
4 Ways to Integrate Your Cyber Security Incident Response and Business Continuity Plans

In most organizations, cyber security incident response (IR) and business continuity (BC) or disaster recovery (DR) are still treated as separate functions and distinct disciplines. This is clearly a missed opportunity to maximize resources, since they are two sides of the same coin. These disciplines share the common goals of protecting the organization’s reputation and ensuring continuity of operations. Therefore, it makes sense to integrate them so you can respond to attacks and data breaches more quickly, efficiently, and effectively.

Organizations need to start looking at cyber security IR and BC functions under the same strategic lens to better align company-wide recovery processes and procedures. But how can the two sides come together? Since people often need a motivational push to work outside of their silos, management teams should provide strategic direction to require the BC/DR and IR teams to work together for the greater good of the organization.

Here are four ways leaders can integrate a cyber security incident response plan with a business continuity or disaster recovery plan.

Conduct Regular Joint Plan Reviews

Business continuity plans and cyber security incident response plans should be linked and reviewed jointly with a similar process approach. It’s important to establish a hierarchy of your organization’s emergency plans so that everyone clearly understands how they fit together. That context will enable smoother joint review processes.

Collaborate on Defining Incident Classification and Thresholds

Too often, BC/DR remains separate from cyber security IR because team members have not collaboratively explored incident classification and response thresholds. Many BC and DR events have linkages to technology and cyber security threats. By working together, teams can identify some of the most likely scenarios and test their plans and collaboration accordingly.

Merge Exercise Program Coordination Efforts

BC and DR teams pioneered the process of conducting simulations and drills to test their plans. Cyber security IR plans need testing as well. More and more we find that organizations need additional practice to prepare for major cyber security events. BC/DR exercise planners may shy away from exercise scenarios involving technology if they do not have a technology background. And most technology people don’t know how to properly develop exercise activities. These groups need to partner.

Use a Standardized Communication Process and Tool

We still see many instances in which the BC/DR team has one set of communication tools and the IT/Information Security team has another. However, the processes around communicating necessary information to key stakeholders in an emergency are not unique to the different disciplines. Since the different groups don’t collaborate on requirements definition or budget allocations, these processes and tools remain the same. Again, they operate in silos. Removing those silos helps to establish a common language.


Cyber security events continue to hammer organizations and have a direct impact on the continuity of operations. Depending on the severity of a cyber-attack, a business can sustain loss of personal or financial data, disruption to operations, and significant downtime. For instance, Nuance Communications experienced more than 24 hours of network downtime, and Mondelez International’s ability to ship and invoice was disrupted for days following the Petya incident that rocked the globe in recent weeks. In addition, Merck’s IT systems were still affected four days after this ransomware attack.

Creating a unified front between BC/DR and cyber security IR can reduce redundancies, limit the confusion of responsibilities, and promote the sharing of best practices.

Learn more about our incident response and cyber exercise capabilities in our white paper, “Can Your Team Handle a Breach? How to Use Cyber Exercises to Find Out.”