Media organizations, multinational companies, and government agencies have all been victims of recent cyber attacks. February’s highly publicized 60-page Mandiant report, entitled APT1: Exposing One of China's Cyber Espionage Units, revealed evidence of cyber data theft from nearly 141 organizations. It was “beyond a shadow of a doubt” that the Chinese government and military are behind growing cyber attacks against the United States, said House Intelligence Committee Chair Mike Rogers.
The 2013 Global Risk Report ranks cyber attacks in the “Top Five” incidents most likely to occur within the next ten years. According to the report, cyber attacks and critical system failures are considerable technological risks to companies and organizations across the globe.
As technology dependencies become more ingrained in company operations, it is essential to institute company-wide best practices for computer security, downloads, and backups in order to secure necessary technologies and communications networks. A company’s business continuity plan (BCP) should include processes related to critical technologies that may be lost or suspended during an incident. A BCP is a vital tool that companies can use to plan for the restoration of normal operations after a business-disrupting incident. Incidents can create a temporary or permanent loss of infrastructure, critical staff, software, and/or vital records.
Identifying the procedural details of computer backups, data restoration methods, and minimum software requirements is crucial to re-establishing technology-related critical business processes. The Department of Homeland Security’s Cyber Exercise Program (CEP) can assist companies in developing protocols to evaluate their cyber incident preparation, mitigation, response, and recovery capabilities.
Companies should address the following DHS cyber security points to ensure business continuity:
- Is cyber preparedness integrated with your current all hazards preparedness efforts?
- Who are your cyber preparedness stakeholders (public, private, non-profit, other)?
- Are cyber security risk-based policies established in your organization?
- Does your organization ensure that service providers and vendors that have access to your systems are following appropriate personnel security procedures and/or practices?
- Does your organization integrate cyber security into the life cycle system (i.e., design, procurement, installation, operation and disposal)?
- Are audits conducted on cyber security systems?
- Are cyber security plan requirements in place, and are they being adhered to?
- Are all systems compliant with company and/or cyber security plan requirements?
- Does your organization have an asset inventory of all critical IT systems and a cohesive set of network/system architecture diagrams or other documentation (e.g. nodes, interfaces, and information flows)?
- Upon being notified of a compromise/breach of security regarding an employee:
  - Who is notified?
  - What steps are followed to ensure this individual’s access to facility and/or equipment has been terminated?
  - What steps are followed?
  - Should legal representation be sought, and at what point?
  - Who determines if the employee should be held criminally responsible?
- Are there policies (formal and informal) pertaining to removable storage devices?
- What is the priority of cyber preparedness, including cyber security, in your organization?
- What level of funding and/or resources is devoted to cyber preparedness?
- What are your estimated losses if a cyber attack were to terminate system functionality?
- What are your critical business unit software requirements?
- What are the procedures for backing up and restoring data?
- How often are security patches applied?
Cyber exercises are an essential tool for organizations to evaluate their cyber incident preparation, mitigation, response, and recovery capabilities. The exercise environment allows stakeholders to simulate real-world situations, to improve communications and coordination, and to increase the effectiveness of broad-based critical infrastructure protection capabilities without the consequences of a real cyber event. These types of exercises can also be used to educate employees on the technological policies and procedures used to counter cyber attack strategies. DHS identifies two types of exercises that can aid in the advancement of cyber security.
Discussion-based exercises:
- Familiarize participants with current agreements and procedures or assist in the development of new plans, agreements, and procedures
- An effective method for bringing together key response team leaders common in mid- to large-scale cyber events
- Easier to conduct, especially when multiple response team leaders participate using a variety of collaboration and video teleconferencing technologies
Operations-based exercises:
- Validate agreements and procedures, clarify roles and responsibilities, and identify resource gaps in an operational environment
- May include the use of simulated network environments, “live-fire” events, and active adversary forces to produce realistic scenario inputs and effects
- Generally involve mobilization and response as opposed to policies and procedures
By exercising the key points of interaction between IT and other corporate response elements, gaps and shortfalls in company cyber security and incident response operations can be identified. To ensure business continuity, there must be a mutual understanding between IT personnel and crisis managers regarding their respective roles, available resources, and response measures during events caused by cyber disruption.
For tips and best practices on designing a crisis management program, download Tips for Effective Exercises.