The distinction between cybersecurity and business continuity planning is a subtle one. In today’s threat-filled online environment, a security breach is just as much a potential disaster as a natural disaster, and probably a more likely one.
Strong information security results in stable networks and reliable operations— a goal that is identical to continuity and disaster recovery planning in most organizations. Conversely, solid continuity planning can provide security for an organization’s operations and data. This means that resources that are valuable to cybersecurity teams often emerge unexpectedly from efforts put into business continuity and recovery planning.
Cybersecurity professionals often focus on distinct security threats and may not always have a clear picture of how those threats affect business continuity planning. This can be worrisome considering the fact that there is usually a lot of overlap between general business continuity planning and information security contingency planning. This creates a situation in which it makes sense for teams that traditionally approach these different functions from different angles to join forces.
Integrating the planning and response processes is generally a job for the CIO (Chief Information Officer) and CISO (Chief Information Security Officer). A CISO is likely to be involved directly in both functions as part of their general responsibilities.
Where Business Continuity Planning and Network Security Efforts Intersect
Many of the things considered during disaster contingency planning are identical to the things information security analysts routinely evaluate:
- Threat evaluation
- Risk assessment
- Mitigation planning
- Service prioritization
It’s no surprise that many common business continuity practices can also be leveraged to improve a company’s cybersecurity posture. As such, many of the same steps undertaken for disaster recovery preparation can also serve as security features:
- Robust backup and restoration strategies
- Independent network connections
- Off-site resource caches and recovery hot sites
Planning for Ransomware and DoS Attacks
Consider the increasingly widespread encryption blackmail attacks, or “ransomware” being leveled against public and private organizations. Hackers penetrate internal networks, usually via worm virus, and encrypt all the data it encounters on servers and workstations using a key that only they hold. When the encryption has been successful, the hackers contact the organization and demand a bribe to decrypt the data.
Ransomware attacks increased by 300 percent from 2015 to 2016 and there’s no sign the trend will change anytime soon. Although many victims never come forward with the details, Department of Justice reports suggest that payouts average between $200 and $10,000. However, one Los Angeles hospital paid out $17,000 to unlock vital data, and the University of Calgary paid out around $20,000 to deal with a ransomware attack.
But if the data has been backed up to a secure container, free from the encryption virus, then there is nothing to hold hostage— the company can simply clean its systems of the virus, restore the known good copy of the data, and continue on about its business. The backup, in this instance, is a security feature, not simply a disaster recovery safeguard.
Two German hospitals hit in early 2016 with ransomware attacks shrugged them off with moderate annoyance and only lost access to data for a few hours after restoring it from recent backup files.
In a similar vein, denial of service (DoS) attacks can be used for purposes of extortion, or simply to shut down business communications for other malicious purposes. But an organization with solid business continuity plans will have alternative methods for getting servers and services back online, allowing it to sidestep DoS attacks.
According to a 2014 study published by the Ponemon Institute, a privacy and security research group, organizations that integrate the cybersecurity function with business continuity planning are five percent less likely to suffer a data breach and spend about $10 less per stolen record in recovery costs.
Information Security is Vital to Disaster Recovery Planning
If disaster recovery planning has benefits for cybersecurity professionals, cybersecurity also has a role to play in disaster recovery planning.
In fact, because security breaches are both more common and receive more attention than run-of-the-mill disasters, cybersecurity teams might have better funding and more leverage than business continuity planners. And without sufficient regard to information security principles and practices, some business continuity efforts can inadvertently create gaping vulnerabilities in business systems.
Avoiding the Error of Using Second-Rate Back-Ups
Disaster recovery preparation often involves redundancies– duplication of data and systems, both in terms of backups and the failover equipment itself. The same attention to security that goes into production systems is not always lavished on their backup counterparts, however.
Spare servers may be powered down, sitting offline waiting for an incident that requires their use, but while they are on the shelf, they are not being patched and secured to the same standards as the live gear.
Disaster recovery hot sites can sometimes be neglected in information security preparation. Often lightly occupied, they may be ripe for physical penetration. Running outside the main corporate network, they may not be as frequently evaluated for vulnerabilities.
Even worse are poorly secured backup data. While backing up company information is critical for both business continuity and security, ironically the backups themselves may be relatively insecure: unencrypted files stashed in poorly maintained archives that offer one-stop shopping for any hacker looking for corporate data that is – by virtue of the fact that its located on a back-up server – important enough to be worth saving.
Security analysts should be involved at every step of the disaster recovery planning process, probing for potential vulnerabilities. Additionally, information assurance engineers may be brought in to perform the necessary tasks of locking down, encrypting, and hardening systems used for disaster preparedness.
It is ultimately the responsibility of the CIO to integrate the cybersecurity and business continuity functions inside and outside the IT department.
No cybersecurity effort is complete without user education and coordination; likewise, no business continuity plan can expect to succeed without users who both have input on important components of the plan and who are well-versed in its execution.