By Gabrielle Lamarche, CBCI, ACRP (special collaboration)
There’s no denying that IT security incidents are becoming increasingly frequent. Such incidents can have a wide range of consequences within an organization. Indeed, the repercussions can affect the availability of information, its confidentiality, the integrity of data, and even the availability of essential equipment, in each case with consequences for an organization’s ability to maintain operations.
What do three situations, each of which took place in 2024, reveal?
- In July 2024, the IT incident involving CrowdStrike, the source of the Microsoft outage, made international headlines. Several organizations around the world were left unable to access their computer systems, which notably led to the cancellation or postponement of several flights in the United States.
- In May 2024, a cyberattack targeting a college’s servers interrupted its operations. The consequences of this cyberattack restricted not only computer access to the college’s various platforms, but also physical access to its four establishments.
- In early 2024, an ambulance service’s dispatch system had to activate business continuity procedures following an IT security incident, resulting in a loss of access to crucial information transmitted between dispatch centers and ambulance computers. In particular, the priority codes essential for determining interventions and the locations of vehicles in the territory were no longer accessible, which affected the ability of teams to respond to situations reported to the dispatch center.
These three distinct examples highlight the variety of consequences that IT security incidents can have, directly affecting the ability to maintain operations. All types of organization can be targeted and impacted by this type of incident. But how can an organization prepare, and what does it need to consider in order to be properly prepared?
One concept that embraces these questions is cyber resilience. This principle aims to establish collaboration between various teams with a view to integrating cybersecurity measures into business continuity documentation and processes.
In this article, we focus on the importance of incorporating cyber resilience into your business continuity plans. As such, we will limit ourselves to certain aspects, by dissecting the definition of cyber resilience as put forward by the Disaster Recovery Institute Canada (DRI Canada).
What is cyber resilience?
According to DRI Canada, cyber resilience is the ability of an entity to continuously deliver its products and services, despite adverse IT incidents, by actively protecting against known or potential threats; planning for application and data recovery; adapting to evolving threats; effectively training staff on existing threats; and ensuring that response plans are kept up to date and exercised.
First of all, to achieve the goal behind this definition, it’s essential to develop and strengthen multi-sector collaboration between IT teams, such as cybersecurity, and the teams responsible for business continuity within the organization. Here are some essential elements of cyber resilience to think about:
“The ability of an entity to continuously deliver its products and services, despite adverse IT incidents.”
- Are the organization’s priorities known by each team? It is important that priority activities have been identified and communicated, so that the various teams are coordinated in their efforts to restore the affected activities. These priority activities are identified by conducting a business impact analysis.
“By actively protecting against known and potential threats”.
- What risks is the organization exposed to, and what measures are in place to limit them? This aspect highlights the importance of developing a risk analysis in partnership with the IT teams involved, to understand the risks and the measures in place for this component. This will help determine priorities in terms of preparedness, organizational protection and continuity strategies to be developed.
“By planning application and data recovery”.
- This comprises two strategic strands, the first focusing on cybersecurity measures to recover affected instances and resources. The second involves developing business continuity measures to enable business to continue, possibly in degraded mode.
- Can the strategies developed be used by users? It’s not uncommon to find that the strategies proposed involve switching to a new system or reusing old paper forms. However, these choices need to be questioned further, by validating that stakeholders will know how to use these methods. Implementing these measures requires preparing users in advance, so that the measures can be deployed as quickly as possible.
- What are the dependencies, and will they be able to adapt to the strategies put in place? Although strategies have been designed and developed for the organization, it is also important to know whether external partners will be able to adapt to them. So it’s important to establish relationships with them before an incident occurs, to communicate and validate that it will be possible to maintain activities in the event of an IT incident.
“By effectively training staff on existing threats”.
- Are employees aware of the impact of an IT security event, and prepared to detect it? Educating and preparing employees and responders remains a first line of defense, and it enables the prompt deployment of measures to limit the effects of this type of incident on an organization.
“By ensuring that response plans are kept up to date and exercised”.
- Can the plans be deployed and exercised? One way of checking whether the measures put in place are realistic and adequate is to carry out tests and exercises involving all the organization’s stakeholders who could be called upon, as well as external partners if possible. It’s also an opportunity to continually improve response strategies and structures.
Limitations
When beginning the process of increasing an organization’s cyber resilience, certain realities and factors need to be taken into account that could influence the decisions, workarounds and even strategies to be deployed.
- Network integration: This refers to the interweaving of certain functionalities within the technology, such as surveillance systems, access control via a system, or the use of IP telephony, which may no longer be usable in the event of a computer security incident. An inventory of these integrations makes it possible to anticipate the issues at stake and the systems impacted in the event of an incident.
- Technological dependence of processes: The processes required to produce goods and services are in most cases dependent on some form of technology. In such cases, we need to anticipate possible impacts and protect ourselves with more resilient systems, taking into account requirements in terms of availability, integrity and confidentiality of the information processed by these processes. The different fallback options, such as backups and secondary systems, need to be thought through in relation to the organization’s internal and external needs.
- Technological knowledge: Considering that technology and systems are an integral part of processes, it’s only natural that users should be trained, accustomed to and dependent on this technology too. Indeed, many trades integrate these technological realities into their training programs. However, this implies that, in the event of losses, it is not possible to assume that pre-technological methods, or rather old working methods, will be familiar to all and can be easily deployed in the field.
- Stakeholder dependency: It is not uncommon for the technology deployed to enable liaison with external partners, whether for the receipt and dispatch of purchase orders, for example, or for the transmission of transaction-related information. This type of dependency may not be compensated for or maintained with an internally developed solution such as sending paper forms or faxes. Indeed, the partner may not be able to accept the solutions for various reasons, such as its protocols not allowing it, or even the volume of exchanges being too great to be able to integrate them. In such cases, it’s essential to communicate with your partners and take them into account when considering workarounds.
In conclusion, a liaison between the teams responsible for an organization’s continuity and those responsible for IT is essential to increase an organization’s cyber resilience. The need to build and maintain this relationship must be emphasized in order to increase preparedness for this type of event. In addition, integrating this aspect into the organization’s business continuity documentation also helps to strengthen preparedness for these incidents, which are becoming increasingly frequent.
If you’d like to start or continue thinking about how to increase your organization’s cyber resilience, or even plan tests and exercises as part of your preparedness process, contact Benoit Racette Services-conseils inc. today at [email protected]!