Originally published on Rentsys Recovery Services' blog.
With cyber threats like ransomware routinely interrupting business operations around the globe, cybersecurity is not just an IT problem — it’s a business risk that needs to be accounted for in the business continuity plan.
But how do you go about doing that? That was the prevailing theme of the Q&A session during a webinar we participated in as part of the Disaster Recovery Journal Webinar Series. Here are some takeaways from the presenters, Eric Thompson, information security officer for Rentsys, and Michael Barrack, managing director at Accume Partners.
Gain Executive Support
The tone from the top drives the success of your business continuity and cybersecurity preparedness. If your organization is going to continually strengthen and insulate itself from all of the likely foreseeable — and sometimes even unforeseeable — events, you need to get executive support.
It’s also important for executives to support a culture of collaboration. Business continuity owners, infosecurity officers and business units need to be transparent with each other. Sometimes that means admitting that a process under your control has to be improved. If executives support a culture of transparency, people will be more willing to reveal and troubleshoot problem areas in your organization’s processes. Down the road, this could help the organization mitigate a major vulnerability.
Evaluate Your Incident Response Plan
The traditional view of business continuity focuses on the inoperability of a facility, a particular service or a function. It’s a worst-case scenario. Cyber threats have added a whole new world of potential ways to take down a particular operation.
Does your organization have a detailed incident response plan that accounts for the various types of security incidents your organization could face? Start with looking at how detailed the incident response plan is. Many businesses simply tack on a brief incident response paragraph — maybe even a page or two — to their business continuity plan. Be advised: That is not a comprehensive incident response plan. Make sure the plan catalogs at least the top seven to 10 security incident types that could disrupt or halt business operations. It should provide for specific responses and procedures tied to those events.
You also need to determine what incidents will trigger the business continuity and incident response plans. For example, an email phishing scenario wouldn’t necessarily shut down access to critical data or affect your ability to service your customers. In that case, you might activate your incident response plan but not your business continuity plan. A ransomware attack, on the other hand, could actually take your systems offline. Since it would leave you without access to critical data and the ability to service your customers, you might classify that as an outage requiring a business continuity response.
Test Your Plan
Just as you test your business continuity plan for worst-case scenarios, you need to test scenarios that integrate business continuity and incident response. For example, you could walk through the process of responding to a Cryptolocker outbreak that encrypts a drive or data store and requires the restoration of that data to another platform. To work through how the plans play out in a particular scenario, start with a tabletop exercise before doing a functional test.
For more advice on integrating cybersecurity with your business continuity plan, listen to the webinar recording here.