The Four Keys to Ensuring Continuity of Operations During a Cyberattack

SolarWinds, Microsoft and FireEye are large organizations with extremely well-developed cybersecurity programs in place, yet a group of Russian attackers executed a successful cyberattack that impacted each of them. Another group of attackers, presumably backed by the Chinese government, also successfully attacked SolarWinds. Considering Microsoft and possibly SolarWinds provide software, patches and updates which most organizations use to operate, executives should be concerned. While these trusted sources deliver software that is critical to many organizations, the software they provide may have been compromised allowing malicious attackers access to another organization’s operations.

No one can overstate the significance of cyberattacks and the threats they present to every organization. If the SolarWinds attack has taught us anything, it’s that every organization, whether public or private, large or small, should act now by conducting an immediate review and evaluation of its current information security program and the risks to their organization’s business assets.

As executives consider the many recent successful attacks in the news and their own organization’s risks, the idea of properly securing systems and assets can seem overwhelming. After all, if Microsoft can’t do it, how can their organization?

Cybersecurity, however, is not only about preventing successful attacks. Reacting to and recovering from cyberattacks should be a major part of an organization’s continuity of operations plan (COOP). In the same way an organization’s COOP provides preparation and response plans for natural events such as hurricanes and blizzards, the COOP should have preparations and incident response plans for cyber events. Security experts say it’s not a question of if an organization’s systems will be penetrated, it’s a question of when. 

Ensuring continuity of operations in the event of a cyberattack consists of four key elements: executive buy-in, determining key assets and the risks to them, creating a security team and developing a security plan. Each of these elements consists of multiple steps, which step an organization is on will vary. For example, one organization may have completed risk and gap analyses and identified key assets but lacks executive support and can’t develop a security team. Another organization may have strong executive support but lacks the necessary staff with the skillset to complete an asset risk assessment and develop a security plan. Further, some organizations will have completed the steps and be prepared to appropriately react to an incident and suffer minimal loss of operational functionality. Regardless of an organization’s cybersecurity maturity, these four areas should be reviewed and updated as part of an ongoing COOP process. Executives should understand that, even with a well- developed cybersecurity program, there is no guarantee that an organization will not suffer a successful attack.  That’s why it’s critical to have a continuity of operations plan with specific incident response plans for cyberattacks.

Secure executive buy-in

Developing executive support and maintaining executive support are two separate efforts. A strong cybersecurity program with executive backing takes work, but demonstrating how a cybersecurity program supports the organization’s strategic goals helps achieve that buy-in. Executives understand risks and the need to mitigate them to an acceptable level. Highlighting the mitigation value of a strong cybersecurity program is often enough to gain executive support.

Maintaining that support is the next step. Just as every business unit must demonstrate how it fits into the organization’s strategic plan and goals, the cybersecurity program must do the same. When a cybersecurity program is working, there is little to be seen from an executive level, so reporting that “nothing significant happened today, this week, this month…” does little to justify the budget allocated for cybersecurity. When security leadership validates costs in business terms that executives normally deal with, maintaining support at that level is easier to achieve. 

Determine key assets and their risks.

Once executive support is in place, a standard Continuity of Operations approach includes assets and risks. What is necessary for the business to continue operating in the event of crisis? Secure the human element and the revenue stream and ensure the ability to pay creditors and employees. Each system or process should be categorized based on the risk to the organization—high risk systems need more security and controls than low risk systems. Security is not a one-size-fits-all affair.

Create a security team.

While determining the assets, an organization can be reviewing the security team, modifying and training as needed. As an organization changes, the security team will need to change too. Matching the skills of the security team to the needs of the organization is also important. For instance, a company migrating systems to public, cloud-based systems needs to add skills in cloud security.

Develop a security plan.

With executive support, a good understanding of the organization’s operational needs and a security team in place, developing or updating the security plan may be the easiest part of the process. Security frameworks are available to use as models or templates and can be customized to match an organization’s needs. Government organizations often build from the National Institute of Standards and Technology (NIST) cybersecurity framework and the ISO 27001 framework.  While these are the most commonly used, organizations should review the framework options available to determine which one meets their needs best.

As with any maturity model, an organization will not go from having no security program at all, to a fully mature, comprehensive program overnight. It takes time, planning and support and will have a cost. Information security isn’t a revenue source for any organization. It should be viewed as a commodity, much like electricity— necessary for operations.  

Each step in reviewing and developing your cybersecurity program will be examined in greater depth in individual articles to be presented in the next few weeks on our thought leadership platform, Beyond Engineering.