Molson Coors suffered a cyber-attack on March 11, 2021, that disrupted "its brewery operations, production, and shipments." By early April, the company reported to investors the company still wasn't operating at full capacity. In contrast, meatpacking giant JBS was able to recover operations quickly after bad actors attacked its servers. JBS shut down plants in three countries after hackers launched their attack on a Sunday, but it reported most plants back online by the following Wednesday.
The difference between the two? It comes down to the level of business continuity planning. A company's ability to continue essential functions during an attack—and quickly resume full operations afterward—is critical to minimizing the direct and indirect costs of the attack.
When it comes to being prepared for the expected, every organization—regardless of size— needs some level of business continuity planning. However, business continuity today is about more than just surviving a natural disaster or the loss of key personnel. According to the 2021 Data Breach Investigations Report (DBIR), small companies are nearly as likely to suffer a security breach as large companies. That's why your security program must address business operational continuity in the face of an active attack as well as how to recover fully once the incident is over.
The length of downtime a company suffers is a critical factor in how destructive the attack will be to a company's revenue, resources, and reputation. For example, in one survey, 40% of SMB respondents said they experienced at least eight hours of downtime due to a cyber breach. The average cost of that downtime was $1.56 million.
The goal of your security program's business continuity plan is to keep as much of your company operational as possible during an attack. This could mean protecting essential assets and functions not yet compromised by the attack. For those that are compromised, it means getting them back online quickly—in an alternate location, if necessary—even as the attack remains active.
Business continuity in the face of a cyber-attack is largely dependent on decisions your company made before the attack.
When setting up your security program, an early task is to identify what data, infrastructure, and functions are mission-critical. These are the assets that should get the highest level of protection from your security policies and controls. Yet, as part of your security program, a business continuity plan must go beyond mere asset protection. It must outline the steps and infrastructure for recovery, failover options, and other contingencies to minimize operational downtime.
As you make security policy and control decisions, business continuity needs to be part of the analysis. Here are a few key considerations:
Access management: Deciding how you'll manage to access your data and systems is critical to your company's ability to contain the reach of a hacker. A privileged access management (PAM) policy is the most restrictive approach regarding access and rights. Depending on the controls used, PAM can restrict access not only by user account but also prevent that user from further access to other systems. For example, suppose a bad actor hacks into a lower priority application on your network. In that case, PAM can prevent him from using that application to gain access to more critical areas of your network.
Data recovery: Ransomware attacks are growing. You can't minimize downtime by negotiating with (and waiting around for) an attacker to return control of your data. Instead, you can regain quicker access to your data by having daily data backups stored somewhere outside your company network. However, you may decide even daily backups are insufficient for some of your most important data. If losing a day's worth of your data is too much, you might choose to install disk mirroring for some systems.
Network diversity and redundancy: If you lose access to a critical system or function due to an incident, you need systems and controls in place that allow you to quickly switch or failover that function to a different part of your network or an unconnected network. Segmenting or virtualizing parts of your network can create secure places to which you can divert systems traffic or re-establish functionality.
Mobile devices: Stolen or lost mobile devices are a prime vulnerability for most companies. A PAM policy and controls can keep your network operational if an external device such as a smartphone is compromised. You may also create a security policy that enables remote wiping of any mobile devices with access to a business application or data.
These are only a few parts of your security program where you must consider business continuity needs. You can consult the NIST 800-53 security framework for more information on developing these and other contingency systems to strengthen your company's resiliency during a cyber-attack.
Business continuity and incident response are closely related and need close coordination, but they are not the same. Not every incident presents a severe or catastrophic threat to business continuity. Threat level assessment, which includes determining the scope and severity of an incident, needs guidelines that define when particular business continuity protocol(s) should be triggered.
The primary area where incident response and business continuity overlap during an incident is containment. Once a threat is detected and assessed, the first goal should be to contain it. A typical incident response for containing a severe threat is to take other systems offline. However, from a business perspective, this action means the organization loses access to the data and systems directly attacked and those taken offline as a defensive measure.
The business continuity portion of your security plan should focus on measures that shift the attacked and vulnerable operations, data, and systems into a safe mode. Having redundant, failover, and backup systems in place—whether on-premise or in the cloud—can facilitate this shift and get critical operational systems up and running with minimal downtime. Without such planning, your options for rapid recovery are limited, slower, and more costly to implement and likely will not provide as much operational or data recovery as you need or want.
Smooth crisis communication between the incident response and business continuity teams is critical. The communication plan covers how they communicate and collaborate on deciding which actions are appropriate, including specifying containment and recovery objectives, sharing realistic timelines for reaching those objectives, and providing ongoing updates. They also need to coordinate communications with employees, clients, and other stakeholders. The communication plan also needs to address the need for alternate communication channels should an attack compromise day-to-day channels.
Business continuity functions are also responsible for securing assets and business functions not compromised by the attack. Depending on the response plan, this may be accomplished by heightening the barriers between affected and unaffected systems, or by shifting the still-operational systems along with recovered assets and functions to alternative networks and workflows until the threat has passed.
Whether the crisis is a natural disaster or a cyber-attack, a strong business continuity plan allows your organization and its operations to quickly adapt to a threat, thereby minimizing business interruption, downtime, and costs. The longer critical data or systems remain unavailable, the more significant the impact on revenue and reputation, which both constitute long-term threats to your business's future.