The Importance of Business Resiliency in Addressing Cybersecurity Risks
Posted October 13, 2023 by Kevin Finch
Kevin Finch, a Senior Business Continuity Architect at Sayers, discusses the importance of business resiliency and its relationship with cybersecurity. Business resiliency is defined as the ability to adapt, change, or absorb the impact of a business interruption while continuing to provide a minimum acceptable level of service.
Cybersecurity is an integral part of business resiliency, as it helps organizations withstand cyberattacks and recover from them effectively. Kevin emphasizes the need for organizations to define their minimum acceptable level of service and construct their business continuity and cybersecurity programs around it. He also highlights the importance of secure isolated recovery environments in mitigating and recovering from cyberattacks.
Additionally, Kevin emphasizes the role of employee training programs in enhancing the effectiveness of cybersecurity and business resiliency efforts. He recommends regular recovery testing and participation in business continuity exercises to improve preparedness.
Finally, Kevin discusses the evolving intersection between business resiliency, disaster recovery, and cybersecurity in the age of remote work and distributed teams. He emphasizes the need for organizations to secure their operations in this new landscape and ensure systems availability to meet the needs of a remote workforce.
What is Business Resiliency?
People hear resiliency and think business continuity, and that’s got to be a part of it. According to the Disaster Recovery Journal’s Glossary, Business Resiliency is defined as the ability to adapt or change or absorb the impact of a business interruption while continuing to provide the minimum acceptable level of service.
If you think about that in context, if some sort of business interruption or adverse condition comes along, resiliency is going to be the ability of the business to adapt to that adverse condition or to absorb the impact.
The Relationship Between Business Resiliency and Cybersecurity
When you develop your business resiliency program, it is important to figure out what that minimum acceptable level of service is. Generally companies will conduct a business impact analysis. They’ll look at important business services that individual departments or the business as a whole provide and figure out what those minimum levels need to be that the business is capable of absorbing.
Doing a BIA is part of best practices for both business continuity and cybersecurity. Once you have those minimum levels of service, you can construct your business continuity and cybersecurity programs around meeting those minimum levels of service.
Cybersecurity is an integral part of being able to withstand those business interruptions, because if you’re not prepared and don’t know what those minimum levels of service are, then you’re not going to be able to absorb the impact properly.
Mitigating and Recovering from Cyber Attacks with Business Resiliency
Once you’ve defined what those minimum service levels are for your business to be able to function and meet its requirements and obligations, you can take a look at what technology and people you need to invest in. This ensures you meet those Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs).
These days everybody seems to be worried about ransomware, as they should be. Having an appropriately developed business resiliency plan and technology in place is vital for the business surviving an attack.
Adapting Resiliency Strategies for Emerging Cybersecurity Risks
Everybody worries if they are able to recover lost data. Ransomware recovery needs to be done securely so that the data is restored in a timely manner and is separate from your production systems that are infected. This extra layer of security prevents recovered systems from getting reinfected.
The days of being able to have your systems down for a week to recover are gone. I recommend creating a Secure Isolated Recovery Environment (SIRE) as a part of the recovery strategy. You create a separate and secure area to recover your systems into and bring them online separate from your production systems. That allows you to keep your production systems that maybe aren’t infected running and to provide a minimum level of service.
More importantly, it allows you to selectively recover systems before the point they were infected by a ransomware attack. This way you can individually recover those systems to the exact point in time that you need and bring them back online without any danger of reinfecting systems that are in your production environment.
It can also help the performance of your recovery efforts because you have this isolated environment. It’s not going to be burdened by record locking, network traffic, application requests, etc. that are generally going on in your production environment. Production inevitably has problems, and if you’re recovering into this isolated environment, you’re not going to have those issues. If you have a Secure Isolated Recovery Environment constructed, you can do your systems restore testing much more easily. This helps your cybersecurity, business continuity and disaster recovery efforts. With a Secure Isolated Recovery Environment built, you can do testing anytime you want to, as often as you want to without interrupting production. Some companies test one or two times per month just because they have the capability to do so. The more times you test your recovery process, the better you get at it and the smoother the process is when you need to do it.
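Added example (not from the original post or from Sayers): a small Python model of the decisions described above, choosing the newest clean, immutable restore point taken before a suspected compromise and checking the result against the RPO and RTO set during the BIA. The system name, snapshot times, compromise time and objectives are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Snapshot:
    system: str
    taken_at: datetime
    immutable: bool  # True if the copy sits where production hosts cannot overwrite it

# Constructed sample data (hypothetical): backups of one system, with a suspected
# ransomware detonation at 03:10 on 2023-10-10 as the compromise time.
COMPROMISE_AT = datetime(2023, 10, 10, 3, 10)
SNAPSHOTS = [
    Snapshot("erp-db", datetime(2023, 10, 9, 22, 0), immutable=True),
    Snapshot("erp-db", datetime(2023, 10, 10, 2, 0), immutable=True),
    Snapshot("erp-db", datetime(2023, 10, 10, 3, 0), immutable=False),  # writable from production
    Snapshot("erp-db", datetime(2023, 10, 10, 6, 0), immutable=True),   # taken after infection
]
RPO = timedelta(hours=4)  # assumed objectives from a BIA; values are illustrative
RTO = timedelta(hours=8)

def pick_clean_restore_point(snapshots, system, compromise_at):
    """Newest immutable snapshot of `system` taken strictly before the compromise.
    Writable copies are skipped: anything production could write to may itself
    have been encrypted or deleted, so restoring it risks reinfecting the SIRE."""
    clean = [s for s in snapshots
             if s.system == system and s.immutable and s.taken_at < compromise_at]
    return max(clean, key=lambda s: s.taken_at, default=None)

def data_loss(snapshot, compromise_at):
    """Everything written between the restore point and the compromise is lost."""
    return compromise_at - snapshot.taken_at

def recovery_report(recovery_hours):
    """Check the chosen restore point against RPO, and the hours spent restoring
    in the isolated environment until minimum service is back against RTO."""
    rp = pick_clean_restore_point(SNAPSHOTS, "erp-db", COMPROMISE_AT)
    if rp is None:
        return {"restore_point": None, "rpo_met": False, "rto_met": False}
    loss = data_loss(rp, COMPROMISE_AT)
    return {
        "restore_point": rp.taken_at.isoformat(),
        "data_loss_minutes": int(loss.total_seconds() // 60),
        "rpo_met": loss <= RPO,
        "rto_met": timedelta(hours=recovery_hours) <= RTO,
    }

if __name__ == "__main__":
    print(recovery_report(6.5))  # recovery took 6.5 hours
```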
Testing Your Recovery Process
The minimum recommendation in best practices is to test your recovery process annually. However, the more you test the better you get at the recovery process, and the faster you are able to do it.
Every business has a dynamic environment: new systems are added, network configurations are updated, and new data, new employees, new permissions and new files are being added all the time. If you’re only doing recovery testing once per year, you’re not as likely to be successful simply because of the number of changes that have occurred.
Employee Training Programs Enhance the Effectiveness of both Cybersecurity and Business Resiliency Efforts
Many companies have annual cybersecurity training. For example, the training might explain what signs to look for before clicking on anything in an email, and how to make sure messages are legitimate. Some companies will send sample phishing emails to see how well they are caught and to raise employee awareness. The more aware employees are of the attacks coming against the business and the types of attacks that could come, the more prepared they are to deflect them. Training and awareness are absolutely an essential part of cybersecurity, and Business Continuity is very much the same way.
The more you ask yourself, “How can I improve this process? How can I make this process more recoverable? What are the key pieces of this business process that I perform that I need in order to do my job?”, the more prepared the business is going to be when the time comes to actually push the button and recover from something.
Participating in business continuity exercises is crucial. For example, a tabletop exercise or a recovery walk-through exercise allows people to understand how they should react when an adverse event occurs.
Adversarial Attack Simulations
There are advantages both to having an external party come in and to doing it internally.
If a company insider is working on the exercise, they can make more pointed business references, and you can do a better job of bringing those sorts of points to bear as a part of the exercise.
For example, including specifics related to recovery of a particular system or physical security in a particular building in the exercise makes it more realistic. Somebody that knows internal vulnerabilities can also bring them up during the exercise and highlight them as how the business could potentially be interrupted by those vulnerabilities being exploited. Even if you’ve hired an external party to help with your exercise, you’re going to want to have an insider working with you to create those exercises for those very reasons.
However, the advantage of having an external company come in and perform those exercises is that you get an external and unbiased point of view on your internal business systems. Your exercise is being run by someone that isn’t entrenched, isn’t biased by internal politics, and isn’t aware of situations where something currently functions differently than the way it’s documented. If somebody does an exercise to test the quality of recovery documentation and your process isn’t documented, you want to know about it. You don’t want the knowledge of your recovery process walking out the door when somebody leaves the company. That kind of documentation gap can be better highlighted by having an external party come in and do recovery testing for you.
The Evolution of Business Resiliency, Disaster Recovery and Cybersecurity in the Age of Remote Work
Since the pandemic, everybody is thinking about resiliency differently. They have a much better handle on what parts of their business can and cannot be handled remotely. They also have a much better handle on the technology that needs to be in place in order for that to happen. That’s all part of remote work and distributed teams. The pandemic forced everyone to have a big lesson in business continuity overnight. Everyone questioned if they had the systems and technology to let people work remotely. The strategies that organizations needed to employ were different than those with everyone in an office.
From a physical security standpoint, if you have an office, you can put a lock on the door and you can put a lock on the network and not have to worry about it as much. But, if you have 50 people in 50 homes, then physical security is an entirely different problem. You can’t go around and put locks on everybody’s doors. However, you can go through and make sure that the desktop systems your people are using (whether they use a remote desktop, Microsoft Teams remotely on their own personal hardware, or an issued laptop) have secured software. This ensures that your company’s private business information and data is secure.
Another good example is if someone is using a web-based e-mail product and they add browser plugins, then are those browser plugins exposing your business data to third parties? Are those plugins interacting with their calendar or their e-mail? Does some employee’s web-based grammar checker on your web-based e-mail mean that some third party is reading all of your e-mail? That’s a cybersecurity issue that lots of companies are struggling with right now.
As that relates to Business Resiliency, you want to make sure that your systems are secure so that somebody doesn’t infiltrate your systems and create a resiliency issue. Systems availability is more critical than ever because you have so many people working remotely. Employees work different hours based on their lifestyle now, so you can’t shut things off at 5:00 PM when you have people logging in at midnight, 1:00, 2:00, and 3:00 in the morning, especially when you have people doing creative work or programming. Figuring out a strategy that allows your systems to have higher availability in order to meet the needs of your workforce is definitely something that needs to be considered.
If you would like to learn more about what you can do to ensure and optimize business resiliency in your own organization or to chat directly with Kevin, contact us.