Cyber Resilience: Make a Practice of Revisiting Assumptions

February 2016

Over time and through experience we have learned that cyber-attacks WILL happen, some WILL be successful, and our ability to recover from a successful attack is something that must be considered and addressed. Defensive measures alone can no longer realistically be expected to safeguard an information network. An attack will happen; what will you do when it does?

Simultaneous Attack

Business continuity plans often rely on physical segregation between production data and backup facilities, assuming that a disaster impacting the production network will not adversely affect a backup facility located off-campus. This is naïve, as cyber-attacks are (by definition) not limited by geography. A cyber-attack can target several facilities at once, including backup sites or third-party backup site hosts, challenging our assumptions regarding which data and resources will be available in a disaster. If there is a consistent Achilles’ Heel in business continuity plans that manifests itself in testing or practice, it is faulty or inadequate communication links between sites.

Does your current plan include an assumption that all sites and communications amongst them will remain operable?

Does your plan focus on highly impactful scenarios from the 1900s (fire, flood) at the expense of more likely disruption from cyberspace?

Do you effectively air-gap your logical network from critical systems that do not need to be, and should not be, networked?

Insider Threats

Cyber threats can be launched by a disgruntled employee or a person placed in the financial institution deliberately to carry out a cyber-attack. Often, these employees perpetrate their attacks using authorized access, albeit with excessive privileges.

Consider the possibility that a knowledgeable insider may cause a disruptive event, and the potential impact of the event on business resilience. Employee screening, dual controls, and segregation of duties are some examples of controls that can help to mitigate the risks of an insider attack.

Concentration Risk

You’ve contracted with a renowned and capable vendor to provide data hosting and the space needed to carry out your business continuity plan. They are a known entity, and they receive sterling references in your area – so good, in fact, that everyone within 100 miles uses them for their contingency planning.

Nobody wants to declare a disaster and show up in the parking lot of their disaster recovery site to a scene from Hunger Games because the host maintains 200 seats for their 650 clients. We tend to be good at evaluating vendor capabilities using financials and third-party audit reports… and less aware of concentration risk – overreliance on a few key vendors, often specific to our location or industry.

Are you using a key vendor or service provider because everyone else does?

What would be the impact of a local disruption of power or connectivity to your critical vendors? How available will they be when you really need them?

Fatigued Response

Let’s say your monitoring systems worked as designed, alerted you to a security incident in progress, and you quickly enacted contingency plans to keep business operating as usual. However, you aren’t sure exactly what happened, and as a result, you aren’t sure precisely how to fix the issue.

This is what happens in a cyber-attack – you tend to focus on the symptoms of the issue, restoring data and accessing backup systems as needed. You test these steps as part of your existing, annual business continuity plan. But what caused the issue? Did you eradicate the malware? Did you patch the network vulnerability? Is the attack still happening?

An organization experiencing a cyber-attack will likely need to simultaneously investigate an ongoing security incident AND execute disaster recovery strategies. Have you considered retaining third-party forensic and incident management services? If you choose to go it alone, do you have dedicated resources that can investigate an incident while recovery efforts are occurring?

Ensuring ‘resilience’ is the critical bridge between having a business continuity plan and having a plan that ensures business continuity. There is no substitute for asking hard questions of your planning and assumptions, challenging existing knowledge, and thinking strategically when the initial impulse is to dive into details. Don’t be afraid to leverage partners with a different perspective. Be skeptical, be wise, but above all – be prepared!

If you have any questions or would like to discuss this further, please contact your BNN advisor at 1.800.244.7444.

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.