Capping a growing trend over the last decade, 2020 was a boom year for cybersecurity breaches, with 36 billion records exposed in the first half of the year alone, and 88% of organizations reporting some form of spear-phishing attempts the calendar year before. There’s a reason the information security market is expected to reach $170 billion next year as companies of all sizes attempt to reduce risk across all surfaces.
But with 95% of breaches attributed to human error, and no practical way to take people out of the loop without hurting productivity, some attacks will succeed. The best way to address this risk is a combination of prevention and continuity planning. By focusing on resilience, the actions you take after a breach to minimize downtime, protect your business and its vital data, and get operations running again as quickly as possible, you fulfill your directive to support and protect business functions.
But what should an effective business continuity plan look like? Let’s take a closer look at four of the key steps you should focus on to ensure minimal disruption in the event of a cybersecurity breach.
Perform a Risk Assessment
Before creating your plan, it’s important to understand which threats pose the greatest risk to your business. A business continuity or risk management framework, such as those published by ISO or NIST (or an industry-specific equivalent), gives you a methodical way to work through a series of increasingly granular steps rather than relying on guesswork.
The goal of this process is to better understand your core business objectives and the systems that support those objectives and then to identify the specific assets in your organization that support those systems and processes. When you know what the most vital elements of your business are, you can look at how something could be at risk. How can the processes and assets you have in place fail? What outside or inside factors could lead to a failure? The more potential threat vectors you understand, and the better categorized those threats are, the more effective your business continuity plan will be in responding to a disaster when it occurs.
Understand the Impact on Your Business
According to the US Department of Homeland Security, the first step in building a business continuity plan to address the risks you’ve just identified is to evaluate the impact of a disruption on your business. Specifically: if an outside event occurs, whether a cybersecurity breach or a natural disaster of some sort, what happens to your business, and how large is the impact?
Such an analysis should look at lost or delayed sales and overall income, additional expenses you’ll take on outsourcing tasks, working overtime, or repairing systems, delays in your business plan execution, losses due to contractual obligations or breaches, and a general loss in brand recognition and value with your customers. A successful business impact analysis provides a numeric score for specific risks. The higher the score for an individual risk, the greater the potential impact if there is a disruption and the greater the danger of that particular risk. This can be automated in many cases depending on what framework you are using for your risk assessment.
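The two steps above, mapping assets to the business processes they support and then scoring each threat, can be captured in a small risk register. The following is an added illustration written for this page, not Bedroc’s tooling or the official scoring method of any ISO or NIST framework. It assumes a simple likelihood × impact scheme on 1–5 scales, weighted by how many business processes an asset underpins, and all process names, revenue figures, dependencies and threats are constructed sample data.

```python
"""Toy business impact analysis (BIA) scoring for a risk register.

Added example: the scoring scheme (likelihood x impact x breadth) and all
data below are assumptions constructed for illustration, not a standard.
"""
from dataclasses import dataclass

# Business processes and the annual revenue (assumed) each one carries.
PROCESS_REVENUE = {
    "order-processing": 4_000_000,
    "customer-support": 1_000_000,
    "payroll": 500_000,
}

# Constructed dependency map: which assets each process needs to run.
PROCESS_DEPENDS_ON = {
    "order-processing": {"erp-db", "web-frontend", "identity-provider"},
    "customer-support": {"ticketing-saas", "identity-provider"},
    "payroll": {"hr-saas", "identity-provider"},
}


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str        # asset the threat would take down or compromise
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe), direct impact on the asset


# Constructed sample threat register.
THREATS = [
    Threat("ransomware on ERP database", "erp-db", likelihood=4, impact=5),
    Threat("identity provider outage", "identity-provider", likelihood=2, impact=5),
    Threat("phishing of support agent", "ticketing-saas", likelihood=5, impact=2),
    Threat("payroll SaaS breach", "hr-saas", likelihood=2, impact=3),
]


def affected_processes(asset):
    """Business processes that depend directly on the given asset."""
    return {p for p, deps in PROCESS_DEPENDS_ON.items() if asset in deps}


def revenue_at_risk(asset):
    """Annual revenue carried by every process the asset supports."""
    return sum(PROCESS_REVENUE[p] for p in affected_processes(asset))


def score(threat):
    """Risk score = likelihood x impact x breadth.

    Breadth is the number of business processes the asset supports (at least 1),
    so a shared dependency is penalised more than an isolated one.
    """
    breadth = max(1, len(affected_processes(threat.asset)))
    return threat.likelihood * threat.impact * breadth


def ranked_report(threats=THREATS):
    """Return (threat name, score, revenue at risk) tuples, highest score first."""
    rows = [(t.name, score(t), revenue_at_risk(t.asset)) for t in threats]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for name, s, rev in ranked_report():
        print(f"{s:>3}  ${rev:>10,}  {name}")
```

Note what the breadth weight does: the identity-provider outage has the lowest likelihood in the register but ranks first, because every process depends on that one asset. That is exactly the kind of shared dependency a pure likelihood × impact score on the asset alone would under-rank, and it is why the dependency mapping from the risk assessment has to feed the impact analysis rather than being done separately.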
Create a Cohesive Business Continuity Plan
Using your risk assessment and business impact analysis, you can now develop a business continuity plan. What this looks like will depend heavily on your industry and the outcomes of your earlier assessments. For example, the nature of your IT infrastructure will directly shape how you approach backing up and protecting critical data. If you manage on-premises servers, backup data centers are an important resource in ensuring continuity, whereas a hybrid or cloud infrastructure will call for a very different approach.
It’s also important to perform the same steps outlined above for each of the third-party services and providers you work with. This includes cloud service providers and contractors who might interact with your systems and data in meaningful ways. Many companies implement policies to test the resilience of third parties on a recurring basis to ensure there are no issues.
The most important thing is to have a well-documented policy in place that is shared with all senior decision-makers and executives, as well as your operations team. If there is a disruption, everyone should know right away what their role is in resolving the issue to minimize downtime. Having such a plan and running tests periodically to ensure it is executed effectively will not only protect your business, but it will also show investors and stakeholders that you are performing your due diligence to manage risk effectively.
Practice and Monitor for Issues
Having a plan is a huge step. It will guide your response, and with regular review, become a core part of your security procedures. But it’s equally important that you run drills or tabletop exercises on a regular basis to ensure everyone in your plan responds appropriately. This is a good way to check for issues ahead of an actual disaster, ensure new employees or newly promoted members of the team are ready for their new responsibilities and check for weaknesses that could be exploited by a bad actor.
At the same time, understand that risk assessment is not a one-time thing. New risks develop almost constantly in the cat and mouse game between cybercriminals and security experts. And circumstances can change in your business. There’s a reason cyberattacks increased so dramatically in a year of IT upheaval as so many companies went to a work-from-home model. Ongoing assessment and coordinated monitoring of your systems are vital to fully understand what new threats look like before they can impact your business.
Building the Right Business Continuity Plan for Your Company
By preparing for the worst, monitoring for new and developing issues, and practicing with your team regularly, you can reduce the risk of a major disruption if and when a cybersecurity breach occurs. Whether you’re reevaluating your current plans based on recent changes to your business or creating a new plan from scratch, Bedroc’s team of security technology consultants can work with you to assess, analyze, and prepare for anything. Contact us today to learn more.