Question
Business Continuity Management for cyber attacks
How does BCM help you prepare for and address potential cyber attacks?
Managing cyber risk and resilience should be a continuous process enabling an organization to react quickly to an attack and limit its impact. Establishing a computer security incident response team (CSIRT) supports efficient crisis management. The CSIRT coordinates response activities and processes – including across all relevant departments within the organization – to deal with intrusion detections. The performance, speed and efficiency of a CSIRT relies on the resources available, which should ideally include:
- Organizational setup: A framework of policies, standards and procedures should be established to guide the decision-making processes and resource allocations in line with the business objectives defined by leadership.
- The human factor: Assigning qualified staff to the right roles and ensuring that everyone understands their roles and responsibilities is central to the cooperation needed in case of cyber disruption.
- Effective tools: Suitable technological solutions and infrastructure enable people to focus on the most important parts of their work and be as effective as possible. For example, a tailored security information and event management (SIEM) system can collect and analyze data from various sources to identify potential security incidents. This reduces the need for manual monitoring and improves the effectiveness of detection and analysis during an attack, and also enhances forensics and evidence gathering.
Continuous monitoring of an organization to detect vulnerabilities and cyber attacks allows the incident response plan to be triggered in case of an attack, which is an important aspect of BCM. There are also various regulatory requirements governing cyber risk and resilience management: the FINMA Circular 23/1 “Operational risks and resilience” (specific to banks in Switzerland) and two European regulations, namely the Digital Operational Resilience Act (DORA) and the Network and Information Security Directive (NIS2), which apply to financial institutions based in the European Union. These regulations require that financial institutions identify threats, implement protective measures, monitor for cyber attacks, develop response procedures and ensure prompt recovery of business operations.
Question
Adapting cyber resilience to the latest risks
How do you ensure your cyber resilience plans are aligned to the most recent cyber risks?
Lessons learned and improvements made following incidents – as discussed in the previous section – are especially important to avoid being overwhelmed twice by similar incidents or vulnerabilities. But organizations like financial institutions shouldn’t only rely on past experience. Cyber criminals often attack organizations that are similar to one another, using techniques they have learned from previous events. It is therefore crucial to be able to prevent the most common attacks, especially those occurring against direct peers or competitors.
Considering this fact, organizations should not simply maintain a reactive state but preferably be proactive to mitigate the most recent cyber risks before even being targeted. This can involve staying up to date on the latest cyber threats, vulnerabilities and attack techniques as well as implementing appropriate security controls and measures to mitigate the corresponding risks.
Additionally, it is important to have a well-trained and informed workforce that understands the importance of cybersecurity and can help mitigate risks through safe cyber practices. This can be achieved by training employees on best practices for securing data and systems and conducting organization-wide cyber awareness campaigns. More generally, leaders should promote a culture of security awareness throughout the organization.
Overall, being proactive in addressing the most recent cyber threats involves a combination of staying alert, implementing best practices and training employees on safe cyber practices. This should always be accompanied by regular assessment and testing of the security measures in place.
Question
Effective incident response
How do you guarantee the effectiveness of your incident response plans and processes?
Performing cyber incident simulations (CIS) is essential to ensure that incident response plans and processes are effective. In general, a CIS conducted as a tabletop exercise or real-case simulation. While tabletop exercises involve walking through a hypothetical scenario and discussing how the organization would respond, simulations include running a mock attack to test the organization’s response capabilities.
It is important to identify any gaps or weaknesses in the incident response plan during testing in order to make necessary adjustments. Testing can also help identify areas where employees need additional training or resources to effectively respond to cyber incidents. For example, it might be helpful to define in more detail the roles and responsibilities of different team members in responding to an incident to ensure that everyone knows what they are responsible for and what actions they need to take. As communication is critical during a cyber incident, the incident response plan should include procedures for communicating with different stakeholders, such as customers, business partners and regulators.
In addition to testing the incident response plan, organizations need ways to evaluate its effectiveness. Measures of performance might include the number of incidents detected and resolved, their respective costs in terms of damages and business interruptions, as well as the duration between identifying and addressing an incident. These metrics can be used to assess the effectiveness of the incident response plan. Furthermore, detailed analysis can help identify trends and patterns in incidents and highlight areas where improvements can be made.
Generally, organizations should regularly review and update their incident response plans and processes based on the results of CISs and the corresponding metrics and reports, as well of experience of new cyber attacks. This ensures that they remain relevant and effective in an environment of constantly evolving cyber threats.
In the current digital environment, cyber risks are a major concern for financial institutions due to their potential for severe disruption. Hence, it is crucial to have a robust cyber resilience strategy in place, including a well-designed and regularly tested incident response plan. Compliant and effective cyber-oriented BCM should focus on identifying and mitigating risks, developing response procedures, and ensuring prompt recovery of business operations. Additionally, the BCM should be evaluated and improved continuously to consider the latest incidents and emerging threats in the cybersecurity landscape.
Summary
By adopting a comprehensive cyber resilience strategy, organizations can adopt a sound risk management approach to address potential cyber incidents. This enables them to be proactive against cyber threats, while maintaining their core business activities.
Acknowledgement
We kindly thank Anthony Kieffer for his valuable contribution to this article.
