As cybersecurity professionals, we spend much of our time exploring the best ways to avoid security incidents.
After all, if you can manage cyber risk effectively, you’re much less likely to suffer a breach. But no organisation is ever 100% safe from hackers. The last few months have underlined that attacks can hit anyone, from telecoms giants and big security names to national agencies.
Incidents may have headline-grabbing impacts such as stolen data or ransomware payments. But the disruption to your organisation’s core functions can be far more damaging than any direct loss. Unexpected downtime can cripple your business, and recovery is often costly and time-consuming. Effective continuity planning can help your organisation smooth the fallout from a cyber incident – but it needs to be optimised to your business, to be regularly tested, and to have buy-in across your organisation.
Continuity means maintaining your critical functions as an incident unfolds
You’ll hear two terms commonly used in this area: business continuity and continuity of operations. They’re sometimes used interchangeably, but they refer to different aspects of continuity. Business Continuity Planning (BCP) focuses on keeping your business and its ability to serve customers (and profits) intact, perhaps with the help of third parties. Continuity of Operations Planning (COOP) concentrates primarily on keeping your existing systems and processes running, building up the resilience of your own operations.
The Australian Cyber Security Centre (ACSC) defines business continuity as “a set of planning, preparatory and related activities which are intended to ensure that an organisation's critical business functions will either continue to operate despite serious incidents or disasters that might otherwise have interrupted them, or will be recovered to an operational state within a reasonably short period.” Related plans include disaster recovery (which focuses on recovering systems and data) and incident response (which includes communications and other next steps).
Continuity of operations is becoming a key part of business planning
Businesses have always had to plan for cataclysmic events, from fires to pandemics, but in light of growing cyber risks, the market for continuity planning solutions is growing rapidly. According to research by Acumen, the Global Business Continuity Management Market Size accounted for USD 510 Million in 2021 and is estimated to achieve a market size of USD 1,811 Million by 2030.
Cybercrime is growing year on year (the ACSC recorded an attack every seven minutes in 2022, an increase of 13% from 2021) and ransomware is evolving into more dangerous variants. Key impacts include unplanned downtime, reputational damage and lost data and systems. In many regulated sectors such as finance, continuity plans may even be mandatory.
With criminals circling, regulations tightening and customers increasingly expecting on-demand services, it’s not enough to have a continuity plan on paper – you need to continually ensure it is fit for purpose in practice.
A continuity plan should lay out a full range of scenarios
A continuity plan will lay out clear responses to different scenarios of varying degrees of severity, including a full breach, malware incursions, denial of service attacks, insider incidents and emergency patching. It should cover containment, eradication and recovery. And the planning process should involve your whole organisation, including the C-suite, communications, legal and IT teams. It should be informed by an audit that can identify potential vulnerabilities and mission-critical functions so these can be focused on while less crucial services remain offline.
Your continuity plan will be more effective if it is:
- Honest and realistic about the time and resources needed to hit its objectives.
- Regularly tested against a wide range of scenarios, based on past incidents and threat intelligence.
- Clear on which incidents need to be reported and escalated, and what the next steps are, with all contact information and relevant stakeholders listed.
- Wise to wider incidents that might begin with suppliers, cloud services or other third parties.
- Aligned with security and IT functions, such as monitoring. If those functions change, your plan should be updated, and vice versa.
- Informed by relevant regulatory frameworks.
The continuity plan is only the beginning
A continuity plan is just one aspect of cyber resilience. Lessons learnt during regular testing should feed into your workflows and strategy. Indeed, if you design essential functions and infrastructure with resilience in mind, you can bake continuity of operations into your systems. Key measures here include:
- Frequent backups of historical data.
- Data replication, in which critical data is stored in multiple repositories for quicker recovery.
- Storing “gold image” templates of critical systems, as well as source code and executables, to make rebuilding them easier.
- Building surplus capacity into your network.
- Segmenting IT and OT (Operational Technology) networks to stop attacks spreading and ensure key operational systems can be isolated or managed manually.
- Making agreements with third parties to restore functionality (such as Disaster Recovery as a Service, DRaaS) or take on business functions after an incident.
- Using automated solutions, such as cyber recovery testing and validation, to accelerate recovery.
- Tightly controlling user and application access using a model such as a zero trust framework, which limits the damage attackers can cause by validating access to every service and data point.
Responding in the heat of the moment can be risky
The ACSC breaks down a set of responses if you are affected by a cyber incident and has a list of reporting guidelines and next steps. Immediate measures include isolating any infected systems and disabling their networking capabilities, before powering off and segregating other devices that share the network and ensuring (ideally with an antivirus scan) that your backups are secure.
This can only happen if there are well-rehearsed systems and processes already in place. Organisations that rely on their instincts are much more likely to make the wrong call in the heat of the moment, resulting in very costly and time-intensive fixes down the line.
Incident response and disaster recovery plans will cover the immediate steps after disaster strikes, and should be aligned with (or even nested within) your continuity plan. The next steps should be mapped out, with relevant teams and stakeholders primed to get critical functions back online fast.
Preparation is the best defence
However you prepare, you must do it well. The ACSC, CERT NZ and the Business Continuity Institute (BCI) all offer advice. But while boilerplate templates are a great place to start, to be truly resilient organisations must run continual audits, risk assessments and test scenarios. That will help you get critical functions running again to limit the damage to customers and shareholders, as the rest of your organisation gets its breath back.