Cyber-Resilience vs Business Resilience

This article is divided in two parts. First, it guides you into thinking about cyber-resilience: What is it about? What are its characteristics and its differences with the more traditional cases of unavailability of information technologies? The second part proposes an exploration of responses through the development of a “Cyber Resilience Plan” integrated with the other plans of the Business Continuity Management System.

The question is no longer when you will be impacted, but how you will react when faced with three major risks:

  • Your data is destroyed or corrupted
  • Your activities suddenly stop
  • Communication is no longer possible

Thoughts on Cyber-Resilience

For some, cyber-resilience is only a subset of business continuity, but while it shares many aspects with it, it requires special attention because, in the end, this digital risk changes the paradigm and our response to the crisis. In this article, we would like to ask you to reflect upon what you believe is safe and what is not, which ultimately requires you to review your Crisis Management Plan as well as your Business Continuity Plan.

The word cyber has pervaded the digital world for about ten years now, but it is clearly the democratization of the smartphone that has made it so popular. So popular, in fact, that we need to question ourselves on several levels. First, on a personal level: the integrity of our identity and the confidentiality of our private lives. Second, on a professional level: the security of that same identity and privacy, this time entrusted to the good will of the company, and the company's capacity to protect its CISO (which mainly comes down to his/her ability to convince management to release the necessary budgets). Finally, the economic model of each of our companies (knowledge, know-how) should they be attacked. Some of the most difficult characteristics of cyber-attacks to grasp are:

  • Its geographic extent: it is located outside the computer borders that we perceive, or even suspect.
  • Its epidemic character: contagion comes from associations.
  • Its relative impunity: it escapes any form of sovereign, national or other legal protection.
  • Its stealthy character: it is sometimes discovered only 6 months after its effects.
  • Its destructive character: it sometimes leaves the company without any solution.

It is clear that the threat is not confined to a single business or sector: it extends systemically throughout the company's interdependent environment. So what can be done? Is there no resilience solution to this drama?

Cyber-resilience is often defined as “the expected ability of a company (or an individual) to identify, prevent, detect and respond to technological or process-related failures resulting from an attack coming from the cyberspace and to recover by minimizing negative impacts on its customers, reputation damage and financial losses.”

As you know, the security of an information system must be multi-layered and cover people, processes and technology. “Cyber-Resilience is nothing without Cyber Security”, or without a Continuity Strategy! Is a cyber crisis simply one more instance of a crisis of unavailability of Information Security (IS)? Or is it more complex because it is more diffuse? Do we need to think of it differently?

Think about a plan B: be responsive to the crisis, or even accept losing a portion of the IS in order to protect the essential part of it.

Unlike the IS unavailability scenario usually handled in BCPs, a cyber crisis is distinguished by a higher level of sophistication and a wider attack surface. Such crises are more difficult to scope and require investigations that are sometimes incompatible with business continuity and recovery requirements.

For instance, a functioning IS can be subjected to a strict “stop measure” as a protection in case of partial compromise (data leak, ransomware). But who will negotiate this with the core business entities? In addition, recovery of the systems takes longer because the integrity of every service must be verified exhaustively (reminder: the infectious agent and/or the attacker can switch to sleep mode, making the resumption of activity delicate).

It is therefore essential to revise your own Data Recovery Plan in order to be cyber-resilient. The development of a Cyber Resilience Plan (CRP) complementary to the Business Continuity Plan (BCP) must therefore be requested from the entities delivering IT services, with the priority objective of protecting sensitive assets (Availability, Integrity, Confidentiality, Proof) and strategic business activities.

If we look at the business environment, we see that the presence of cyber-risk-sensitive services has exploded over the past several years: the SaaS model, agile development, autonomous vehicles, connected objects, disruptive technologies with their complex algorithms (blockchain), smart cities. All these elements require a level of expertise in their discovery, their understanding and thus their security in case of attack.

The Internet does not exist anymore: you are the Internet. The multitude of services giving access to information makes it necessary to rethink the models so that each portion, each data link, is secure on its own. If we return briefly to the ecological origin of the term, it is interesting to remember that in nature, resilience operates through certain constants, such as cooperation, which opposes competition. History is marked by these unlikely partnerships (Apple/Microsoft): mutual solidarity established to ensure the viability and persistence of our structures. “It is by protecting the weak that the human species has survived and has become ‘superior’ to the others, because it had to put in place survival strategies.” It would seem urgent to do the same by targeting these data links that are so important to us.

Is this cyber-resilience? A state of mind combining meaning and simplicity in the art of action: preparation, prioritization, agility and adaptability; a state that ultimately increases the confidence, agility, and therefore the capacity of companies.

Cyber Resilience Plan (CRP): A New Plan in the BCP Family

Cybersecurity can’t be totally effective at all times. Despite the constant efforts made by IT security, a strategy must be defined to ensure the execution of critical business activities after a cyber-attack. One of the ways to prepare for it gradually is to develop a Cyber Resilience Plan. It should be broken down into an “IT” part, and a “Business” part, limited to the activities declared as critical by the Top Management.

Like all Business Continuity Plans, a Cyber Resilience Plan is intended to deal with a disruptive event, which may be, for example, one of the following:

  • massive unavailability of workstations and servers due to a compromise of the Active Directory;
  • loss of data integrity;
  • simultaneous attacks on the production site and the backup site;
  • compromise, through an attack, of resources shared between the production site and the backup site (for example, a single production cockpit);
  • spread of viruses to the backup site;
  • loss of integrity of data restored from backups;
  • loss of access to applications tied to one technology (Microsoft, for example).

The occurrence of these disruptive events requires a cyber crisis unit that manages, in addition to communication, the recovery of IT activity and the business continuity of critical core processes. Depending on the cyber-attack, the crisis-management unit can activate the Cyber Resilience Plan. Preventive measures to be taken before the effects of a cyber-attack are observed include assessing the maturity of IT security on a recurring basis, knowing that it is impossible to remain constantly at the top level of resilience. Other preventive measures include: having Top Management validate the list of critical activities and decide on a cyber strategy; and prevention and protective measures, including the Cyber Resilience Plan itself (e.g. duplicating some highly critical applications, developed differently and operated on another, isolated site, with functional controls at several levels by different business lines).

Other activities included in the development of a Cyber Resilience Plan are: constantly raising the level of security (regular software updates) by reinforcing internal processes and/or investing in new solutions; continuous monitoring; and assessment and reporting of incidents. Another important activity is checking the functional integrity of backups after a data compromise: they can contain elements of the compromise (malware, base camps, modifications made by the attackers). In addition, it is crucial to set up ultimate backups of critical activities at a secure remote site that cannot be compromised. These backups can be used for disaster recovery at another backup site.
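The backup integrity check described above is easiest to make concrete with a manifest taken at backup time and verified later against the restored tree. The following is an added example, not code from the original article or from any product it mentions: it records a SHA-256 digest per file, authenticates the manifest with an HMAC whose key is assumed to be kept offline (a constructed key stands in for it here), and on verification reports which files were modified, added or removed, while a manifest rewritten without the offline key fails the signature check. The tampering scenario in `demo()` is constructed for illustration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed for this example: the manifest key is assumed to live offline
# (for instance on the isolated "ultimate backup" site), so an attacker who
# alters both the backup and its manifest still cannot forge a valid tag.
OFFLINE_MANIFEST_KEY = b"example-offline-key-not-for-production"


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large backup archives fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path, key: bytes = OFFLINE_MANIFEST_KEY) -> dict:
    """Digest every file under the backup tree (keyed by relative path) and HMAC the result."""
    files = {}
    for p in sorted(backup_root.rglob("*")):
        if p.is_file():
            files[p.relative_to(backup_root).as_posix()] = hash_file(p)
    body = json.dumps(files, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"files": files, "hmac": tag}


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the current backup tree with the manifest recorded at backup time.

    The report says whether the manifest itself is authentic and lists files whose
    content changed, files that appeared, and files that disappeared since then.
    """
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(OFFLINE_MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    manifest_ok = hmac.compare_digest(expected, manifest["hmac"])
    current = build_manifest(backup_root)["files"]
    recorded = manifest["files"]
    modified = sorted(f for f in recorded if f in current and current[f] != recorded[f])
    added = sorted(f for f in current if f not in recorded)
    missing = sorted(f for f in recorded if f not in current)
    return {
        "manifest_signature_valid": manifest_ok,
        "modified": modified,
        "added": added,
        "missing": missing,
        "clean": manifest_ok and not (modified or added or missing),
    }


def demo() -> dict:
    """Constructed scenario: record a manifest, then simulate post-compromise tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_text("CREATE TABLE customers (id INT);\n")
        (root / "config.yml").write_text("mode: production\n")
        manifest = build_manifest(root)
        before = verify_backup(root, manifest)

        # Simulated tampering after the backup was taken (constructed, not a real
        # artefact): one file altered, one unexpected file dropped in, one deleted.
        (root / "config.yml").write_text("mode: production\nextra_setting: unexpected\n")
        (root / "db" / "extra.bin").write_bytes(b"\x00\x01\x02 constructed placeholder")
        (root / "db" / "customers.sql").unlink()
        after = verify_backup(root, manifest)

        # An attacker who regenerates the manifest to match the tampered tree has no
        # access to the offline key, so the signature check fails.
        forged = build_manifest(root, key=b"attacker-does-not-have-the-real-key")
        forged_result = verify_backup(root, forged)
    return {"before": before, "after": after, "forged": forged_result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest and its key would be produced on the backup side and checked on the isolated recovery site before any restore is declared good; a report that is not `clean` is the trigger to fall back to the ultimate backups rather than restore compromised data.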

It is important to involve the entire organization by conducting continuous security awareness sessions for all employees, with a special focus on crisis teams and employees working in the most critical activities that deal with cyber crisis scenarios.

After the effects of the cyber-attack have been observed, the following activities must be undertaken: decide quickly with all of the field experts (partitioning); activate the use of critical means, such as workstations provided contractually by a supplier, minimal backup messaging, etc. It is also necessary to regularly execute prepared and tested plans for rebuilding the IT capacities needed for critical applications: safe recovery backups, workstations loaded from a USB key, cloud-based workstations, etc. Software such as RVR Parad allows these plans to be created, maintained and executed during exercises and in case of a cyber disaster. It should not be forgotten that implementing these measures requires upgrading the entire crisis management and business continuity process, and reviewing the roles of the Chief Information Security Officer, the Risk Manager, the Business Continuity Plan Manager, the internal and external Communication Managers, the Legal Manager and so on, as well as the role of the crisis management unit during a cyber-attack.

There is no ready-made, universal Cyber Resilience Plan – it must be adapted to the context of the organization to ensure its security and survival.
