How security and Business Continuity became inseparable

Aden Axen, Cloud Services Manager at Somerville, tells us the factors that used to trigger Business Continuity arrangements are no longer the biggest concern for Australian organizations.

Business Continuity and business security used to be two distinct and siloed processes.

However, the evolving threat landscape is a sign that organizations must change their mindset and follow a holistic approach by merging cybersecurity with Business Continuity and recovery plans.

One of the key drivers for this is the elevation of cyberattack risk as the most common ‘disaster’ type that organizations believe they will face and must plan for.

Business Continuity and recovery plans were traditionally used to get organizations and their systems up and running following natural disasters like a flood, fire or earthquake, but these kinds of risks now pale in comparison to that presented by the threat of cyberattacks.

Research by Allianz released earlier this year shows that: “Cyber perils are [now] the biggest concern for companies globally in 2022.”

“The threat of ransomware attacks, data breaches or major IT outages worries companies even more than business and supply chain disruption, natural disasters or the COVID-19 pandemic,” the insurer found.

To further illustrate the trend, 44% of respondents worried about cyberattacks compared to 25% who were concerned about the risk of being caught up in natural disasters.

Out of all cyberattack types, ransomware is seen as the most concerning or most likely to trigger Business Continuity processes. Even with backups to restore from, downtime caused by a ransomware infection can be prolonged; on some estimates, the average recovery time is two-to-four weeks, and longer spells aren’t uncommon.

In this context, it makes sense for security and Business Continuity teams to become more closely aligned, because it is only through their collective efforts that efficient recovery from a cyber incident will be possible.

Mapping out a joint response

Ultimately, the objective of a Business Continuity and recovery plan is to restore data as fast as possible, thereby minimizing operational downtime and revenue loss. When everything else fails, it is Business Continuity and recovery planning that will save the day.

To develop a Business Continuity and recovery plan, organizations need to map out and understand the impact of system failures, how long they could function without key systems, what alternative methods and procedures they could use on a temporary or interim basis while regular systems are out of service, and what cost of lost productivity and revenue is sustainable.

The NIST Cybersecurity Framework and its five core functions offer some foundational guidance on how to bring business security and Business Continuity closer together:

  • Identify: Understanding your environment, the risks associated with it, and how they relate to your business goals is crucial to building the defenses required for Business Continuity and recovery.
  • Protect: This function answers the question ‘What are the appropriate controls to implement to protect our assets?’. Selecting the proper safeguards can help you contain or limit the impact of a breach.
  • Detect: Time is an important factor when it comes to business recovery. The faster a cyber event is detected, the faster the repercussions can be mitigated.
  • Respond: Mitigating a cybersecurity attack and limiting the exposure of assets is important to reduce any disruptions or financial costs.
  • Recover: Timely recovery to normal operations is important to reduce the impact of a cybersecurity event. Organizations need to develop activities to increase cyber-resilience and restore services in a timely manner.

Effective Business Continuity management enables organizations to update, control and deploy plans and tools while considering organizational contingencies and capabilities, as well as business needs.

Given each organization and IT environment has its own requirements, it is recommended that a Business Continuity and recovery plan is reviewed, tested, updated and maintained on a regular basis.

Limiting potential losses

It’s worth drawing out one of the aspects of the NIST framework for further emphasis – and that element is time.

An effective Disaster Recovery solution enables failover after a disaster and ensures an organization is back up and running in optimal time.

How ‘optimal’ is defined will vary from organization to organization, but there are two useful measures that organizations should understand.

These are the recovery time objective (RTO), which is the time taken for a system to be recovered and ready for use again by the business; and the recovery point objective (RPO), which is the age of the most recent backup at the moment of failure (reflecting how much data could be lost when Disaster Recovery is initiated).

These will vary depending on the mission-criticality of the system. There are some systems where an RPO of weeks might be acceptable because reversion to manual processes or alternate systems is possible. For systems crucial to day-to-day operations, such as networks, servers or Active Directory, the RPO is zero minutes, and well-defined and well-tested contingencies will be needed.
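As an added illustration that is not part of the article, the following Python sketch checks recorded recovery timings against per-tier RTO and RPO objectives, including the zero-minute RPO case described above. The tier names, objective values and sample timings are constructed assumptions, not figures from Somerville or the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Objective:  # recovery targets for one system tier
    rto: timedelta  # max tolerable time from failure until the business can use the system again
    rpo: timedelta  # max tolerable age of the newest restorable backup at the moment of failure

@dataclass(frozen=True)
class RecoveryRecord:  # observed timings from one incident or recovery exercise
    system: str
    failed_at: datetime
    last_backup_at: datetime
    restored_at: datetime

# Hypothetical tiering (not from the article), spanning its range from an RPO of weeks to zero.
OBJECTIVES = {
    "active-directory": Objective(rto=timedelta(hours=1), rpo=timedelta(0)),
    "erp": Objective(rto=timedelta(hours=4), rpo=timedelta(hours=1)),
    "archive-reporting": Objective(rto=timedelta(days=5), rpo=timedelta(weeks=2)),
}

def evaluate(record: RecoveryRecord, objective: Objective) -> dict:
    """Compare the achieved RTO/RPO of one record against its tier's objectives."""
    achieved_rto = record.restored_at - record.failed_at
    achieved_rpo = record.failed_at - record.last_backup_at  # data written in this window is lost
    return {
        "system": record.system,
        "achieved_rto": achieved_rto,
        "achieved_rpo": achieved_rpo,
        "rto_met": achieved_rto <= objective.rto,
        "rpo_met": achieved_rpo <= objective.rpo,
    }

def report(records, objectives=OBJECTIVES) -> list:
    """Evaluate every record; a system with no defined objective is flagged, never passed."""
    return [
        evaluate(r, objectives[r.system]) if r.system in objectives
        else {"system": r.system, "error": "no recovery objective defined"}
        for r in records
    ]

# Constructed sample from a tabletop exercise dated 1 March 2022 (not real incidents).
T0 = datetime(2022, 3, 1, 9, 0)  # simulated outage start
SAMPLE = [
    RecoveryRecord("active-directory", T0, T0, T0 + timedelta(minutes=40)),  # replica promoted
    RecoveryRecord("erp", T0, T0 - timedelta(hours=3), T0 + timedelta(hours=3)),  # nightly backup
    RecoveryRecord("archive-reporting", T0, T0 - timedelta(days=9), T0 + timedelta(days=2)),
    RecoveryRecord("intranet-wiki", T0, T0 - timedelta(hours=1), T0 + timedelta(hours=1)),
]
```

Running `report(SAMPLE)` shows the ERP system meeting its RTO but missing its RPO because the nightly backup was three hours old, and flags the untiered wiki so that a system without an agreed objective cannot quietly pass a recovery test.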

Organizations will inevitably be exposed to a variety of risky situations in their operational lifespan.

The key is to plan for them and have options when these eventualities play out. Specialist assistance, such as that offered by a managed services provider, is valuable as an additional risk mitigation in this space.

Such relationships can make all the difference, ensuring the best cloud-based security, backup and Business Continuity solutions are in place for the job, as well as access to a team of experts who live and breathe business recovery best practice in a critical time of need.

Intelligent CISO
