Cybersecurity Needs To Be Integrated Into Business Continuity Plans

by Anastasios Arampatzis

Business continuity and cybersecurity used to be siloed processes, but the evolving cyber threat landscape dictates the need for organizations to change their approach and merge cybersecurity into business continuity plans.

Traditionally, a Business Continuity and Disaster Recovery plan is in place to get businesses and their infrastructures up and running following disasters like a flood, fire, or a hurricane. Business continuity is about sustaining critical business functions, not only during a disaster or crisis, but afterwards as well. The way organizations responded to the coronavirus pandemic demonstrated in the most profound way the necessity of business continuity plans.

Digital transformation trends and the increased dependence on a highly interconnected technology for enhancing critical business functions have expanded the threat landscape of organizations. Criminals and adversaries are exploiting novel challenges and vulnerabilities and cyber-attacks have become the most likely threat to business continuity. Cyber criminals always try to capitalize on all opportunities, such as those introduced by the Covid-19 pandemic.

As cyber-attacks continue to increase in number and sophistication, causing significant disruptions to business operations and damages to corporate infrastructure, organizations must ensure that efforts to secure operations are aligned with procedures to maintain/restore these operations in the event of a cyber-attack. The focus of these efforts should be on risk management, resilience to maintain system and data availability, recovery of systems, and contingency planning for all possible scenarios.

Cyber-attacks are likely to be more destructive

A comprehensive approach and the integration of cybersecurity into business continuity plans has become a necessity because the adversarial capabilities and capacities are evolving and becoming more advanced. These capabilities become more destructive in nature, affecting both the physical and the digital world, disabling access to systems and data or even destroying infrastructure.

Cyber-attacks and compromises of established cyber defenses and security controls have become inevitable. All organizations of all sizes are a potential target of cyber-attacks. Small and medium enterprises (SMEs) are usually used as a launching pad to breach larger organizations further down in the supply chain. Digital transformation, remote workforce and cloud-based services blur traditional “castle and moat” security perimeter, further increasing the likelihood of an attack.

Detection, prevention, response and recovery are extremely important to safeguard businesses against the impact and consequences of cyber incidents and data breaches. These consequences can be reputational damage, lost revenue, legal penalties for violating regulatory requirements, and decrease in production efficiency. It is no wonder that the World Economic Forum has ranked cyber-attacks as a top risk for doing business, second only to natural disasters because of the climate change.

In the digital era, the increasing interdependence on IT and the destructive and disruptive impact of cyber-attacks requires businesses to adopt a new approach to business continuity planning and cybersecurity that centers around a close working relationship between the two.

Business continuity and cybersecurity need to work in tandem

Organizations need to integrate their cybersecurity and business continuity teams to align technology investments, and incident response and recovery processes. Business continuity and cybersecurity need an integrated approach to key areas such as access management, incident response and disaster recovery.

The integration and collaboration of cybersecurity and business continuity teams will benefit organizations in many ways, including:

  • Continuity-focused technology investment
  • Shift to DevSecOps processes
  • Focus on threat detection and response
  • Clear roles and responsibilities on who needs to do what in the event of a cyber-attack

Organizations should review their approach to business continuity management and extend the focus beyond data centers and IT assets to maintaining/restoring business operations. Cybersecurity and business continuity teams must collaborate across the whole business, focusing on people, processes and cyber-physical environments for both operational technology (OT) and information technology (IT).

The means of achieving the goals of business continuity and cybersecurity are closely intertwined. There can be no successful business continuity strategy without involving cybersecurity and vice versa. Successful organizations view cyber risks in the same way they do other critical risks. This approach is required for two reasons:

  • The complexity and sophistication of cyber threats has grown dramatically and continues to evolve. The effects of cyber-attacks are expanding well beyond data breaches or business disruption and they have a severe impact on operational safety and reliability, on local communities and on the environment.
  • The competitive need to deploy emerging technologies to lower costs, improve customer experience, and drive innovation is stronger than ever.

Executives need to understand and approach cybersecurity as a strategic, enterprise risk, not just an IT risk. Over the last several years, technology and data have moved out of their supporting roles and taken center stage as critical drivers of strategy. Executives and board members in organizations of every size and sector now recognize that they need to respond to transformational forces that are, according to EY, “global and highly complex, encompassing new business models, new entrants and new markets—and always with the looming prospect of next-wave technology disruptors.”

How to include cybersecurity in business continuity planning

To include cybersecurity in business continuity plans, – helping to respond to one risk, without creating another, organizations could follow the steps below:

  1. Involve the cybersecurity team: Involving the CISO or the cybersecurity team in business continuity planning ensures the consideration of appropriate concerns.
  2. Implement basic security controls: Basic security controls, such as remote working policies, mobile device management and VPN technology, should be included in the business continuity plan.
  3. Emergency access: Ensure appropriate access is granted to third-parties during a crisis to safeguard the continuity of your business operations.
  4. Automate: Automation can make sure that adequate cybersecurity tasks are performed even during an emergency.
  5. Drill the plan: Business continuity plan should be tested as often as possible to ensure it is appropriate.
  6. Train the staff: Training should be the basis of business continuity to make people aware of threats like phishing mails and how to respond to them.
  7. Embed security: Security teams should be embedded in crisis and business continuity planning at all levels of the enterprise to ensure consistency of measures.
  8. Crisis communications: While getting up and running is crucial for business operations, it is just as important to effectively communicate with internal and external stakeholders during a cyber event

How ADACOM helps

ADACOM offers assurance and resilience services to develop and enhance business continuity and disaster recovery plans. We assist organizations to prepare for compliance with ISO22301-Security and resilience — Business continuity management systems. We also perform training on business continuity management issues and facilitate maintenance and testing of their business continuity plans through consistent and comprehensive drills and exercises.

Below are some of the main activities that ADACOM carries out relating to business continuity management: 

  • Identification of legal and regulatory requirements
  • Identification of requirements from stakeholders and business partners
  • Business continuity strategy
  • Business continuity plans, incident handling and communication plan
  • Development of documentation required for business continuity at Customer to ensure recovery
  • Training and awareness for business continuity
  • Testing and exercising the business continuity plans
  • Effectiveness measurements of the business continuity plans
  • Continual improvement of business continuity in Customer

To learn more, contact our experts.