A cyberattack can have a variety of consequences, such as ransom payments, remediation expenses, penalties, lawsuits, and disruptions of operations. Most medium-sized and large organizations have Business Continuity Plans (BCPs) to mitigate the impact of a cyberattack. How effective are those plans against cyberattacks that are becoming increasingly sophisticated? Take a look at two recent cyberattacks that disrupted operations:
Colonial Pipeline – The ransomware attack caused fuel shortages, spikes in prices, and panic among consumers.
JBS – The world’s largest meat processor was attacked by ransomware, which shut down operations in the US, Canada, and Australia. There was a threat of meat shortages around the world as a result of the attack.
The digital infrastructure of businesses at every scale is heavily exposed to cyberattacks, which can severely disrupt business continuity, since business continuity plans may not anticipate every eventuality. It is nevertheless critical that an organization develops a comprehensive BCP. Lincoln College, which is 157 years old, has been forced to close its doors because of a ransomware attack: the college was unable to access data that was critical to its academic and economic planning.
If businesses already struggle with today's cyberattacks, the cyberattacks of the future will be more challenging still. Here are 4 factors that make up a solid Business Continuity Plan: Communicating effectively, Adapting to Change, Managing Business Risk, and Cyber Insurance.
Important Components Of A Successful Business Continuity Plan
1. Managing Communications
Keeping shareholders, employees, partners, customers, and other stakeholders informed is crucial to crisis management and to projecting the image of a crisis-ready organization to the public. Calm crisis management is essential to reducing the impact of a cyberattack. A communications plan should be formulated in advance so that it can be quickly implemented in the event of a cyberattack:
Reassurance – It is important to reassure stakeholders that there is no need to panic and that the organization is taking the necessary steps to thwart the attack. It will be easier to reassure them that the organization is in good hands if you go over the cybersecurity safeguards that are in place and the preparations that have been made in case of a cyberattack.
Injunction – End users who have access to enterprise IT resources should be advised to exercise caution when using those resources and should be given instructions on how to
- If their systems are accessible, change their passwords.
- Even when responding to someone who seems to be an organization member, refrain from including confidential information in any communication.
- Avoid using unprotected networks
- Disable remote access
- Even inside the office, stay away from wireless networks and only use wired ones.
- Inform authorities of any suspicious behavior on the equipment or on the property (cyberattackers may attempt physical access to the facility)
- If the company has adopted a Bring Your Own Device (BYOD) policy, install all security updates and patches that are currently available for personal devices. For business devices, the IT department will apply patches and updates.
- When communicating instructions, use cascading vertical and horizontal communication channels.
- Use established hotlines to report incidents and get feedback
Individual Responsibility – It is important to remind stakeholders not to talk about the cyberattack with people outside the organization or post about it on social media. All staff members, including management, should refrain from speaking to the media about the cyberattack unless specifically permitted to do so. Additionally, customers should be asked not to speak with the media until the cyberattack has been investigated and resolved.
Public Responses – Standard responses that have been created or approved by the CISO and BCP committee ahead of the cyberattack should be made available to spokespersons who are authorized to speak on behalf of the organization. Such responses ought to be general to prevent jeopardizing remediation efforts and to prevent legal repercussions from making claims that could be interpreted as the company’s official position on the cyberattack or have an impact on stock prices.
- To ensure the organization’s perspectives on the attack receive widespread coverage and to prevent negative reporting, the BCP should include a public relations strategy that emphasizes proactive communication with media agencies and platforms.
- Organizations that operate across multiple regions should divide their audience and, where necessary, create communications that adhere to applicable rules.
- The BCP should also have procedures in place to determine which stakeholders’ data has been compromised and to notify each one of them of the breach and the appropriate responses.
Training – When a cyberattack occurs, leaders will be preoccupied with containing the attack and will have little time to supervise communications. Internal and external spokespersons should be trained in various crisis scenarios.
2. Adapting to Developments
A business continuity plan for cyberattacks cannot be static, as cybersecurity is a moving target. It must change to reflect the threat environment. Companies should update their cyberattack BCPs by following the procedure outlined below:
- The BCP should be evaluated every three months, or as specified by your organization’s Information Security Manual (ISM), and updated as necessary based on cybersecurity trends, industry standards, lessons learned from prior attacks, and best practices adopted by other businesses.
- Input on updating the BCP should be obtained from all concerned internal stakeholders, including the IT Team, Sales Team, and Product Design (to protect Intellectual Property), as well as external stakeholders such as Vendors, Partners, and Enterprise Customers, as permitted by their respective contracts.
- When updating the BCP, the vendor of Endpoint Security (EPS) should draw on their experience defending businesses in a variety of industries.
- When significant flaws such as Logo or zero-day vulnerabilities are found, the BCP should be updated immediately, and a risk analysis and incident response plan should also be created.
- Management and the ISM owner should receive updates to the BCP after the CISO approves them.
3. Optimum BCP Coverage
Business Continuity Plans, as previously mentioned, may not account for every scenario, but an organization must make sure the BCP addresses a sufficient range of potential cybersecurity incidents in order for it to be effective. Each organization must determine its own ideal BCP, taking into account:
- Prioritization – It makes sense that a cost-benefit analysis informs corporate decision-making, but maximising the benefit-cost ratio should be weighed against the requirement to uphold cyber hygiene. It should be kept in mind that the advantages of comprehensive cybersecurity are only fully appreciated when it is lacking and a cyberattack succeeds.
- Probability – BCP elements are prioritized according to the likelihood that a negative event will occur. Every organization will undoubtedly experience a successful cyberattack at some point, so the probability of one should be estimated as close to 1 as is practical. Similar criteria should be used to evaluate the opportunity cost.
- Risk Assessment – The risks connected to cybersecurity incidents should be estimated from the financial impact (loss) resulting from a successful attack and the likelihood of such an attack occurring. BCP measures ought to be created on the basis of this risk assessment. The evaluation can be formalized by defining each cyber risk according to the Risk Assessment Matrix below:
Risk Assessment Matrix
- Risk Categorisation – When categorizing risks by evaluating impact and probability, it is crucial to give risks related to intellectual property and regulatory compliance higher impact ratings, to avoid losing a competitive edge or coming under regulatory scrutiny and penalties.
- Stakeholders’ standards, certifications, and regulatory compliance (such as ISO and GDPR) should be listed in the ISM or in customer contracts.
4. Cyber Insurance
Once we acknowledge that most cyberattacks, but not all, can be prevented, we must ensure that our organization’s insurance covers cyberattacks. A business that has a computer system, a network, an app, or a website must carry cyber insurance. An insurance policy for cyber risk should include the following:
- Data breaches
- Extortion
- Counselling services
- IT consultant services
Additionally, cyber insurance must cover other types of cyberattacks:
- Identity theft
- Cyberstalking
- Malware
- Phishing
- E-mail Spoofing
As digital infrastructure becomes more complex and touchpoints increase, cyberattacks become more frequent and the attack surface expands, resulting in more cyber risks for organizations. Contact Us to enhance your organization’s cybersecurity defenses against the cyberthreats of today and tomorrow by utilizing eScan’s 25-year experience.