
Thursday, 17 May 2018 14:59

At the Corner of Cyber and BCP

Written by  RON LaPEDIS

I can certainly say that the average person is aware of cyber security. As for companies protecting themselves? Well, I think we still have some work to do.

I have been preaching linking cyber security with business continuity planning (BCP) since my DRJ Fall World 2012 session more than five years ago. There are dozens of actions which can be taken to help organizations recover from a cyber incident. However, I believe these six are the most important:

  1. risk assessment (RA)
  2. business impact analysis (BIA)
  3. business continuity strategies
  4. incident response
  5. business continuity plan exercise, assessment, and maintenance
  6. coordination with external agencies


Why did I select these six? Look at the illustrations below. Figure 1 shows that the mean time to identify and the mean time to resolve a cyber incident are both reduced when BCP is involved. Figure 2 shows a substantial reduction in the cost of a cyber breach when a trained incident response team exists, business continuity management is involved, and your data has been classified in advance.

RA and BIA

In the simplest terms, a risk assessment defines what can hurt your organization, while a business impact analysis details how bad it can be.

The RA and BIA easily can be extended to cyber security. What are the risks to your organization’s information, and what would happen if it was stolen, modified, or destroyed? Would you end up like the package shipping company which documented a quarterly impact of over $300M because it was hit by the NotPetya malware attack? Or would you be more like the CIO of the ocean shipping company which asked IT to turn off its main systems but was afraid to bring up its backup systems because he had no idea what would happen if he did?

There are plenty of books and articles on how to perform both a BIA and an RA (and plenty of arguments as to which should be done first), so I won’t spend any more time on this subject.

Business Continuity Strategies, Exercise, Assessment, and Maintenance

Once you have your BIA and RA in hand, you need to determine how you plan to mitigate the risks. If your proposed mitigation costs significantly more than the impact to your organization (including soft impacts, such as reputation), you may be overspending.

And when you start to exercise your strategies, you might find out that some of your goals are either too expensive or unattainable. If this is the case, you may need to go back to the drawing board or evaluate new technologies.

I’m guessing the CIO of the ocean shipping company might have been more willing to bring up the backup systems if his organization had planned for this risk and run some “live fire” exercises to determine the outcome.

Finally, just going through the steps of planning, exercises, and maintenance will give your employees some “muscle memory” before an incident occurs.

Incident Response

This is where everything comes together, and the 2017 Ponemon study shows that having an incident response team in place generates the maximum savings after a breach.

How do you train your team and keep them in shape? At least one Silicon Valley company has a red team which sits in its own building, away from the rest of the employees. The red team’s sole responsibility is to hack the mothership in any way possible through public interfaces, including website attacks and social engineering of the help desk.

But you need to have the basics in place before running red team exercises. That means your data is classified by importance, the risk assessment and BIA are done, data protection and incident response strategies are in place, and you have run tabletop and friendly live fire exercises with real-time injects to build up your defenses.

Think of the red team as a massive case of the flu while everything you do to prepare for their attack is like getting your flu shot. If you need help with creating exercises, I can recommend “Cyber Breach: What If Your Defenses Fail? Designing An Exercise To Map A Ready Strategy,” by popular DRJ speaker Regina Phelps.

Coordination with External Agencies

The last piece is coordination with external agencies. When hit by a cyber-attack, you want to have the name and phone number of someone in law enforcement tasked with cyber response. In the United States, this would be the FBI. If you are outside the USA, you might want to do the research before you get hit. I’m not saying that calling them should be the first action that you take, but it should be somewhere on the Top-10 list.

The Ponemon report also calls out threat sharing as a way to lower the costs of a breach. In the United States, the premier cyber threat sharing organization is InfraGard, a partnership between the FBI and members of the private sector. InfraGard provides a vehicle for seamless public-private collaboration with government that expedites the timely exchange of information and promotes mutual learning opportunities relevant to the protection of critical infrastructure.

To Sum Up

Looking at Figure 3, you can see that organizations in Germany, Japan, and Canada lead the way in BCM involvement in cyber recovery; the USA and UK are almost there, but it remains problematic in other countries.

The Ponemon study shows that real money can be saved in the event of a cyber breach, so why isn’t every organization investing in bringing the two teams together? When we examine the evidence, the actual expenses from recent high-profile breaches at Sony, Target, and Home Depot amount to less than 1 percent of each company’s annual revenues. After reimbursement from insurance and minus tax deductions, the losses are even smaller. But what about reputation and lost sales? Sony’s bottom line actually wasn’t hurt by the hack.

In the end, it is consumers who are hurt when their information is disclosed, but it seems like few are voting with their wallets, thus minimizing the incentives for companies to better protect their systems and invest in incident response.

At some point consumers will revolt, and companies which do make investments in cyber security and BCP will be well-positioned to take market share from those who don’t. Or not – will you play your part in educating your co-workers, friends, and relatives?

Ron LaPedis, a Distinguished Fellow of the Ponemon Institute and global enablement specialist at Micro Focus, has more than 25 years of information security and business continuity experience. In addition to his business skills, he has extensive training and experience in emergency response and active shooter training, and is a first responder with his local Sheriff’s search and rescue unit. LaPedis holds several certifications including AFBCI, MBCP, CBCV, CISSP-ISSAP and ISSMP.

Illustrations taken from the Cost of Data Breach Study – Impact of Business Continuity Management Research conducted by Ponemon Institute and sponsored by IBM.