As the industry knows, a successful cyberattack can shut down operations - not just for a few hours, but for days and weeks.
The collateral damage, such as information leaks, reputational damage and so on, can continue for much longer.
From a partner perspective, organisations in Australia realise that more cyberattacks are to be expected in the future, and that they will grow in scale and sophistication over time.
However, Gartner research vice president Roberta Witty claims organisations rarely know that IT environments have been breached until it is too late.
“At that point, an organisation could have much of its IT infrastructure infected with malware, be subject to ransom demands for its data or other such destructive attacks that result in compromised or lost data,” Witty said.
“In the time between the initial breach and detection, the hacker team is likely to have compromised many systems and applications, systematically worked to elevate its privileges in the environment and compromised, destroyed or encrypted data.”
As partners take on the consultative mantle in a security capacity, channel value can be derived from ensuring effective enterprise-wide risk containment, with cybersecurity and business continuity management (BCM) leaders now forced to align processes.
“This requires two distinct phases,” Witty explains. “A planning phase that identifies the best practices to apply before experiencing a cyberattack, and a response and recovery phase that identifies the best practices that apply once the business is in crisis mode.”
For Witty, even organisations that do have a cyber incident plan sometimes assume that an incident is an orderly affair, following a well-defined procedural pathway.
“Authors of these plans often assume that the attacker will have one mode of attack, that the incident will be a relatively simple and brief affair, and be similar to a typical technology failure,” Witty said.
But as partners will no doubt attest, the reality is different.
“A cyberattack is a street fight,” Gartner research director Rob McMillan added. “You are not dealing with a technology failure, although a manufactured technology failure might be one of the methods used against your enterprise.
“Rather, a motivated individual or group of individuals that have decided to target the organisation have left the business with a messy, chaotic and long-term event.”
McMillan said cyberattacks must be viewed as large-scale business operations crises and, therefore, must be handled from an enterprise continuity of operations perspective.
“Integrating established BCM best practices into the existing computer security incident response process can boost the organisation’s ability to control the damage of a cyberattack, speed up the efforts to get back to normal operations and, therefore, reduce some of the financial impact of the cyberattack,” he added.
For example, McMillan said business impact analysis (BIA) can quickly identify if impacted IT services, operating locations, and partners/suppliers/third parties are mission-critical to the organisation.
In addition, crisis communications processes and automation set up for traditional BCM disruptions can be leveraged for a cyberattack, while business recovery and resumption plans can be used when IT services are shut down by the cyberattack and the business is waiting for cleansed IT services to become operational.
“Furthermore, IT disaster recovery (DR) procedures can be used to restart systems and restore data in the right sequence,” McMillan explained.
“Crisis management automation can also be used to manage the organisation’s overall response and recovery from a cyberattack.”
Going forward, partners can help ensure that there is collaboration through proactive team development and cross-team representation throughout the organisation, involving all phases of the incident cycle from planning, budgeting, strategy development, exercising, event response, program management and governance.