Introduction

Why Is Business Continuity Important?

From 2003 to 2014, I gave an annual lecture on business continuity to information security students studying for their master’s degree at the Royal Holloway University of London. On one occasion and before I had even begun the lecture, a particularly difficult student (there’s always one, isn’t there?) asked me what business continuity had to do with information security. I explained that if he listened for a few minutes all would become clear. This he did, albeit rather grumpily.

After my introductory slides, I explained with several real-world examples just what can happen to an organization when information assets are damaged, stolen, or rendered unavailable. The point I was trying to get over was that it wasn’t only about the information and the systems that held it, but everything around that as well—the computer room and its supporting infrastructure; the building and its immediate environment; neighboring buildings; the weather; the political and economic constraints; and by no means least the people, and how a bizarre chain of events can sometimes contrive to cause unexpected problems.

One of my best examples related to an explosion at an oil storage depot a little way northwest of London in December 2005.[1] The explosion in itself was a major event, requiring the fire and rescue services of three counties to control and extinguish the subsequent fires, but it was a building several hundred metres away that suffered the particular information security impact. The heat from the fire was so intense that it caused a large and heavy air-conditioning unit fixed to the ceiling of the computer room to break loose and fall directly onto an even larger and more expensive mainframe which was processing extremely sensitive data. Unsurprisingly, the mainframe failed, but fortunately the disaster recovery system located about 30 miles away cut in immediately and both the data and the reputation of the organization were saved.

When thinking about protecting an organization’s information assets, it’s always worthwhile asking one simple question: “What could possibly go wrong?”

Could, for example, a loosely affiliated group of hackers take down the CIA’s website? Yes. A group known as Anonymous did so in 2012[2]—it was not the first time this had happened. Clearly, the CIA was able to respond quickly, and although it did not suffer any financial loss as a result, it did lose face.

Could another hacking group develop a piece of malware that encrypted the hard disk drives of systems all over the world and demand a ransom to unencrypt them? Yes—the WannaCry virus (attributed to North Korea) in 2017 did just this. Many organizations were totally unprepared for this kind of attack and suffered financial, operational, and reputational losses as a result.

Could a major government department still be using personal computers running Windows XP, 7 years after it had ceased to be supported by Microsoft? Again, yes—but on this occasion, I will spare them the embarrassment of naming them!

The answer then to the question “What could possibly go wrong?” is “Almost anything one could imagine, and quite a few things one might never have even thought of.”

Twenty years ago, no one could reasonably have imagined the aforementioned examples, but today all bets are off, and nothing would surprise me anymore.

So, what is the problem? Is it a lack of understanding of the issues at senior management level? Is it a lack of investment in securing an organization’s systems and services against cyber threats? Is it a lack of training of IT and security personnel? Is it a lack of awareness of users? Is it the result of work by extremely clever attackers? Is it the poor security design of IT systems and services? Actually, it is a combination of all of these, and possibly many more.

In recent years, an unprecedented number of major business-disrupting cyber incidents have occurred. Some of the organizations affected by these have survived them; others have not. The key to ensuring that your organization remains in the former category rather than the latter is a combination of information security or cybersecurity, and business continuity management, an increasingly important aspect of business life, but one that is frequently overlooked.

Why Should You Read This Book?

This book will not teach you how to become either a seasoned business continuity practitioner or a cybersecurity specialist; only time, training, and experience can accomplish these, but hopefully the book will point you in the right direction. It should not be thought of as a substitute for formal training for which there are many excellent courses available, but more as a guide to enable you to ask the right questions and as a result to make the right decisions.

Although it is now 5 years old, the International Standards Organisation’s (ISO’s) ISO 22301 is still the widely accepted business continuity standard, and some people will say that you should get to know it as soon as possible; well maybe not quite at this stage. ISO 22301 is rather like a manufacturer’s maintenance manual in the context of learning to drive a car. You don’t need a detailed knowledge of it in order to learn how to drive—and maybe not even afterward. You do, however, need to understand the mechanics of how to make the car go (and stop), change direction, and a hundred and one other things.

Likewise, you do not need to understand how to tailor the rules of a network firewall or modify the detailed security settings within a major business application, but you will find it useful to understand what the key issues are, and at least at a high level, how to deal with them.

If, in the fullness of time, you become a key player in your organization’s cybersecurity program, or even become the organization’s business continuity manager, then you will definitely need to understand the standards—and there are quite a few that might be relevant—but for the time being we shall discuss them briefly in a later chapter and provide additional detail in the appendices.

While it does not follow either publication to the letter, this book is based somewhat loosely around the Business Continuity Institute’s Good Practice Guidelines 2018, which have been updated to include cybersecurity issues, and the ISO’s ISO 22301:2012, which deals with the requirements for business continuity management systems. This was produced at a time when cybersecurity awareness was less well publicized than it is today, and hence does not deal with the issues directly, so I have also included relevant details from ISO/International Electrotechnical Commission (IEC) 27001:2017, which addresses the requirements for information security management systems together with its partner standard ISO/IEC 27002:2017, which defines the code of practice for information security controls.

This book—as its title suggests—aims to bring into a single source the closely interrelated disciplines of cybersecurity and business continuity, deals with the effects that cyber threats can have on an organization, and recommends steps that organizations can take to mitigate the risks.

The book won’t provide the reader with the fine detail needed to prevent or minimize the problems; that can be found in other more technical books,[3] but it will highlight the general steps that organizations can take, so that they are better prepared for when disruptive incidents arise and are able to deal with them swiftly, efficiently, and without there being an adverse effect on the organization’s brand, business, or public image.

What Do We Mean by Terms Related to Cyber?

While many people would imagine that it is a relatively recent term, cyber has actually been around colloquially since 1982, when the American science fiction author William Gibson coined the term cyberspace in a short story entitled “Burning Chrome”,[4] but he did not define it until 2 years later in his book Neuromancer[5] in which he describes it:

Cyberspace. A consensual hallucination experienced daily by billions of legitimate operators, in every nation . . . a graphic representation of data from the banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the nonspace of the mind, clusters and constellations of data.

Bearing in mind that this predates the development of the World Wide Web by Sir Tim Berners-Lee at CERN (the European Organization for Nuclear Research) in 1990 by 6 years, it is an extremely insightful concept.

The Global Cyber Definitions Database[6] defines the term cyber as “almost invariably the prefix for a term or the modifier of a compound word, rather than a stand-alone word. Its inference usually relates to electronic information (data) processing, information technology, electronic communications (data transfer) or information and computer systems.”[7]

Cyberspace is succinctly defined by the Department of Homeland Security as “the interdependent network of information technology infrastructures, that includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers.”[8]

Cybercrime is defined as “criminal activity conducted using computers and the Internet, often financially motivated. Cybercrime includes identity theft, fraud, and internet scams, among other activities. Cybercrime is distinguished from other forms of malicious cyber activity, which have political, military, or espionage motivations.”[9]

A cyberattack is “an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.”[10]

Cyber warfare is defined as “cyber-attacks that are authorized by state actors against cyber infrastructure in conjunction with a government campaign.”[11]

Cyber harassment has been defined as “the use of Information and Communications Technology (ICT) to harass, control, manipulate or habitually disparage a child, adult, business or group without a direct or implied threat of physical harm.”[12] It includes cyber bullying, cyber stalking, false accusation, victimization and posting such things as racist, homophobic, defamatory, or derogatory comments.

The Encyclopedic Dictionary of Public Administration defines cyber surveillance as “a mechanism for the surveillance of persons, objects or processes that is based on new technologies and that is operated from and on data networks such as the Internet.”[13]

Finally, cybersecurity is “the ability to protect or defend the use of cyberspace from cyber-attacks.”[14] This refers to information security as it is applied to cyberspace and is, therefore, slightly different from the wider concept of information security, which also includes tangible as well as intangible information.

Organization of the Book

The book is divided into nine main chapters. Furthermore, there are two appendices, a bibliography, and a glossary that provide additional supporting information.

Chapter 1 provides an introduction to the practice of business continuity management and its key focus in relation to cybersecurity. It describes the need for and the benefits of business continuity within organizations.

Chapter 2 provides a review of the underlying generic risk management process. A risk management approach underpins both the entire business continuity and the cybersecurity management processes. This chapter provides a review (as opposed to a detailed description) of risk management practice and explains the terminology used.

In Chapter 3, we examine the main cyber-related issues that cause business disruption—cybercrime, cyber harassment, cyber warfare, cyber surveillance, and cybersecurity failures.

Chapter 4 discusses how we might identify the organization’s information assets and their value. These information assets, together with the systems and networks that underpin them, are key to the ongoing ability of all organizations to operate successfully, and therefore a detailed understanding of them is required. This chapter describes the kind of assets most organizations possess and how to make a meaningful estimate of their value through the impact that their loss, damage, or destruction might cause.

Chapter 5 deals with the potential vulnerabilities that might enable a successful cyberattack against the organization’s assets and the threats that can take advantage of them.

In Chapter 6, we move to determine and implement an overall cyberattack prevention and response strategy. Once organizations have a clear understanding of their information assets and their value, they will be better placed to begin development of a strategy that will form the basis of action plans.

This chapter will deal with the two principal areas:

Prevention—the proactive side of business continuity and cybersecurity, which aims either to reduce the likelihood of a successful cyberattack by putting measures in place that stop such an attack or to reduce the impact of a successful attack.

Response—the reactive side of business continuity and cybersecurity, which aims to equip the organization for reacting quickly to a cyberattack that is not stopped by preventative measures but limits its impact and enables the organization to return as quickly as possible to a normal or near-normal operational status. Equally importantly, the response strategy also deals with how the organization should communicate with its customers, stakeholders, and, where necessary, government or sector authorities and regulators.

Chapter 7 examines the actual business continuity activities and solutions to cybersecurity problems. It covers the steps that organizations can take proactively to minimize or prevent successful cyberattacks, major activities such as disaster recovery, and finally how organizations should go about responding to disruptive incidents.

The chapter continues by describing how organizations should implement the preventative measures and turn the response strategies into contingency plans to be used when required.

In Chapter 8, we look at the methods of exercising, testing, maintaining, and reviewing plans relating to the cybersecurity aspects of the business continuity function.

An untested plan is not really a plan at all, and this chapter deals with various types of test and exercise that an organization might undertake in order to validate the effectiveness of its cybersecurity plans. It also covers the process of reviewing the results of tests and exercises in order to improve the plans in readiness for responding to real cybersecurity incidents.

Finally, in Chapter 9, we discuss embedding the culture of the cybersecurity and business continuity across the whole organization.

Unfortunately, some of an organization’s greatest risks arise from the individual users of information services within the organization itself. This chapter represents the final piece in the business continuity jigsaw—that of embedding the business continuity culture across the whole organization, so that it becomes a part of everybody’s daily responsibility and enables the organization’s users to be both a first line and a last line of defense against cyberattacks.

The appendices include the following:

  • Information on controls suitable for treating cybersecurity issues;
  • Links to national and international Standards and Good Practice Guidelines.

These are followed by the bibliography and the glossary, which gives a brief description of commonly used business continuity and cybersecurity terminology.

Author’s note:

After I sent the manuscript of this book to the publisher in early 2018, the Cambridge Analytica story went from “interesting” to “sensational” in a very short space of time. I had not included any reference to it in the book, simply because at the time it did not appear to constitute a significant cybersecurity issue. In hindsight of course, it most definitely does.

As the debate will doubtless continue well beyond the book’s publication, it would be pointless to speculate about the possible social, technical, and political repercussions, but what appear to be indisputable are the links between Cambridge Analytica, its parent group SCL, Aggregate IQ, Facebook, politicians on both sides of the Atlantic, and the misuse of millions of individuals’ personal information.

While you may think that your personal information is safe, think again—it most certainly is not, and you should not be surprised if so-called reputable organizations use it in ways you neither expected nor agreed to. The individual people and corporations who are responsible for this may say “sorry”, but whether they mean it or whether they will face any form of punishment remains to be seen.

Paraphrasing the words of the philosopher George Santayana, “Those who refuse to take account of the past are destined to repeat it.”

__________________

[1] See http://www.hse.gov.uk/research/rrpdf/rr718.pdf

[2] See http://www.telegraph.co.uk/news/worldnews/northamerica/usa/9076314/CIA-website-hacked-in-attack-claimed-by-shadowy-cyber-group-Anonymous.html

[3] See D. Sutton. 2017. Cyber Security: A practitioner’s guide (Swindon, UK: BCS). ISBN 978-1-78017-340-5

[4] W. Gibson. 1982. Burning Chrome (New York, NY: Omni magazine).

[5] W. Gibson. 1984. Neuromancer (New York, NY: Ace Books).

[6] See http://cyberdefinitions.newamerica.org

[7] See https://www.turvallisuuskomitea.fi/index.php/en/yhteiskunnan-turvallisuusstrategia-yts

[8] See http://niccs.us-cert.gov/glossary

[9] See http://www.dpc.senate.gov/docs/fs-112-2-183.pdf

[10] See http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf

[11] See http://www.ewi.info/idea/critical-terminology-foundations-2

[12] See https://www.ipredator.co/cyber-harassment

[13] See www.dictionnaire.enap.ca/dictionnaire/docs/definitions/definitions_anglais/cyber_surveillance.pdf

[14] See http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf
