A common and generally accepted method of expressing a level of risk is that it is a product of the impact and likelihood of a negative event occurring. As either the impact or the likelihood rises, the threat to the business (and the urgency of sensibly managing the risk) increases accordingly. Using this (or any other) risk model, the importance of the two traditional areas of readiness planning - business continuity and disaster recovery - can be seen to have increased significantly over the past decade.
Business continuity planning has become more important because the likelihood of severe disruption to business is perceived to have increased. With severe weather becoming more frequent and tabloid headlines proclaiming in large, bold fonts that we're overdue for anything from a global bird flu pandemic to another Icelandic eruption, modern businesses would be seen as negligent if they didn't plan for disruption.
On our scale of risk assessment, the likelihood of extended business disruption is increasing even though the impact could arguably decrease due to BYOD, remote working and the general ability for many staff to function without a bricks and mortar office. The London Olympics led to some great examples of UK businesses transforming the way that their employees were able to work, albeit in many cases only for a matter of weeks.
Disaster recovery has followed the opposite path, with significantly increased reliance on IT systems leading to a spike in the potential impact of extended periods of downtime. Turning IT services into a commodity which can be bought and discarded almost at whim has allowed businesses to become more agile and to buy in systems and services at lower cost, but has also turned many supplier/customer relationships into transient, short-term arrangements on standardised terms.
With that in mind, many businesses can no longer rely on being prioritised in the event of external systems going down - there's no five to seven year contract which is at stake for the supplier, and those standard terms which meant you didn't need to involve the legal team in the procurement process may also mean that your service level agreements aren't quite as tight as they once were.
Equally, internal systems may not be as well supported as you'd hope if the development (and, barring superlative handover processes to internal developers, second or third line support) has been outsourced or even offshored. Frantic international calls following a 9 am emergency in the UK might not be answered until office hours begin on another continent, leaving your business unable to do much more than reboot the server and cross as many fingers as you have to hand (no apologies for the pun).
The perception of disaster recovery has changed over the past decade so that it now sits alongside business continuity as an expected part of "business as usual" operational management. A business which hasn't implemented and tested its disaster recovery provision is likely to be seen as negligent, and is likely to have breached any client contracts for provision of services if extended disruption does occur.
The last few years, and the increasing acknowledgement that security breaches are a “when, not if” event, have seen the rise in importance of a third branch of readiness planning to sit alongside BCP and DR – forensic readiness, or the ability to access (and trust) sufficient log data to identify when a breach has occurred, what happened, and what datasets have been compromised.
Going back to our risk model, the likelihood of an organisation suffering a security breach is approaching 100 percent - and the impact of a breach turning into a significant data loss event is likely to exceed the impact of a building being burned to the ground or a few days without IT systems. A data breach can be a company killer, particularly for smaller organisations or those with reliance on a limited client base.
Forensic readiness has to be seen as a core requirement of good organisational hygiene, alongside business continuity and disaster recovery – and should be specified in standard contract clauses. Businesses without forensic readiness planning and testing in place should be seen as negligent in the same way as a business which decides not to cover business continuity or disaster recovery. The penetration test should no longer stop when all vulnerabilities have been identified, and should continue to identify whether or not the intrusion was detected and recorded for reactive investigation.
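One concrete form of the two checks this paragraph calls for, as an added example that is not from the original article: a tamper-evident hash chain so the log data can be trusted, and a comparison of a penetration tester's scheduled actions against the log to show which were actually recorded. The log records, the field names and the five-minute matching window are constructed assumptions, not any particular product's format.

```python
import hashlib
import json
from datetime import datetime, timedelta

def entry_hash(entry):
    # Canonical JSON so the same record always hashes the same way.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

def build_chain(records):
    """Link records at write time: each entry stores the hash of its predecessor."""
    chained, prev = [], "0" * 64
    for rec in records:
        entry = dict(rec, prev=prev)
        chained.append(entry)
        prev = entry_hash(entry)
    return chained

def verify_chain(chained):
    """None if the chain is intact, else the index of the first entry whose
    stored link no longer matches (its predecessor was edited or deleted)."""
    prev = "0" * 64
    for i, entry in enumerate(chained):
        if entry.get("prev") != prev:
            return i
        prev = entry_hash(entry)
    return None

def check_readiness(test_actions, chained, window=timedelta(minutes=5)):
    """Map each test action id to True if some log entry records the same
    source and target within the window; False marks a visibility gap."""
    report = {}
    for act in test_actions:
        when = datetime.fromisoformat(act["time"])
        report[act["id"]] = any(
            e["src"] == act["src"] and e["target"] == act["target"]
            and abs(datetime.fromisoformat(e["time"]) - when) <= window
            for e in chained)
    return report

# Constructed sample log and constructed test-action schedule (not real data).
LOG = build_chain([
    {"time": "2024-03-01T09:00:00", "src": "10.0.0.5", "target": "webapp", "event": "login_failed"},
    {"time": "2024-03-01T09:02:00", "src": "10.0.0.5", "target": "webapp", "event": "login_failed"},
    {"time": "2024-03-01T09:10:00", "src": "10.0.0.9", "target": "fileshare", "event": "read"},
])
TEST_ACTIONS = [
    {"id": "T1", "time": "2024-03-01T09:01:00", "src": "10.0.0.5", "target": "webapp"},
    {"id": "T2", "time": "2024-03-01T09:30:00", "src": "10.0.0.5", "target": "db"},
]
```

Removing or altering the last entry is not caught by the chain alone, so the latest hash needs to be anchored somewhere the log writer cannot change. An action reported as False is a gap to close before the real incident, not a finding to file away.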
By implementing and testing their forensic readiness, a business can prepare itself to be in a much better position when – not if – a security incident occurs.
Contributed by ,