
David Sutton - Business Continuity in a Cyber World: Surviving Cyberattacks


Aimed at both private and public sectors and all sizes of organization, this book provides a practical approach to the implementation of a business continuity management program with a particular focus on cyber-related business continuity issues. The book deals with the types of threat faced by organizations and their possible consequences; a summary of the underlying risk management process; documenting the organization's information assets and their value; determining and implementing the appropriate business continuity prevention or response strategy; exercising, testing, maintaining and reviewing the business continuity function; and embedding the culture of business continuity into the organization. Possibly unique in the world of books on business continuity management, its focus will be purely on the business continuity aspects of cyber security in a world where this is becoming a major area of concern for both public and private sector organizations. The audience for the book is business continuity managers; information risk practitioners; information security managers; information assurance managers.

Business Continuity
in a Cyber World

Surviving Cyberattacks

David Sutton

Business Continuity in a Cyber World: Surviving Cyberattacks

Copyright Business Expert Press, LLC, 2018.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopy, recording, or any other, except for brief quotations, not to exceed 250 words, without the prior permission of the publisher.

First published in 2018 by

Business Expert Press, LLC

222 East 46th Street, New York, NY 10017

www.businessexpertpress.com

ISBN-13: 978-1-94744-146-0 (paperback)

ISBN-13: 978-1-94744-147-7 (e-book)

Business Expert Press Information Systems Collection

Collection ISSN: 2156-6577 (print)

Collection ISSN: 2156-6593 (electronic)

Cover and interior design by S4Carlisle Publishing Services Private Ltd., Chennai, India

First edition: 2018

10 9 8 7 6 5 4 3 2 1

Printed in the United States of America.

Abstract

Until recently, if it has been considered at all in the context of business continuity, cybersecurity may have been thought of in terms of disaster recovery and little else. Recent events have shown that cyberattacks are now an everyday occurrence, and it is becoming clear that the impact of these can have devastating effects on organizations whether large or small, and whether in the public or the private sector.

Cybersecurity is one aspect of information security, since the impacts or consequences of a cyberattack will inevitably damage one or more of the three pillars of information security: the confidentiality, integrity, or availability of an organization's information assets. The main difference between information security and cybersecurity is that while information security deals with all types of information assets, cybersecurity deals purely with those that are accessible by means of interconnected electronic networks, including the Internet.

Many responsible organizations now have robust information security, business continuity, and disaster recovery programs in place, and it is not the intention of this book to rewrite those, but to inform organizations about the kind of precautions they should take to stave off successful cyberattacks and how they should deal with them when they arise in order to protect their day-to-day business.

Keywords

availability, compromise, confidentiality, continuity, cyber, cyber threat, cyberattack, cybersecurity, denial of service, information security, integrity, prevention, response, risk

Contents

I would like to take this opportunity to thank:

My wife Sharon for her unceasing support throughout all my writing work;

My children Bella, Matt, and James and their respective partners for their continuing encouragement, and my wonderful grandchildren for regularly helping me remember that there's much more to life than work;

My good friend and colleague Andy Taylor, who put me in touch with BEP in the first place, Nigel Wyatt, for forwarding my abstract, and Scott Isenberg, for agreeing to publish the book;

Finally, Mr. Evans, my English teacher at Thomas Adams School in Wem, for reasons that I hope will be obvious.

Why Is Business Continuity Important?

From 2003 to 2014, I gave an annual lecture on business continuity to information security students studying for their master's degree at the Royal Holloway University of London. On one occasion and before I had even begun the lecture, a particularly difficult student (there's always one, isn't there?) asked me what business continuity had to do with information security. I explained that if he listened for a few minutes all would become clear. This he did, albeit rather grumpily.

After my introductory slides, I explained with several real-world examples just what can happen to an organization when information assets are damaged, stolen, or rendered unavailable. The point I was trying to get over was that it wasn't only about the information and the systems that held it, but everything around that as well: the computer room and its supporting infrastructure; the building and its immediate environment; neighboring buildings; the weather; the political and economic constraints; and by no means least the people, and how a bizarre chain of events can sometimes contrive to cause unexpected problems.

One of my best examples related to an explosion at an oil storage depot a little way northwest of London in December 2005. The explosion in itself was a major event, requiring the fire and rescue services of three counties to control and extinguish the subsequent fires, but it was a building several hundred metres away that suffered the particular information security impact. The heat from the fire was so intense that it caused a large and heavy air-conditioning unit fixed to the ceiling of the computer room to break loose and fall directly onto an even larger and more expensive mainframe which was processing extremely sensitive data. Unsurprisingly, the mainframe failed, but fortunately the disaster recovery system located about 30 miles away cut in immediately and both the data and the reputation of the organization were saved.

When thinking about protecting an organization's information assets, it's always worthwhile asking one simple question: "What could possibly go wrong?"

Could, for example, a loosely affiliated group of hackers take down the CIA's website? Yes. A group known as Anonymous did so in 2012; it was not the first time this had happened. Clearly, the CIA was able to respond quickly, and although it did not suffer any financial loss as a result, it did lose face.

Could another hacking group develop a piece of malware that encrypted the hard disk drives of systems all over the world and demand a ransom to unencrypt them? Yes: the WannaCry virus (attributed to North Korea) in 2017 did just this. Many organizations were totally unprepared for this kind of attack and suffered financial, operational, and reputational losses as a result.

Could a major government department still be using personal computers running Windows XP, 7 years after it had ceased to be supported by Microsoft? Again, yes, but on this occasion, I will spare them the embarrassment of naming them!

The answer then to the question "What could possibly go wrong?" is "Almost anything one could imagine, and quite a few things one might never have even thought of."

Twenty years ago, no one could reasonably have imagined the aforementioned examples, but today all bets are off, and nothing would surprise me anymore.

So, what is the problem? Is it a lack of understanding of the issues at senior management level? Is it a lack of investment in securing an organization's systems and services against cyber threats? Is it a lack of training of IT and security personnel? Is it a lack of awareness of users? Is it the result of work by extremely clever attackers? Is it the poor security design of IT systems and services? Actually, it is a combination of all of these, and possibly many more.

In recent years, an unprecedented number of major business-disrupting cyber incidents have occurred. Some of the organizations affected by these have survived them; others have not. The key to ensuring that your organization remains in the former category rather than the latter is a combination of information security or cybersecurity, and business continuity management, an increasingly important aspect of business life, but one that is frequently overlooked.
