Evolution of BCP and crisis management to answer cyber threat (By Xavier Fauquet, Formind)

Introduction

The typologies of recent cyber-attacks and the multiplication of attacks push BCP managers in coordination with SSI managers to review and adapt their BCP strategy and crisis management organization. Those changes aim in particular to answer the following questions:

1. Does my BCP, which has been set up to mitigate major “classical” disaster, also respond to a major cyber crisis?
2. Can my BCP be a factor of aggravation of a cyber crisis ?
3. Is my actual crisis management adapted to the management of a cyber crisis?

And more broadly, the CISO and BCP manager must answer the board members the following question: « Are we cyber-resilient? ».

BCP and Cyber threat

BCPs have usually been designed to respond to « classic » major disasters but do not take into account the specificities of a cyber-attack. Thus, in order to assess the ability of a BCP to participate in the response to a cyber-crisis, it is necessary to investigate the following elements and to update the BCP accordingly:

1. What types of attacks could affect the viability of my IT disaster recovery plan (IT DRP) and on which perimeter? The IT DRP has usually been designed to allow continuity of critical activities with automatic replications and backup of critical systems, even real-time data replications. This type of solution can thus facilitate the propagation of a cyber-attack, leading to the failure of IT DRP in the event of a coordinated attack.
2. When running the BCP, when restarting systems, how do I ensure the integrity of my systems? A cyber-coordinated attack usually last for a long time, with potential hacking of systems several month before the detection of the cyber crisis.
3. What are the possible additional specific solutions to be implemented to counter cyber-attack scenarios? The technologies on the market are evolving rapidly to provide new flexible responses to very specific scenarios, such as the availability of virtualized workstations to replace a compromised set of workstations.
4. Are BCP stakeholders aware of the specificities of the deployment of a BCP following a cyber-attack:
5. For IS stakeholders, more than for any other disaster, it is necessary to ensure that a maximum number of evidences are kept and that the integrity of all the elements used to restart a system is checked,
6. For business stakeholders, they need to be strongly involved in the checking of system integrity, taking into account the specific objectives of a cyber-attack (fraud, destabilization, theft of data etc …).
7. Can I detect specific attacks on my BCP? My BCP can be an entry point used by the attacker, whether it is to hack, not during a disaster, into my systems or during a disaster by taking advantage of the weaknesses introduced by a BCP mode. It is necessary to ensure that security watch implemented also covers the elements constituting the BCP.
8. Has my PCA been tested to withstand cyber-attacks? The test scenarios must evolve, making it possible to test the capacities of anticipation of the teams when detecting suspicious events but also the reflexes in case of a real crisis (conservation of the evidence, containment, analysis of impact, etc …)

This BCP update requires a strong cooperation between BCP and IS Security teams, in order to share best practices to be applied to solve this type of crisis.

Cyber crisis management

Beyond the BCP aspects, the crisis management organization must also adapt to take into account the specificities of a cyber-crisis on several axes:

1. Ability to technically analyze the cyber-attack and to propose solutions: often overlooked, a security expertise unit becomes a key element for the analysis of the situation, the reporting of relevant information and the development of solutions to contain the cyber-attack.
2. Ability to analyze business impacts: the potential impacts of a cyber-crisis are often wider than a traditional crisis, including the management of massive data leakage or the obligation to close a service to preserve future business continuity or limit impacts. This means having the people able to carry out this type of analysis around the table and being prepared to do this type of analysis.
3. Ability to identify the motivations of the attacker. A cyber-attack is usually not free and has specific goals (destabilization, ransom demand, data theft, etc.). Understanding the attacker’s goals is a key point in management of the crisis and requires an upstream analysis of internal and external threats.
4. Time management: a cyber-crisis usually extends over a long period of time, with a significant risk of uncertainty as to the real resolution of the crisis … This requires a mobilization of various stakeholders over time but also an adapted internal and external communication.

Ultimately, the management of this type of crisis and the rise for the need for cyber-resilience require:

1. Close cooperation between IS, BCP, ISS and business stakeholders, with the need to carry out coordinated joint analyzes,
2. Awareness and strong sponsorship by the General Management