By Jeff Mansir
Over time and through experience, we have learned that cyber-attacks will happen, some will be successful, and the ability to recover from a successful attack is something that must be considered and addressed. Defensive measures alone can no longer realistically be expected to safeguard an information network. An attack will happen; what will you do when it does?
Business continuity plans often rely on physical segregation between production data and backup facilities, assuming a disaster affecting the production network will not adversely affect a backup facility located off-campus. This is naïve, as cyber-attacks are (by definition) not limited by geography. A cyber-attack can target several facilities at once, including backup sites or third-party backup site hosts, challenging our assumptions regarding which data and resources will be available in a disaster. If there is a consistent Achilles’ heel in business continuity plans that manifests itself in testing or practice, it is faulty or inadequate communication links between sites.
Questions to ask include:
- Does your current plan include an assumption that all sites and communications amongst them will remain operable?
- Does your plan focus on highly impactful scenarios from the 1900s (fire, flood) at the expense of more likely disruption from cyberspace?
- Do you effectively air-gap your logical network from critical systems that do not need to be, and should not be, networked?
Cyber threats can be launched by a disgruntled employee or a person placed in the financial institution deliberately to carry out a cyber-attack. Often, these employees perpetrate their attacks using authorized access, albeit with excessive privileges. You need to consider the possibility that a knowledgeable insider may cause a disruptive event, and the potential impact of the event on business resilience. Employee screening, dual controls and segregation of duties are some examples of controls that can help to mitigate the risks of an insider attack.
You’ve contracted with a renowned and capable vendor to provide data hosting and the space needed to carry out your business continuity plan. The vendor is a known entity and receives sterling references in your area — so good, in fact, that everyone within 100 miles uses the vendor for their contingency planning.
Nobody wants to declare a disaster and show up in the parking lot of their disaster recovery site to a scene from The Hunger Games because the host maintains 200 seats for its 650 clients. We tend to be good at evaluating vendor capabilities using financials and third-party audit reports, and less aware of concentration risk — overreliance on a few key vendors, often specific to our location or industry.
Questions to ask:
- Are you using a key vendor or service provider because everyone else does?
- What would be the impact of a local disruption of power or connectivity to your critical vendors? How available will they be when you really need them?
Let’s say your monitoring systems worked as designed, alerted you to a security incident in progress, and you quickly enacted contingency plans to keep business operating as usual. You aren’t sure exactly what happened, however. As a result, you aren’t sure precisely how to fix the issue.
This is what happens in a cyber-attack. You tend to focus on the symptoms of the issue, restoring data and accessing backup systems as needed. You test these steps as part of your existing, annual business continuity plan. But what caused the issue? Did you eradicate the malware? Did you patch the network vulnerability? Is the attack still happening?
An organization experiencing a cyber-attack will likely need to simultaneously investigate an ongoing security incident and execute disaster recovery strategies. Have you considered retaining third-party forensic and incident management services? If you choose to go it alone, do you have dedicated resources that can investigate an incident while recovery efforts are occurring?
Ensuring “resilience” is the critical bridge between having a business continuity plan and having a plan that ensures business continuity. There is no substitute for asking hard questions of your planning and assumptions, challenging existing knowledge and thinking strategically when the initial impulse is to dive into details. Don’t be afraid to leverage partners with a different perspective. Be skeptical, be wise, but above all — be prepared!
Jeff Mansir, CPA, CISA, is a senior manager in the Risk and Business Advisory Practice specializing in AICPA SSAE 16 at Baker Newman Noyes (www.bnncpa.com).