only 1 out of every 100 security compromises is actually detected. So add two zeros to the 1.7 million and you get the picture [2].
With this new threat landscape, what truths can BC Planners hold onto today?
Well, we know the principles of BC, like the laws of physics, never change. However, what must change is how we apply and adapt these principles to new threats. In this world of rising crises, incidents, and organized cyber-attacks, the tried and true BC techniques we’ve practiced over dozens of years bring real benefits when teamed with security to win in this war against cybercrime. According to the 2015 Cost of Data Breach Study by the Ponemon Institute and IBM, Business Continuity Management (BCM) involvement in data breach response can reduce the associated costs by $14 per affected record and reduce the time to contain the data breach by 41% [3].
When business continuity and security team up, we apply three waves of defense: Frontline, Response, and Containment. Security prevents as much as possible with implemented frontline security services like strong security policies, passwords, encryption and personnel awareness training. If, or when, the attack comes, BC’s deep experience in incident response adds command and control, measured incident response and clarity on 'who' needs to be involved. Lastly, if the worst happens and records are lost, our company’s reputation is protected through containment by implementing BC plans for IT outage and personnel depletion scenarios.
What would BCM and Security teaming look like in the real world?
First, establish joint representation where Security and BCM work as members of each other’s teams building the response plan. Work on each other’s teams, include BC in the response team, and involve the Chief Information Security Officer (CISO) throughout.
Second, BCM and Security work together to align cyber incident response and participate in joint testing with simulated exercises. Teams work together to validate the planned actions and educate all participants on their roles as well as the unique attributes of a cyber response.
Third, appoint crisis management representatives to coordinate BC and Cyber security efforts during and after the breach. Cyber response, like BC response, requires clear roles, responsibilities and communication. Joint roles defined in a communication plan delineate who can answer the tough questions.
Yes, threats are changing every day and cyber is just one of the many threats from which we must protect our businesses. Now, you are armed with hard evidence and three simple actions to start or strengthen your BCM program against a cyber event and realize real value for your organization.
Linda Laun is the Chief Continuity Architect at IBM Global Business Continuity.
[1] IBM X-Force Threat Intelligence Report 2016, pg. 2
[2] 2014 Cost of Data Breach Study, Ponemon Institute and IBM
[3] 2015 Cost of Data Breach Report, Ponemon Institute and IBM