Cyber resilience beyond BCM

Business continuity (BC) and disaster recovery (DR) have long been closely related practices that help organizations remain operational after adverse events. Now, as planned and orchestrated cyber threats continue to grow in volume — and can avoid detection for weeks or months — organizations are moving from threat prevention strategies toward holistic cyber-resilient models.

“Blocking threats is still critical. However, it is equally important to be able to respond to an attack.”

Manmohan Singh

Grant Thornton Cybersecurity and Privacy Managing Director

“Blocking threats is still critical. However, it is equally important to be able to respond to an attack,” said Grant Thornton Cybersecurity and Privacy Managing Director Manmohan Singh. Organizations must be ready to mitigate damage, protect mission-critical data and enable recovery with assured data integrity for continuing business operations.

Most organizations evaluate their cybersecurity maturity according to the NIST cybersecurity framework. However, that framework is 80% focused on identification, protection and detection and only 20% on the ability to respond to and recover from a cyber breach. Accordingly, most organizations invest about 80% of their cybersecurity spending on identification, protection and detection, with only about 20% for response, recovery and business continuity.

This imbalance leaves organizations vulnerable and ill-prepared to comply with new rules proposed by the SEC that would require SEC filings to include details about business continuity, contingency and recovery plans in the event of a cybersecurity incident.

The importance of cyber resilience

NIST SP 800-172 defines cyber resilience as “The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. Cyber resilience is intended to enable mission or business objectives that depend on cyber resources to be achieved in a contested cyber environment.”

Cyber resilience gives executives the visibility and confidence to maintain effective business resilience, and helps answer these questions:

Are our perimeter, network, endpoint, application security measures enough to protect us from a ransomware attack?
Do we have a last line of protection, with all data/device compromise in place, in an event of cyberattack?
What is our mission-critical data?
Do we have a risk-based view that incorporates data criticality, for recovery purposes?
How do we ensure ransomware cannot alter data integrity?
Are our backup images recoverable and healthy?
Can we protect and isolate data from cyberattack penetration/influx?
How will we ensure our data sanity check is completed and analyzed for ransomware corruption?
Can we scan data and images to identify irregular patterns or changes?
How much time do we take to recover applications, in the case of a ransomware attack?
Can we perform malware-free surgical recovery, with a quarantine to recover only clean data?
How can we identify potential ransomware attack vectors and the penetration scale?
Can we identify files and data structure affected by ransomware?
Is our data protected on recovery solutions in compliance and adherence with regulations and governance rules?

Cyber resilience beyond BCM

Traditional business continuity management (BCM) programs have focused on developing strategies for the unavailability of systems, people and facilities. They have not focused on introducing new strategies that enable businesses to survive in today's high-risk environment.

Here is a snapshot of key metrics and how traditional BCM differs from today’s cyber resilience requirements:

How to evolve from BCM to cyber resilience

“When data becomes your primary focus, it’s easier to tackle your cyber resilience needs.”

Manmohan Singh

Grant Thornton Cybersecurity and Privacy Managing Director

“When data becomes your primary focus, it’s easier to tackle your cyber resilience needs,” Singh said. To build a cyber resilient environment that protects your data and is ready to bounce back quickly from attacks, there are seven steps you need to take.

7 steps for cyber resilience

Know your data: It’s imperative to know what is critical, and what you should prioritize protecting. So, you need to identify and classify the different types of data, determine where those types are stored, evaluate file access permissions, and document the data “crown jewels” for your organization.
Create a framework: Choosing the appropriate framework for your business is a strategic decision, and is one of the early steps in building your cyber resilience program. Frameworks can vary in terms of industry focus, type of requirements, number of requirements, and other complex factors. It is critical to select a framework that provides a common language for understanding, managing, and expressing cyber resilience risk to internal and external stakeholders. It also needs to help identify and prioritize actions for reducing cyber resilience risk, integrating with your enterprise risk management program.
Evaluate and implement technology solutions: There are myriad technology solutions that claim to provide cyber resilience requirements. It is important to look at your underlying environment (including on-premise and cloud data storage) and ensure the adaptability of a solution. The architecture of the solution is critical, to ensure that immutable copies of data are stored in a segregated air-gapped network along with data parameters and rules defined for replication. Document the recovery time objective and recovery point objective for a cyber breach scenario, and get approval from business owners.
Update current plans: Update all of your BC and DR plans to define a cyber breach scenario that includes loss of data, along with the steps to recovery from immutable data copies. Also update your cyber incident and crisis management plan to include triggers for data recovery during cyber breaches.
Education: Provide awareness and response training when you are establishing cyber resilience, then recurringly so that your IT teams and plan owners stay aware of the resilience scenarios and steps they must take during cyber breach.
Test and measure: Put systems and controls in place that identify suspicious activity before it becomes an existential threat. This includes monitoring user behavior and detecting anomalies in storage or file system behavior. Test your cyber response recovery plan, including operational response and automated response, every six months or more often for crown jewel systems. Define and measure your key metrics as part of the testing process.
Evaluate and update: Make sure that all team members know their responsibilities in an emergency. Your testing process should provide feedback to ensure you update your plan as threats evolve and lessons are learned in the aftermath of testing or attacks. Be sure to share all plan updates with internal and external stakeholders, so you have a cohesive response if an attack occurs.

It’s important to understand that cyber resilience is not a technology problem to solve. It needs to be a discipline woven into the fabric of an organization’s ecosystem. Remember that the goal of cyber resilience isn’t to prevent intrusions; it’s to prevent intrusions from disrupting your organization’s business operations by protecting its most valuable asset — its data.