Plan for the Worst: Cyber Contingency Planning
By: Bryan T. Newlin, CPA.CITP, CISA
It’s election day. We hope you voted, but here is something to read that has nothing to do with the election.
It’s no surprise that the issue of cybersecurity has boiled its way to the top of the pot of “things that keep us up at night” stew. The drumbeat of “protect your system” is loud, especially in regulated industries.
The deTECH team anticipates growing oversight around cybersecurity. Bankers are familiar with the FFIEC Cybersecurity Assessment Tool; in September, the FFIEC updated the Information Security section of the Information Technology Examination Handbook, and the agencies are heavily recruiting IT professionals. With this growing wave of oversight we are anticipating two areas that have historically been independent of each other becoming closely aligned-business continuity planning and incident response programs.
Data breaches have, to delight of the bad guys, become an afterthought to many of us. I received a letter in the mail recently that my information may have been compromised, and that I could enroll in free credit monitoring for a year. Yawn. I don’t even recall the company. I wish this were hyperbole. It’s not.
But this apathy comes fro
m the perspective of a consumer. For businesses, data compromises like lost email addresses, mailing addresses, and phone numbers now pile on with more sophisticated attacks like crypto-locker and distributed denial of service (DDoS). These attacks move beyond just implementing the incident response program. Responding to these attacks will need to include implementing components of your business continuity plan.
Consider crypt-locker. Also known as ransom-ware, this is a nefarious little piece of malware that automatically encrypts not only the compromised computer, but also mapped network drives, requiring a victim to pay a ransom to the bad guys who **might** provide the decryption key. The immediate response will be to implement the incident response plan. But if network drives were maliciously encrypted, important files are no longer accessible. Employees cannot perform their daily tasks. And if the issue is not stopped quickly backup files could also become encrypted and inaccessible. A well designed and tested business continuity plan would include provisions to handle an event like this, and have backed up data that is out of reach of a crypto-locking attack.
Similar issues arise with a DDoS attack. DDoS is a coordinated effort of botnet (zombie) computers sending huge numbers of requests to single websites or systems. You may have read about a recent DDoS attack that impacted several large internet companies. The most likely scenario for the deTECH readers is that a DDoS attack would occur at a DNS company or the vendor hosting key applications for your business. In this scenario, an incident response plan would only provide limited guidance because the problem is outside of your sphere of control, but employees cannot access key systems or service customers. Again, a well-designed business continuity plan would be enacted, manual operating procedures would begin, and both incident response and business continuity communications would occur.
So the takeaway this week-when the BCP refresh cycle comes around, Cybersecurity should be on the list of things to consider. Put it in the risk assessment, add provisions to respond to cyber incidents, include references to the incident response plan.
Learn more about our Risk Advisory Services Team
