Well, Happy New Year everybody! From me to you, I hope that all of your wishes and dreams come true this year, and that 2021 will be a much better year for this world. But there is one certainty that will continue to linger on with us:
And that is the COVID19 virus. Despite the vaccines now becoming available, new strains of it are still continuing to emerge, even in countries such as the UK and Japan. In fact, both nations have literally cut off their borders in order to contain it.
But apart from this, another truism this year is the Remote Workforce. As I wrote about numerous times last year, this is a reality which will probably now be with us at least until the end of this year, and possibly even going into the next.
Many lessons have been learned from this, especially from the standpoint of Cybersecurity. Many CISOs have now learned the sheer importance of having IR/DR and BC Plans in place, and hopefully they will spend the necessary time to get all that ready this year.
But apart from having all of these documents in place, the next crucial step for Corporate America is to actually rehearse the parts that go with them. In other words, holding mock exercises on a regular basis to make sure that the IT Security team (as well as other departments) are on their toes and know what to do.
While it is one thing to stress the importance of doing this, it is yet another to point out the benefits of doing it. So here we go:
*You will know your strengths and weaknesses:
The only way you will know which areas your IT Security team needs to work on further is by actually rehearsing all of the above-mentioned plans. We all have strengths and weaknesses, so while it is important to praise what is being done well, it is equally if not more important to offer constructive criticism on what can be done better. Note the term “constructive”. Never be negative; instead, also offer up ways in which those weaknesses can be improved for the future.
*Your time to respond will be much quicker:
Just suppose that you have all of your IR/DR and BC Plans in place. Now imagine that they have never been practiced or rehearsed. If your company were to be impacted by a major security breach, it will take you that much longer to respond and fight it. And those lost minutes could be the make-or-break time for your company. Now imagine that you have practiced all of those plans on a timely basis. Not only will your response time be much quicker, but your respective teams will know exactly what to do rather than fumbling around in the documentation. Those saved minutes could very well mean that your business survives the initial onslaught of a Cyberattack. Also, the use of KPIs and other metrics is becoming important to the CISO, especially in regards to how long it takes to detect a malicious actor that may be lurking around, to mitigate it, and to bring mission critical processes and operations back up after you have been impacted. By conducting these kinds of drills, you will get a much better gauge of all of this and can even prepare a plan with your CISO to bring any time lags down to an acceptable level.
*Training in real time:
One of the biggest buzzwords last year was “Security Awareness Training”. Again, it is one thing for your Remote Workforce to sit in meetings all day and listen to what they need to do. But it is quite another for them to actually do it. So in this regard, by rehearsing your plans, your IT Security team and the other people that are involved will get all of the real training they could ever imagine, and this will only reinforce what they are being taught on Zoom, WebEx, or Microsoft Teams. Once this combination is in place, only then will your employees truly comprehend what it means to have a strong level of Cyber Hygiene.
*You will be able to further quantify and justify costs:
One of the key mantras in the world of Cybersecurity is to conduct a Risk Assessment to see where your level of Cyber Risk is at. This typically involves taking an inventory of all of your digital assets and assigning each one a level of vulnerability to a security breach on some predefined, categorical scale. But it is very important to keep in mind that this is all very theoretical, because many assumptions have to be made, and you are also using past data to predict what the future could possibly hold. By conducting these kinds of exercises on a real time basis, you will get an idea of not only where your true weaknesses and gaps lie in your lines of defense, but also what the true cost will be to procure the tools that are needed. This serves two primary purposes: you have a greater chance of getting more money for already tight Cybersecurity budgets; and you will be showing your C-Suite and Board of Directors some hard numbers as to how the bottom line of your company will be impacted if corrective and remediative actions are not quickly taken.
*Determining what kind of external help that you need:
Since many businesses are now ditching their traditional brick and mortar presence for a virtual one, the chances are that your IT Security team will need to rely upon external third parties to help them carry out their daily tasks. For example, this could come in the form of a Virtual CISO, or even hiring an MSP or an MSSP. By practicing your IR/DR and BC Plans, you will know exactly in which areas you will need extra help. Therefore, you will then have the ability to really target your budget accordingly, so that you will be able to get what you really need. But it is also important to keep in mind that hiring external third parties can in and of itself pose a serious security threat, so you have to take the vetting process very seriously. This will be the focal point of a future blog.
*You will become more compliant:
One of the biggest concerns associated with the Remote Workforce is that of Data Privacy, for obvious reasons. With this in mind, it is highly expected that enforcement of both the GDPR and the CCPA will continue in full swing this year. This not only means audits, but also horrible financial fines if you are deemed to be non-compliant. Rehearsing your IR/DR and BC plans will also force you to achieve compliance in areas where you were not compliant before. For example, if you conducted a Disaster Recovery rehearsal and found out that certain control mechanisms were not working, now is the time to get that corrected so that you do not get caught by an audit down the road.
My Thoughts On This:
Now that you have an idea of what some of the tangible benefits are to practicing your IR/DR and BC Plans, it is very important that you conduct these exercises on a regular basis. In this regard, it is recommended that you do it once every quarter, or if not, at least twice a year at a minimum.
Also, as you conduct and complete each set of exercises, make sure that your IT Security team is updating the documentation with all of the lessons that have been learned. This will ensure that any margin of error that previously existed has been reduced as much as possible.
Keep in mind that if you are thinking of acquiring some sort of Cybersecurity Insurance Policy for your company, one of the first questions you will be asked before you are awarded a policy is whether you have a set of IR/DR and BC Plans in place. Answering “yes” the first time around will not only speed up this process, but it will also help to ensure that you will get a 100% payout in case you are impacted.
Finally, if you had these Plans already in motion before COVID19 hit, many kudos to you. But if you are thinking of migrating your entire On Prem IT and Network Infrastructure onto a Cloud based platform (such as AWS or Microsoft Azure), you will need to rework your plans entirely to reflect this, as everything will now be virtually based. But, more to come on this topic once again in a future blog.