Keeping a business up and running during a problem takes the right people for the job. When it comes to cyber resilience through tough times, many things come down to the human factor. We focused on that in the first piece in this series, but it also makes a big difference to the second topic: business continuity. So, how do you make sure that your business processes and functions keep running during a disruption?

Where Cyber Resilience Meets Business Decisions

First, what is a business function? Information security managers and staff need to know because it’s important for them to be comfortable with the language of business. Doing so is simply a part of creating and managing a strong cybersecurity program. Part of that language includes knowing the nuances between business continuity, disaster recovery and continuous operations. The IBM System Storage Business Continuity: Part 1 Planning Guide provides some very helpful guidance in Section 1.1 showing these nuances. For work, you may have to be able to explain them. They could come in handy when you start looking for internal backing for your cyber resilience efforts.

In essence, a business function is the set of tasks a department performs to produce an output. This is a very basic explanation, different for different jobs. But for our purposes, it suffices. A business process is often a set of chained tasks performed by people or equipment to produce a service or a product.

Together with disaster recovery and other resilience strategies, sound business continuity planning helps spot stakeholders. It also better positions your group to respond to incidents that could impact your finances, brand, reputation and value.

Therefore, whatever cybersecurity framework you end up using, business continuity plays a key role. After all, you need to be acutely aware of what services and products your business offers. In other words, while it may be your job to keep the network going and the data at hand, it is a good idea to know why you have to do that. The answer is you need to keep offering the service or product during a disruption.

Plans, Plans and More Plans for Cyber Resilience

If you are unsure where to start when it comes to the business continuity game, two great go-to resources are NIST 800-34 Contingency Planning Guide for Federal Information Systems and ISO 22301:2019. NIST 800-34 is very helpful. It specifies differences between various distinct, but closely related, plans. These include business continuity plans, continuity of operations plans, crisis communications plans and more.

Maybe your organization can develop and execute all of the above plans. If so, your cyber resilience posture is likely quite strong, with the following caveat: plans without testing are just documents collecting dust. Therefore, you need to test your plans. And testing without security mindfulness or culture means you’re just checking the boxes. Therefore, remember that plans are just the first step.

Process Contingency Strategies

Over the past year and a half, some of us were fortunate enough to work from home. This is a unique example of a process contingency strategy. Business processes shifted to remote work because of a disruption.

Below are some of the more common process contingency strategies. Picking which one is right for you and your business is a function of criticality, practicality and risk tolerance.

Process Transfer: As the name says, the process gets transferred to another person or piece of equipment. You could transfer it in-house, but do not rule out a managed service provider, either. This is where formal contracts and memorandums of understanding need to be in place already.

Also, pro tip here: throughout the cyber resilience journey, if you are relying on a third party, make sure you know what your prioritization is. Remember, a disruption may impact more parties than just you, and that third party you are relying on may be supporting many others. Any cyber resilience roadmap development requires you to know what your resources are. Third party functions and service offerings fall into that category.

Alternate Site: The process is carried out at an alternate location. It is worth noting in this case that an alternate site may or may not be owned and operated by your organization. Again, you need to be up to speed with what your third party contract agreements are.

Remote Work: There is a nuanced difference here between alternate site and remote work. The perfect example for many is working from home. After all, you are not really working at an alternate site in this case.

Follow the Sun: You will see this strategy for organizations that normally have a global footprint. This doesn’t apply to every company, of course. But it’s useful for large enterprise resources spread throughout the globe. In the most basic form, the follow the sun model means that offices in different time zones pass processes between them. It sounds very practical in theory, but in practice it may be a bit more difficult. After all, it requires different regions to handle not only their local processes, but those of the region that has been disrupted. This may require some extra coffee pots.

Depending on your business model, you may be able to come up with some more contingency strategies for your processes, but practicality needs to come into your decision-making. A small business, for example, may not be able to transfer a process because they have limited staff. This is where succession planning comes into play. But what you should begin to notice is that there are a lot of pieces moving here and more to come on the cyber resilience journey.

Putting the Puzzle Pieces of Cyber Resilience Together

In the next article in this series, we will talk about disaster recovery and identifying interdependencies. Disaster recovery is an interesting topic because of the cloud. Briefly, much of the literature and practice surrounding disaster recovery was written during the time of data centers and colocation sites. So, stop by next time to see how the cloud is changing the disaster recovery discussion.
