Business disruption is inevitable today. And increasingly it’s down to cyber incidents. Attacks caused $10.3bn in losses last year, in cases reported to the FBI alone. Even this figure is likely to be just the tip of the iceberg. With so much at stake, organizations need to look at ways to minimize the downtime that can result in serious financial and reputational damage.
This is where business continuity planning (BCP) comes in. Where cyber risk is concerned, organizations looking to minimize disruption would be wise to consider data-centric security as part of a multi-pronged strategy.
Why BCP matters
Business continuity is defined by the UK’s Business Continuity Institute as: “The capability of an organization to continue the delivery of products or services at pre-defined acceptable levels following a disruptive incident.”
An incident could be anything from a flood to a utilities outage that takes out a data center. It could also be a supply chain failure, many of which occurred during the pandemic. But increasingly it’s the result of a serious cyber-attack. These also vary in type, from a ransomware compromise, which can lock down files until a fee is paid, to a distributed denial of service (DDoS) attack, which might make online infrastructure unavailable for a period.
Increasingly, such attacks are focused on data theft—whether they’re the work of a nation state, hacktivist group or financially motivated cyber-criminals. Ransomware has become a leading cause of such incidents, driven by cybercrime. In fact, a quarter (24%) of data breach incidents investigated by Verizon over the past year were traced back to ransomware.
Organizations must focus on BCP in this context not only to minimize financial and reputational damage, but also to ensure compliance with transnational regulatory mandates. The EU’s NIS 2 will force operators of essential services in various sectors to ensure continuity of operations in the event of a serious attack. They will need a verifiable incident response plan to ensure rapid recovery.
What should a cyber BCP include?
A BCP should cover the entire business. But IT systems are such a key component of business operations that it may make sense to draw up a specific plan on how to tackle cyber-threats. Consider the following checklist:
- Put a team together: Include stakeholders from across the business, clearly assigning each with specific roles and responsibilities.
- Carry out a cyber-risk assessment: This will uncover where the main cyber-related risks are and what the overall financial, operational and regulatory impact of a breach could be. Be sure to include the extended supply chain in any such assessment.
- Perform a Business Impact Analysis (BIA): This will enable the organization to dive deeper by uncovering each impact caused by disruptive events. Ultimately, the exercise will enable the enterprise to work out how to recover from such events, and which business functions and processes to prioritize.
- Test and monitor: After working through the above steps, it makes sense to test enterprise systems to check whether plans need to be revised. After that, it’s a case of continuous monitoring to ensure the BCP is always fit for purpose.
Why data-centric security matters
A BCP will probably include proactive measures like security awareness and training, patch and vulnerability management, multi-factor authentication and perimeter security. But defensive measures are never 100% successful. This is where data-centric security comes in. By automatically discovering and classifying data across the enterprise and then applying strong protection, organizations can greatly limit the impact of a breach. That will help to minimize the time and resources spent on the following major post-breach costs:
- Breach detection and escalation
- Breach notification
- Post-breach response, including regulatory fines and legal costs
- Lost business including immediate disruption, lost customers and inability to recruit new customers
In short, applying data-centric security such as tokenization means critical data can remain in use by the business even if it has been accessed by threat actors, because what they obtain are tokens rather than the underlying values. It means breached organizations can quickly recover and restore systems, keeping the recovery time objective (RTO) short and maintaining operational resilience.
- Reducing the financial impact of a data breach by rendering any stolen data useless to hackers ($5.4m)
- Simplifying auditing and compliance by, for example, taking data out of the scope of PCI DSS (over $1m)
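To make the tokenization point above concrete, here is an added example (not code from the article or any vendor product) of a vault-based token scheme: the order system stores only random tokens, so an exfiltrated copy of it holds no card numbers and falls outside PCI DSS scope, while the business keeps operating on the tokens. The `TokenVault` class, the crude PAN regex and the sample orders are all constructed for illustration.

```python
import re
import secrets

# Constructed example (not the article's code): vault-based tokenization.
# The vault alone holds real values; other systems store opaque tokens.
class TokenVault:
    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value: str) -> str:
        """Map value to a random token; the same value always gets the same token."""
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            # Random core plus the last four digits, so receipts and support
            # screens keep working without the full number being present.
            token = f"tok_{secrets.token_hex(6)}_{value[-4:]}"
            if token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callers with vault access can recover the original value."""
        return self._token_to_value[token]

# Crude scope check: any 13-19 digit run is treated as a card number (PAN).
PAN_RE = re.compile(r"\b\d{13,19}\b")

def contains_pan(records) -> bool:
    return any(PAN_RE.search(str(v)) for r in records for v in r.values())

# Constructed sample orders with made-up test card numbers, not real cards.
SAMPLE_ORDERS = [
    {"order": 1001, "pan": "4111111111111111"},
    {"order": 1002, "pan": "5555555555554444"},
    {"order": 1003, "pan": "4111111111111111"},  # repeat customer
]

def demo():
    vault = TokenVault()
    # What the order system (and anyone who exfiltrates it) actually holds.
    app_db = [{**o, "pan": vault.tokenize(o["pan"])} for o in SAMPLE_ORDERS]
    # Authorized detokenization restores the originals for the few systems that need them.
    restored = [{**o, "pan": vault.detokenize(o["pan"])} for o in app_db]
    return app_db, restored
```

Running `contains_pan` over the raw orders and over `app_db` shows the difference a breach would make: the raw records are in scope, the tokenized store is not.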
According to IBM, 83% of organizations have had more than one data breach. That means it’s not a case of if, but when, the next attack strikes. When it does, data-centric security can be a force multiplier for enhancing business continuity.