
teissTalk: Resilience as a business outcome

On 13 November 2025, teissTalk host Thom Langford was joined by Scott Hardy, CISO, Sargent-Disc; Tamara Kaye, Group Director - Resilience, Ardagh Group; and Sam Woodcock, Sr. Director, Solutions Architecture - EMEA, 11:11 Systems.


Views on news


The Washington Post was also impacted by the data theft and extortion campaign targeting Oracle E-Business Suite customers, which compromised human resources data on nearly 10,000 current and former employees and contractors. The newspaper is among dozens of Oracle customers targeted by the Clop ransomware group, which exploited a zero-day vulnerability affecting Oracle E-Business Suite to steal heaps of data. The Washington Post couldn’t have done more, as the breach happened through a third-party platform. The incident also shows that big-name platforms can’t be blindly trusted either. Although you can contractually oblige your software suppliers, you can’t realistically audit every element of your supply chain. There are practices, though, that can reduce the scale of damage that a zero-day attack can cause: segmentation, role-based access and zero trust. Proactively searching for threats rather than waiting for a system to flag them up can strengthen defences too. There are industries where patching is more of a challenge, as they can’t have downtime. Ideally, any organisation should have the right balance of people and technology to keep systems secure.


More regulation or stronger guardrails


The initial steps should always be identifying critical assets and establishing which of those are exposed to high risk, as well as the risk tolerance level of the organisation and its expectations regarding recovery points and times. Rather than shifting all the responsibility to CISOs, senior leadership should decide what cyber risks the business should mitigate, as well as take ownership of their decisions. Business impact analysis shouldn’t be a tick-the-box exercise but an engaging, dynamic one. Recovery, meanwhile, is meant to be a leap forward, involving not only rebuilding systems but also delivering a more resilient and secure business. Ideally, manufacturers should have a disaster recovery area where they can run tests without affecting production, while a wide range of non-intrusive testing tools are also available.


As most functions are affected by downtime in their own particular way, disaster recovery must be a collaborative exercise done repeatedly to build muscle memory. Have your disaster recovery playbook ready offline and keep your minimum viable documents on hand, preferably in a physical format as well. These may help you keep going for a week or so while other things are sorting themselves out. Make sure you have the right manual workarounds and that all the key documents you need for business continuity are accessible. Businesses should also bear in mind that cyber attacks are not the only reason a system goes down: a fire, for example, could break out in a data centre, so health and safety should also be integrated into exercise plans.

 

Switching off parts of an enterprise system is key to practising how to maintain business continuity. However, not all companies can afford to have Netflix’s Chaos Monkey, which disables production instances randomly to check whether a particular type of failure would impact customer outcomes. But even with the best intentions and the desirable frequency of testing, there will always be certain types of attacks that can’t be anticipated.


The panel’s advice

  • One of the key steps at the start is defining minimum viable business – the functions that must be running when a cyber attack happens. You must check on an ongoing basis whether the emergency processes in fact work – including people, systems and technologies, on-prem data centres and manual workarounds.
  • Non-intrusive testing tools encourage more testing and validation and can breed more confidence.
  • Business continuity plans are a tactical thing, while resilience reflects an organisational leadership perspective: resilience is the outcome, while the business continuity plan is the tool enabling its delivery.  
  • Tabletop exercises have some great outcomes but are purely theoretical.
  • Businesses have one business continuity exercise per year on average – and many have fewer than that.
  • Start with your key core application and keep testing and validating it to see how recovery times could be improved. 

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543