A cyber attack is a street fight
A successful cyber attack can shut down operations, not just for a few hours, but for days and weeks. The collateral damage, such as information leaks, reputational damage and so on, can continue for much longer.
Organisations realise that more cyber attacks are to be expected in the future, and that they will grow in scale and sophistication over time. Organisations rarely know that their IT environments have been breached until it is too late. By that point, an organisation may have much of its IT infrastructure infected with malware, face ransom demands for its data, or suffer other destructive attacks that leave data compromised or lost.
In the time between the initial breach and its detection, the attackers are likely to have compromised many systems and applications, systematically elevated their privileges in the environment, and compromised, destroyed or encrypted data.
To ensure effective enterprise-wide risk containment, cyber security and business continuity management leaders must align their processes. This requires two distinct phases: a planning phase that identifies the best practices to apply before you experience a cyber attack, and a response and recovery phase that identifies the best practices that apply once you are in crisis mode.
Even organisations that do have a cyber incident plan sometimes assume that an incident is an orderly affair, following a well-defined procedural pathway. Authors of these plans often assume that the attacker will have one mode of attack, that the incident will be a relatively simple and brief affair, and be similar to a typical technology failure.
The reality is different. A cyber attack is a street fight. You are not dealing with a technology failure, although a manufactured technology failure might be one of the methods used against your enterprise. Rather, a motivated individual or groups of individuals that have decided to target the organisation have left your business with a messy, chaotic and long-term event.
Cyber attacks must be viewed as large-scale business operations crises and, therefore, must be handled from an enterprise continuity of operations perspective. Integrating established business continuity management best practices into the existing computer security incident response process can boost the organisation’s ability to control the damage of a cyber attack, speed up the efforts to get back to normal operations and, therefore, reduce some of the financial impact of the cyber attack.
- Business impact analysis can quickly identify whether the affected IT services, operating locations, partners, suppliers and other third parties are mission-critical to the organisation.
- Crisis communications processes and automation set up for traditional business continuity management disruptions can be leveraged for a cyber attack.
- Business recovery and resumption plans can be used if IT services are shut down by the cyber attack and while waiting for cleansed IT services to become operational.
- IT disaster recovery procedures can be used to restart systems and restore data in the right sequence.
- Crisis management automation can be used to manage the organisation’s overall response and recovery from a cyber attack.
Aligning the business continuity management and computer security incident response teams ensures collaboration through proactive team development and cross-team representation throughout the organisation. It also means that both disciplines are involved in all phases of the incident cycle: planning, budgeting, strategy development, exercising, event response, programme management and governance.
Roberta Witty, Research Vice President at Gartner and Rob McMillan, Research Director at Gartner.