Get Cyber Smart: How to Make Sure Recovery Plans Align with Information Security Needs
Recovery plans and strategies cannot be created in a silo. Instead, they should be developed in coordination with the cybersecurity department to ensure that recovery measures do not inadvertently create vulnerabilities that can be exploited by hackers. The best way to do this is by making sure business continuity is integrated into a robust information security governance framework.
Related on MHA Consulting: Be a Hard Target: Train Your Employees in Security Awareness
A Uniquely Vulnerable Time
In the context of business continuity, the recovery period is a vulnerable one for any organization. A company that has suffered an outage or disruption for any reason, and which is in the process of recovering its systems and operations, is at a heightened level of vulnerability to every type of event.
The danger from cyberattacks grows especially acute during this period.
Thanks to bots and other types of automation, cyberattacks in today’s world are “always on.”
When organizations grappling with outages turn to such common recovery measures as having employees use their personal computers and phones, this frequently creates security gaps. Typical causes of such gaps include personal devices’ lack of appropriate antivirus software, the relaxation of the customary restrictions on data sharing, or a reduced level of monitoring.
During recovery, attack bots can sniff out these gaps and pour through them.
This is why cyberbreaches happen as often as they do: all it takes is one hole.
Integrating BC and Cybersecurity
For these reasons, it’s important that the business continuity office and the cybersecurity team work together to make sure that the organization’s recovery plans and strategies are consistent with its information security needs.
A recovery measure that opens a hole in the organization’s cyber defense is likely to do more harm than good over the long term. Continuity plans and actions need to be reviewed to make sure they conform with infosec requirements.
BC and cybersecurity need to work collaboratively to ensure that the plans and strategies intended to help the organization continue its critical operations will also preserve information security.
Information Security Governance
“Information security governance” is the term used for the framework of policies and procedures companies develop to protect their information assets.
This governance can be broken down into eight key areas, ranging from the rules governing employee use of company computers to policies on applying security patches.
Let’s look at each of these eight areas from a BC perspective—and specifically from the point of view of making sure that recovery measures do not compromise information security.
- Cyber policy. These are the company’s rules governing computer use and data sharing. This policy sets forth how employees will use the organization’s devices: laptops, phones, servers, etc. During an event, use of devices often diverges from the norm. Continuity actions need to be consistent with cyber policy, and the policy should address such matters as how exceptions will be handled during an outage.
- Risk assessment. Organizations should conduct regular, ongoing assessments of the risks that threaten their cybersecurity. As stated previously, recovery plans and strategies themselves can pose risks to the organization’s information security, so these measures need to be included in any risk assessment.
- Penetration testing. This is when the cybersecurity team or an outside firm attempts to break into the computing environment like a hacker would. Such testing typically occurs when the system is in a normal state, but it can be done when the organization is in recovery mode. This can reveal vital information about the heightened vulnerabilities that often arise during recovery.
- Cyber steering committee. The leadership team in charge of information security governance. Ideally, this group will be aware of the need to integrate cyber security and business recovery.
- Third-party controls and assessment. Addresses the use of outside services such as those from Microsoft and Google or outside experts such as consultants. From the BC point of view, recovery plans and actions that envision turning to such services need to be consistent with security requirements.
- Remote work polices and oversight. Sets forth the standards employees must follow when working remotely. Outages can also impact remote workers, so there will likely be recovery measures pertaining to those workers. Those measures need to be in alignment with the organization’s security needs.
- Physical access policies. These are the cybersecurity rules governing what people can do in physical terms: walking around in a building, accessing various rooms and equipment, and so on. Some of the measures envisioned in recovery plans and strategies might involve changing the usual physical arrangements. Physical access policies needs to ensure these changes don’t introduce new cybersecurity gaps.
- Patching polices and oversight. These polices are to ensure that devices are patched appropriately and that mitigations are implemented if the devices can’t be patched (due to age, for example). Devices that fall behind can become a major vulnerability. Mitigation strategies to address patch-related vulnerabilities should be addressed in recovery plans.
Effective information security governance is crucial for safeguarding company assets. The governance framework should recognize the BC department’s need to develop recovery plans and strategies while also making sure those measures do not compromise cyber security.
Restoring Critical Operations While Preserving Security
Organizations that are in the process of recovering from disruptions are uniquely vulnerable to cyberattacks. This is because many common recovery measures inadvertently introduce gaps in cyber defense, gaps that can be exploited by today’s relentless attack bots.
An effective information security governance framework can help reduce these vulnerabilities. By promoting the alignment of recovery measures with cyber defense needs, such a framework can enable the restoration of critical operations while also safeguarding the organization’s vital information assets.
Further Reading
- Be a Hard Target: Train Your Employees in Security Awareness
- BCM Basics: the Difference Between Business Continuity and Disaster Recovery
- The Benefits of Stressing Out: Why You Should Stress Test Your Recovery Plans
- How GRC Can Help You Gain Real Control
- Cyber Self-Defense: Prepare for the No. 1 Threat By Taking These Five Steps
Richard Long
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.
