Is Cyber Security the Elephant in the Business Continuity Management Room?
Cyber threats and data breaches now arguably pose a bigger threat to financial services organisations than many of the disaster scenarios simulated in testing. Organisations have created cyber security teams to repel attacks and introduced policies to attempt to combat the insider threat, but are these initiatives aligned with senior business continuity leaders?
Over the past decade, technology disaster recovery planning has improved significantly. Mature organisations now look at their disaster recovery from a business-process perspective rather than a systems-based one; that is, they identify the critical business processes, assess them against key risks, and then determine which applications and infrastructure support those processes.
The risk-based assessments should provide financial services organisations with impact tolerances for IT applications and infrastructure, which are then tested in managed disaster recovery tests; these tend to simulate natural disasters or catastrophic accidents/incidents. After the test, remediation activities focus on the components that failed to recover within their impact tolerance.
So far so good, but:
Impact tolerances are principally predicated on returning an application to normal service by using a secondary location hosting a duplicate application and mirrored infrastructure. But how would this help if a virus has penetrated, i.e. the secondary threat comes from within?
Business leaders have potentially been led into a false sense of security: they run critical systems in an active/active configuration, and others deemed marginally less critical with a recovery time impact tolerance of 2, 3 or 4 hours (which is proven to be achievable in testing scenarios).
The new reality is that, in the event of a successful malicious cyber-attack penetration, the organisation may need to revert to a much older copy of the application and data, more than 4 hours old. Add in the lack of preparation and testing for such an eventuality, and it is easy to conclude that in a severe event a bank could be out of the market for 48 hours or more.
Given the risk, it would seem time to integrate business continuity management more closely with cyber security threats to allow more informed planning.