Cyberattacks have various consequences such as ransom payment, remediation expenditure, penalties, lawsuits, and disruption of operations. Every organisation should have a Business Continuity Plan (BCP) to mitigate the impact of a cyberattack, and many medium-sized and large organisations do have one. But how effective are they at handling cyberattacks that are becoming increasingly sophisticated? Let us look at two headline grabbing instances of dislocated operations following a cyberattack:
- Colonial Pipeline – A ransomware attack caused fuel shortages, spike in prices, and consumer panic
- JBS – A ransomware attack on the world’s largest meat processor caused a halt to operations in the US, Canada, and Australia and threatened meat shortages around the world
Businesses operating at any scale depend heavily on digital infrastructure, and therefore a cyberattack can have a significant adverse impact on business continuity as BCPs may not anticipate every eventuality or unusual combination of circumstances. Nevertheless, a comprehensive BCP is critical to organisational survival. The 157-year-old Lincoln College was forced to close after a ransomware attack hindered admission activities and blocked the college’s access to crucial data it used to project its academic and economic future.
How will businesses cope with the cyberattacks of tomorrow if they face such challenges today? To answer that question, let us examine 4 elements of a robust Business Continuity Plan: Managing Communications, Adapting to Developments, Optimum BCP Coverage, and Cyber Insurance.
Critical Aspects of an Effective Business Continuity Plan
1. Managing Communications
Calm crisis management is essential to mitigating the impact of a cyberattack and keeping shareholders, employees, partners, customers, and other stakeholders well-informed is essential both to crisis management and being perceived as an organisation that can manage the crisis. A communications strategy that can be quickly implemented in the event of a cyberattack should be framed in advance and include:
- Reassurance – Stakeholders should be convinced there is no need to panic and the organisation is adopting necessary measures to counter the attack. Discussing the cybersecurity measures that are in place and the preparations that have been made in anticipation of a cyberattack will help reassure them that the organisation is in safe hands
- Injunction – End users with access to enterprise IT resources should be warned to proceed with caution when accessing those resources, and should be instructed to
- Change passwords if their systems are accessible
- Avoid including confidential information in any communication even if replying to someone who appears to be a member of the organisation
- Avoid using unsecured networks
- Disable remote access
- Avoid using wireless networks and only use wired networks even within the office
- Report suspicious activity on the device or within the premises (cyberattackers may attempt physical access to the facility)
- Install all available security updates and patches for their personal devices if the organisation has implemented Bring Your Own Device (BYOD). The IT team will install updates and patches for enterprise devices
- Employ cascading vertical and horizontal communication channels to communicate guidance
- Utilise established hotlines to report incidents and receive feedback
- Individual Responsibility – Stakeholders should be urged not to discuss the cyberattack with anyone outside the organisation, or post about the cyberattack on social media. All employees including management should avoid speaking to media about the cyberattack unless explicitly authorised to do so. Customers should also be requested not to speak to media until the cyberattack is investigated and resolved
- Public Responses – Spokespersons who are authorised to speak on behalf of the organisation should be provided with standard responses that have been prepared or vetted by the CISO and BCP committee prior to the cyberattack. Such responses should be generic to avoid compromising remediation measures and to avoid the legal consequences of making statements that may be interpreted as the official company position on the cyberattack or affect stock prices
- The BCP should include a public relations strategy emphasising proactive communication with media agencies and platforms to ensure the organisation’s perspectives on the attack receive wide coverage and to avoid negative reporting
- Organisations that operate in multiple regions should segment their audience and create communication that complies with regulations in each jurisdiction where required
- The BCP should also include appropriate responses when data has been breached with processes in place to evaluate which data of stakeholders has been compromised and to communicate the same to each affected stakeholder
- Training – Internal and external spokespersons should be trained in different crisis scenarios to be able to communicate effectively during a cyberattack when leaders will be primarily occupied with containing the attack and have limited time to oversee communications
2. Adapting to Developments
Cybersecurity is a moving target and a Business Continuity Plan for cyberattacks cannot be static. It needs to evolve along with the threat landscape. Organisations should follow the process outlined below to update their cyberattack BCPs:
- The BCP should be reviewed every quarter or as defined by your organisation’s Information Security Manual (ISM) and updated as required based on cybersecurity trends, industry standards, learnings from previous attacks, and best practices followed by other companies
- Inputs on updating the BCP should be obtained from all concerned internal stakeholders, including the IT Team, Sales Team, Product Design (to protect Intellectual Property), and external stakeholders including Vendors, Partners, and Enterprise Customers as permitted by their respective contracts
- The Endpoint Security (EPS) vendor’s expertise in defending organisations across a wide spectrum of industries should be leveraged when updating the BCP
- The discovery of significant vulnerabilities like Log4j, zero-day attacks, and similar events should trigger immediate changes to the BCP along with risk assessment and formulation of an incident response plan
- Updates to the BCP should be approved by the CISO and shared with management and the ISM owner
3. Optimum BCP Coverage
As discussed above, Business Continuity Plans may not anticipate every eventuality but an organisation needs to ensure the BCP addresses a sufficiently wide range of potential cybersecurity incidents to be effective. The determination of an optimum BCP is specific to each organisation and must consider:
- Prioritisation – Corporate decision making understandably revolves around a cost-benefit analysis but maximising the benefit-cost ratio should be balanced against the need to maintain cyber hygiene. It should be remembered that the benefits of comprehensive cybersecurity are truly understood only when such cybersecurity is absent and a cyberattack is successful
- Probability – BCP elements are prioritised based on the probability of occurrence of an adverse event. The probability of a cyberattack should be estimated as close to 1 as is practical, as every organisation is sure to experience a successful cyberattack at some time. The opportunity cost of investments in cybersecurity should also be evaluated on a similar basis
- Risk Assessment – Risks associated with cybersecurity events should be estimated based on the financial impact (loss) caused by a successful attack and the probability of such an attack occurring. BCP measures should be formulated based on this risk assessment. Defining each cyber risk based on the Risk Assessment Matrix below can help formalise this evaluation:
Risk Assessment Matrix
- Risk Categorisation – When categorising risk by assessing impact and probability, it is critical to assign higher impact to risks associated with Intellectual Property and Regulatory Compliance to avoid losing competitive advantage or suffering regulatory scrutiny and penalties
- The standards, certifications, and regulatory compliance (such as ISO and GDPR) required by stakeholders should be listed in the ISM or in customer contracts
4. Cyber Insurance
Once we accept that we can prevent most, but not all, cyberattacks, and that a successful cyberattack is inevitable, we must ensure that our organisation’s insurance cover extends to cyberattacks. Any organisation that has a computing system, network, website, app, or utilises an online payment mechanism requires cyber insurance. The cyber insurance policy should cover
- Data breaches
- Extortion
- Legal support
- Reimbursement of losses caused by business interruption
- Legal liability
- Counselling services
- IT consultant services
In addition to other cyberattacks, the cyber insurance must cover:
- Identity theft
- Cyber stalking
- Malware
- Phishing
- E-mail Spoofing
The complexity of modern digital infrastructure, the expansion in the attack surface due to increase in digital touchpoints, and the acceleration in cyberattacks have resulted in organisations facing greater cyber risk than ever before. Contact Us to improve your organisation’s cyber defences against the cyberthreats of today and tomorrow by benefitting from K7’s 30-year expertise in cybersecurity.