Cyber Resilience & Business Continuity – A Powerful Pair in Risk Management
Think of some of the most iconic duos in history, like Batman & Robin, Snoopy & Woodstock or Doc Brown & Marty McFly. Certainly, these characters are memorable on their own, but it’s hard to imagine one without the other, right?
Just like these beloved fictional characters, there are two strong elements available to your organization that work together to stand the test of time, and that powerful pair is cyber resilience and business continuity. By working hand in hand, these two elements can help your organization develop and deliver techniques to defend against cyber threats.
The Importance of Business Continuity & Cyber Resilience
Your organization needs a clear strategy. That’s where business continuity and cyber resilience come in. Think of business continuity as the behind-the-scenes planning and preparations your credit union can make prior to any incident. According to DRI International (DRII), with business continuity, your organization is taking a “proactive approach to ensure business operations can continue during and after a disruption.”
Cyber resilience, on the other hand, is the credit union’s capacity to continue business operations despite disruptions from a cyber event. In other words, “the show must go on.” DRII defines cyber resilience as an organization’s ability to “continuously deliver its intended outcomes despite adverse cyber events.”
So why are these two elements so important for your organization? According to IBM’s Cost of a Data Breach Report 2023, the average time it takes to discover that there is a breach is approximately 204 days, which is more than six months, and the average time to contain the breach is 73 days. Combined, you’re looking at an average of 277 days from the time the breach occurred, meaning the process of discovering and containing a breach can take more than nine months. As Doc Brown would say, “Great Scott!”
Additionally, keep in mind that even after the attack has been contained, your institution will still need to go through the process of eliminating the problem and restoring your information.
How to Incorporate Cyber Resilience into Your Business Continuity Plan
It’s likely no surprise that disruptions have become the norm in our digital day-to-day lives. Proper planning is critical to mitigate and manage threats, and integrating cyber resilience into your business continuity plans (BCP) is key. DRII outlines five elements of cyber resilience for your institution to consider as you write your plans, which together provide a holistic approach:
- Prepare/Identify
- Protect
- Detect
- Respond
- Recover
Identify your capacity. When you are performing the business impact analysis, identify the desired recovery time objectives (RTO) and recovery point objectives (RPO), keeping in mind that you will need to adjust these to reflect the actual recovery timeframes, expressed as recovery time capabilities (RTC) and recovery point capabilities (RPC), for cyber resiliency.
Provide training. Having employees who are informed and engaged on cybersecurity can make all the difference. A supportive, security-focused team culture starts with you. Something as simple as knowing who to contact if employees notice something suspicious can help minimize the impacts.
Back up your information. If a breach were to occur today, would you still be able to access your data? Backups are usually the first area that is targeted in order to prevent you from being able to recover. Make sure you are backing up your information and using continuous data protection (CDP). If at all possible, you’ll want to ensure the data you’ve backed up is immutable, air-gapped, clean and secure.
Communicate the plans. Once you have it in writing, you’ll want to share the business continuity plans with your staff and make sure they are trained in any necessary action steps and procedures they need to take. Be sure to clearly define everyone’s roles.
Perform ongoing testing. Testing will allow you to make sure that the plans that you’ve developed will work when they are needed, as well as identify any gaps or issues that can be addressed before a true incident happens. Continuously check your systems for any vulnerabilities through services like social engineering tests, vulnerability scanning and penetration testing, in addition to conducting risk assessments and threat surveillance, to name a few.
Create a strong line of defense. Work with trusted partners to utilize efficient risk management solutions that help you to protect your sensitive data and stay up to date on rules and regulations.
Communicate effectively. Don’t rely on call trees for urgent communications. Instead, look to mass notification systems to make sure all appropriate parties are notified in a timely manner every step of the way.
Benefits of Cyber Resiliency in Your Business Continuity Plan
The importance of being prepared is more apparent than ever before, especially as advancements in AI continue. Plus, in addition to protecting your data, building cyber resiliency into your BCP can help your credit union avoid lengthy downtime and costly regulatory fines and preserve your valuable reputation.
Your organization’s secure future depends on the actions you take today. Just as Doc Brown shared in the memorable movie line, “Your future hasn’t been written yet. No one’s has. Your future is whatever you make it. So, make it a good one.”
Mark Clarke works as the business continuity administrator for Vizo Financial Corporate Credit Union. In this role, Mr. Clarke supports the performance of business continuity planning, business impact analysis and business continuity training for the Corporate and the credit union industry. Mr. Clarke also delivers tailored consulting services for credit unions, assisting them with their specific business continuity needs.