Data Theft? Is It Part of Business Continuity?

Data Breaches: Do They Have Place in Business Continuity Plans?

Written by Erika Voss, CBCP, CORE, MBCI, June 23, 2014
An event that affects the company occurs: a rep from IT comes to the table as a responder for security-related questions ... they said, “We’ve been hacked and records have been compromised.”
It would be even more helpful if you could both see the disaster, and understand the impact, through a similar lens. It would remove difficulties that occur when you see appropriate responses so differently. The IT responder: “Get the system back online quickly.” Security’s responder: “Let’s isolate and contain first before we just put the system back.” The PR responder: “What do you mean we’ve been hacked and records have been compromised? Just how big are we talking?”
Sometimes we take for granted that we have complex infrastructure with multiple layers, platforms, and applications in our “backyard,” and yet we are told things are protected, locked down, or better yet, that we won’t get “hacked.” Today the business continuity professional no longer has just the world of people, facilities, and information systems to worry about. Our space just got bigger. “Welcome to the world of data breaches!” Do you have a continuity plan for this? Companies today are beginning to look beyond just crisis management, crisis communications, business continuity, and disaster recovery plans. Those who are putting more of their “backyard” in the cloud need to know and understand that their data being leaked is becoming, scarily enough, far too common.
Here’s the rub: people have to let go of their egos and sense of self-importance so there can be a clear plan ahead of time identifying which priorities are going to be supported.
It may be easier to get IT to agree ahead of time that although getting the system “back online” is crucial, putting the “system” on remote servers or contracted “cloud” systems is wisest first, until you can all verify that the incident hasn’t left other contamination in the network. You must, as a team, go back to the basic fundamentals and ask where and how passwords are stored as system administrator. If there was an attack, do you have the right permissions, correct ACLs, and an environment locked down enough to contain the hack to a cluster?
Wait, I have things virtually sitting somewhere, too. How do I protect my data in the cloud? As a business continuity planner, you want to collaborate not only with your executive management but also with your information technology teams and push those hard questions in front of them. Who has permissions? Where are the passwords stored? How much is on the stack? Did we participate in the last failover environment? Were there after-action items that didn’t get completed, and if they didn’t, why didn’t they?
Dealing with data breaches, and having a response to this type of attack, is becoming the new trend in business continuity, in my opinion. You have a plan to respond to an outage, a network disruption, a server being taken offline, or moving people to an alternate site, and you understand that an emergency evacuation requires multiple levels of coordination with teams to make sure our employees, ourselves, and our families are safe.
But how we approach a data breach is becoming more complex and difficult. It’s requiring more than just the IT and security teams to be engaged. You need your public relations team and the business continuity manager at the table now, too. The role of the business continuity manager is to talk about the operational resiliency that is already in place. It’s coordinating the teams, the response, the event, the external agencies that will call and show up, and bringing it all together in what is the most painful way, yet admitting the truth: “We’ve been hacked, and our records have been compromised.” This first statement needs to be made almost immediately after finding out the information from IT.
If the exchange server is under attack, probably one person you will consider for incident commander is the exchange administrator. He/she brings technical skills and the expertise to the front line. Operationally, because the exchange server itself has been attacked, you may put your security analyst in the position of operations chief. He/she will examine logs to determine how the attack happened. The logistics chief, if your company is worldwide, can often be your help desk manager. He/she facilitates help tickets, etc. and can be the first line of communication with customers.
That being said, internally you will want to involve your public information office to assign someone the role of communications officer. That person is first-line for communication company-wide; then eventually customer-wide, and media-wide if a larger incident unfolds. By assigning the tasks and responsibilities, the scope of each work assignment is clear. You’ve created an incident command team with the most useful experts in each specific role. You are prepared to handle the disaster, but wait. Where does your business continuity manager fit in this event? Ideally as the liaison officer.
Your business continuity manager wears multiple hats already, and in a crisis event, he or she puts on the red vest, grabs his or her flashlight, and works in the trenches to help save the day as well. This is why we took this job and why we love our jobs. We want to help stay resilient at the beginning, the middle, and the end.
For data breaches, we need to be engaged and understand the risks, the impacts, where our data sits (virtually or not), and how to protect it. This is just a new component for us to build into a continuity plan. To become ready to respond to these types of events, baking in your operational resiliency at the beginning will help when, unfortunately, the hack has already taken place. Drive the response quicker, safer, and better by telling your customers, clients, or personnel there is a plan in place. Saying “we should have” or “no we didn’t” after the fact doesn’t help your reputational brand. And today, it’s all about brand loyalty ... and knowing your records are safe. This is just another new hat for business continuity plans.
It doesn’t happen by magic.
Tabletop exercises often help get people comfortable with stepping up and taking on leadership roles to resolve incidents. Although you and your IT group may never see it all eye-to-eye, with an incident command approach and some fundamental agreements before a crisis is at hand, your organization can better “weather” even the biggest “storms.” Understanding and exercising your plans beyond the scenarios of earthquake, hurricane, malicious attacks, and outages is everyday practice.
As practitioners, we continually strive to get better. But are you ready to sit down at the exercise table and read your inject, “We’ve been hacked and records have been compromised, now what?”
As a practitioner, can you and would you have that conversation easily with your response teams, or would it be a painful eye-opener for some, and an answer that comes too late for executives?
Erika Voss, CBCP, CORE, MBCI, has more than 20 years of experience in training, crisis management, business continuity, emergency preparedness, business resiliency, and executive level crisis management response. Her background focuses on response operations, business continuity/resiliency, emergency preparedness, risk analysis, mitigation, exercise development, planning, and incident management operations across multiple platforms: federal and state government, information technology, finance, and supply chain/retail environments. She currently works for one of the largest software companies in Redmond, Wash., as the senior business continuity manager for the operating systems and supply chain environments. In her spare time, Voss serves on the Red Cross Scientific Advisory Board and teaches courses at Southwestern College.