Operational resilience is the cornerstone of a mature business strategy, but mitigating unknown risks is easier said than done. A recent survey from SAS shows that fewer than half of executives believe their organization is resilient, and only 26% demonstrated the key practices and markers of highly resilient businesses. This leaves a lot of room for improvement in how business leaders incorporate cyber best practices and approach their resilience posture.
October may be Cybersecurity Awareness Month, but our experts on cybersecurity, cyber insurance, and business continuity/disaster recovery are immersed year-round in working with organizations across industries to navigate these risks. We have brought them together to answer 10 common questions and address the need for driving greater resilience in the business community.
1 | How has the concept of resilience changed over time?
Nima Khamooshi, Vice President, Cybersecurity, Dataprise | We’re seeing businesses becoming dependent on technology, and a lot of business owners are increasingly aware that all their critical business tasks rely on technology of some sort. We ask probing questions to uncover what level of resiliency they need and make sure we’re right-sizing solutions.
Andres Franzetti, President, Risk Cooperative | Expanding on that, you really need to be aware of the risks on multiple fronts. Not only does your organization need to be resilient, so do your suppliers, third-party partners, and technology providers. Look at resiliency through the whole ecosystem you’re working with to make sure you identify those vulnerabilities and plan for those going forward.
Steven New, Director, BCDR, Dataprise | From a disaster recovery perspective, it’s actually evolved greatly throughout the years, from backing up to tapes into the whole disaster recovery market now. It’s warp speed ahead.
2 | What are the biggest business continuity threats on the horizon?
Steven | Threat actors are getting smarter and smarter these days. That’s one of the biggest threats from a security aspect, because as technology changes we have to stay one step ahead.
Nima | A lot of organizations don’t understand that they’re under attack all the time. The days of saying, “I’m too small a business to be attacked, no one’s kind of looking at us!” – those are over. One of the first things we see attackers do, over 90% of the time, is go after the backups. So, the dynamic is not just a single cyber-related attack; it’s also going after secondary systems on the recovery side.
Andres | Just to take a 30,000-foot view, aside from the known threats, looking forward we’re seeing a sort of shifting threat landscape. Five years ago nobody would have thought of COVID as a huge disruptor to business continuity, but what does it mean when you have to suddenly switch all your employees to remote work? You need VPNs, you need to be compliant, you need to manage privacy and security for your clients. Many times small- to mid-sized business owners are firefighting the onslaught of anticipated cyber threats, but it’s important to look ahead and engage companies like Dataprise and Risk Cooperative to help formulate agile, proactive responses to outlier threats.
3 | What are some common mistakes organizations make during the incident response process?
Nima | I generally default to my top three mistakes:
Number 1: A lot of business owners, when they have a breach, feel violated. But when you add in high emotions to a scenario that requires clear thinking, you’ll miss key details that will help you in the recovery. So just keep emotional moderation.
Number 2: I see folks that don’t have a trusted partner prior to that event happening. They need somebody who can go on a security journey with them and be relied on for the safe recovery of their systems. Having that trusted partner is a key piece.
Number 3: Have a plan that you’ve tested so everybody knows what to do, how to do it, who to contact, and really understands the decision-making process. There’s going to be so much information coming in from all directions. You really need to know this team is covering this, that person’s covering that, so that you can kind of orchestrate the response in a mature way, rather than a highly reactive way.
Andres | Along the same lines is coordination. We see the insurance carrier brought into the conversation after the fact, but depending on how the insurance policy is set up, clients can incur some cost because actions that they took don’t line up with the requirements of the policy. So, it’s important to not only have that plan, but then also know how your insurance policy coordinates with that plan so that you can have a seamless response.
Nima | That’s a great call out, Andres. When that coordination, that connective tissue, if you will, isn’t in place it really complicates things downstream. Whereas, a little bit of testing upfront saves a lot of time and effort on the back end.
4 | How do you convince business leadership to buy in to the importance of incident response?
Nima | Business owners don’t understand the cyber impacts, but they do understand the risks. So, if you say to somebody in the accounting department, “What would happen if you couldn’t receive revenue?” they understand that fully. It’s a matter of being able to translate technical terms into business terms, and then you complement that business conversation with a tabletop exercise where you’re actually trying to help people understand what the impact could be. Again, “What would we do if we didn’t have these critical business functions?” It makes it easier to get that buy-in you’re looking for.
5 | Explain an essential cyber set for businesses in the small- to mid-market space?
Nima | I generally recommend what I call my ‘five step plan’:
Number one, have that trusted security partner. You need somebody that you can call anytime and know that they’re going to answer you and jump in quickly.
Number two, have a plan for business recovery and incident management. Planning ahead of time makes the orchestration dramatically easier.
Number three, test the plan. Pull everybody together and actually walk through it to make sure they understand their roles.
Number four, get cyber insurance. You should talk with your broker to understand the business risks and really get the right coverage level for your particular business.
Number five, involve the leadership in the decision-making. Realistically, the leadership all has a vested interest in protecting the business, so this is just one of the many duties that they perform in protecting the business.
6 | How are cyber insurance practices changing?
Andres | The cyber insurance market is always going through an ebb and flow, and it’s related to attack frequency, sophistication, and size. The bar is higher in terms of underwriting requirements and accessibility. The five step plan that Nima just outlined is really the baseline for the underwriting process; they want to make sure you have all these plans and policies in place, multifactor identification, backups, all of those components. That’s really kind of where the industry has gone.
The second part of it is more limitations on third-party providers and coverages, and more specifics in the language. Similarly, for attacks like ransomware, which we’re seeing more frequently, we’re seeing caps on those as well. It’s a matter of really looking at the policies and doing a deep analysis to make sure you’re getting the right level of protection and the best pricing.
7 | What are some common gaps in cyber insurance coverage businesses may overlook?
Andres | It goes back to some of the limitations in coverage. A big area that we’re looking at is what we call the contingent business interruption. Thinking back to Kaseya, companies using those systems had disruptions to their own businesses, but many times insurance policies weren’t paying out (or they were paying out at a much reduced rate) because that wasn’t a listed coverage. We’re seeing that contingent business interruption piece have some severe limitations in the sublimits of policies. Not all cyber insurance policies are created equally; there are a lot of different types of coverages and policies out there so it’s important for organizations to really do that self-assessment, know their operations, talk to their brokers, and make sure that all of these different areas of risk are identified and that those gaps are as minimized as possible.
8 | How can businesses best prepare for the cyber insurance application process?
Andres | It’s Nima’s five step plan, right? It’s working with your managed service security providers, your IT departments, making sure that you have all the baseline components in place. And then as you’re going through the application, we have companies that reach out to their IT vendors to really help them complete the technical application components. That close collaboration, making sure you’re getting credit for all the proactive steps that you’re taking, is critical so that you’re able to get the best pricing and broadest level of coverage possible. But make sure you have those minimum thresholds met to get access to the insurance coverage in the first place, because we are seeing that access is very, very limited.
9 | What are the most important elements of a Business Continuity / Disaster Recovery plan?
Steven | You need to come at this from a perspective that somebody just went into your data center and pulled the power cord. How do you function? Create an inventory of everything – who are your stakeholders, who needs access to what resources, what are those resources. There are actually three different types of plans: Business Impact Analysis, Business Continuity Plan, and Disaster Recovery Plan. There are a lot of different steps, but the first thing would be starting off with a business impact analysis.
Business Impact Analysis (BIA) is actually a plan to understand your risk and your tolerance to an outage. It will go through the details of what is impacted, who is impacted, what downtime your organization can risk, and how much money you’re losing for the downtime, and all of these are key components that are required to be able to give you a good Restore Point Objective (RPO) and Recovery Time Objective (RTO), because at the end of the day, a BIA is to mitigate risk and capital loss that you may experience in the event of a disaster.
The Business Continuity Plan lists everything that you need to do to make sure your business continues to operate in the event of a disaster, and limit the operational interruption that you experience.
A Disaster Recovery Plan is a reactive plan that happens during the disaster. You need stakeholders involved to create a war room, and then determine who reaches out to end users, letting them know what happened; your finance team will be involved working with cyber insurance, and also your MSSP.
Andres | From the insurance perspective, a lot of the questions are around: What is our risk? What is the right type of limit that we need to take out? Understanding that business impact analysis and the type of liability that you might need to absorb, as well as your business interruption components, is critical. A lot of times folks don’t know how to quantify that piece of the puzzle.
Nima | To that point, I like to see the alignment between critical business functions and what systems support those critical business functions. A lot of times, the business owner understands, I need to be protective of this function or that function, but they may not understand the underlying IT system for technologies that actually support it. So if you’ve got that traceability between them, it makes a lot of what Steven and Andres are talking about a lot easier to map out and understand how to protect it more effectively.
10 | What updates need to be made over time so that these plans stay relevant?
Steven | We always need to test our BCDR plans to determine if they need to be updated. Relevant information that you need to update is: have any systems changed? The biggest change we see during a DR event is where customers have migrated an on-premises solution to a SaaS solution. For example, your IT department migrates to Office 365, so the Exchange server no longer has to be brought up in a DR environment; it is now a SaaS solution. So, that is one of the most relevant updates that we need to make over time. But I cannot stress enough to test the plans.
BONUS | Please share one piece of advice to improve an organization’s resilience posture.
Nima | Make sure that you assess your security program and identify what you can do for next steps to improve your posture. Security is a journey, so what’s important is that you assess it over time to get where you need to be. I think of it like saving for retirement: you put in a little bit over time, and then you arrive at your ultimate goal.
Andres | I always come at it from the insurance and risk management side of the house, so my approach is always self-assessment at that 30,000-foot view to see what’s coming around the corner. Companies often view insurance as a cost of doing business, not necessarily as a proactive or strategic investment, so they might go for the lowest-cost solution. Those short-term savings can have long-term costs. Make sure that you’re analyzing the policies in detail, you’re asking your broker any question that you may have, and you’re doing that extensive analysis to make sure you’re getting the right type of coverage.
As we discussed with cyber particularly, there are a lot of different components that make up a cyber insurance policy. What are you getting for the breach response coverage? What are you getting for your business interruption coverages, not just the liability? That’s the most straightforward component. Taking that analysis allows companies to basically take risk off of their P&L and put it on to the insurance policy, so it’s a very important process to go through.
Steven | Visit those business continuity strategies now before it’s too late. You would be surprised how many companies we work with that have not tested those plans, and have not reviewed their business continuity strategies going into a disaster. As we know in technology, things change every single day. After you get all those in place, I cannot stress enough, test, test, test to make sure they work when needed. If you run into an issue during the test, you need to get it resolved and documented.