“According to recent estimates, this global network of networks encompasses more than two billion people with at least 12 billion computers and devices, including global positioning systems, mobile phones, satellites, data routers, ordinary desktop computers, and industrial control computers that run power plants, water systems, and more. While this increased connectivity has led to significant transformations and advances across our country – and around the world – it also has increased complexity of our shared risk.” - Department of Homeland Security
Based on statistics from the Department of Homeland Security (DHS), it is critical for companies to establish business continuity plans associated with technology, and related applications. As technology dependencies become more ingrained in company operations, it is essential to institute company-wide best practices for computer security, downloads, and backups in order to secure necessary technologies and communications networks.
A company’s business continuity plan (BCP) should include processes related to critical technologies that may be lost or suspended due to an incident or cyber attack. A BCP is a vital tool that companies can use to plan for the restoration of normal operations after a business-disrupting incident. Incidents can create a temporary or permanent loss of infrastructure, critical staff, software, and/or vital records. According to the DHS, the increasing number of cyber attacks elevates the potential for critical data lapses or loss. Recent cyber statistics include:
- 68% increase in cyber incidents between 2009 and 2011 (Subcommittee on Cyber Security, Infrastructure Protection, and Security Technologies)
- Confirmation of cyber intrusion campaign targeting oil and pipeline companies (Janet Napolitano, DHS Secretary)
- Confirmation that the majority of companies in the energy sector had experienced cyber attacks, and approximately 55% of those attacks targeted control systems (Charles Edwards, DHS Deputy Inspector General)
- In 2012, DHS responded to 177 cyber control systems incidents, up from 9 in 2012
To counteract the increasing threat on critical technology infrastructure, DHS has developed CSET, Cyber Security Evaluation Tool. “CSET is a desktop software tool that guides users through a step-by-step process to assess their control system and information technology network security practices against recognized industry standards.” After a thorough evaluation, CSET then produces a prioritized list of recommendations for improving the cyber security and industrial control cyber systems. Each recommendation is linked to a set of actions that can be applied to enhance cyber security controls.
In 2012, over 1,000 companies utilized CSET to evaluate cyber security measures. Sectors with the highest number of self-assessments include: water and water treatment, energy, transportation, commercial and government facilities, and public health or health care. By leveraging the CSET application and Control System Security Program onsite consultation opportunities, companies can mitigate cyber security issues and increase the potential for business continuity. Some key business continuity benefits of the programs include:
- Highlighting vulnerabilities in a company’s system(s) and providing recommendations of mitigation efforts
- Identifying areas of strength and recommended practices being followed in the organization
- Providing a method to systematically compare and monitor cyber systems improvement
- Informing a risk management and decision-making process
- Raising awareness and facilitating discussion on cyber-security within the organization.
According to the Business Continuity Institute online survey conducted in December 2011, the top identified threat from conducting a thorough risk assessment was an unplanned IT or telecommunication outage. However, the top three identified threats were all related to the viability of technology, highlighting the need for technology-associated business continuity efforts.
Here are the top three threats from Business Continuity Insight survey:1. 74% - Unplanned IT and telecommunications outages
- Departments or business units should define workaround procedures, or alternate processes, to support critical process recovery until key systems and applications have been restored.
- Ensure all business documentation, records, and files necessary for resumption and recovery purposes are backed up and stored/located safely away from the primary office facility to minimize data loss.
- Identify alternate methods of communication: landlines, cell phones, satellite phones.
2. 68% - Data breach (i.e. loss or theft of confidential information): Organizations need site specific data security solutions that can detect, prevent, and continually audit interactions with sensitive data. Through continual monitoring of file and application access, organizations can minimize theft of confidential information.
3. 65% - Cyber attack (e.g. malware, denial of service): Companies should follow security best practices and implement practical and effective safeguards to mitigate internal and external attacks.
Each department should be responsible for assessing computer and software needs when developing critical process recovery strategies, and obtaining the review and input of the IT Department in support of any identified computer and software recovery time objectives.