Operational Resilience in the Spotlight
Resilience is a key outcome of protecting all organizations and their customer base; it transcends all sectors of the economy and is applicable in every industry.
Each nation’s government acted immediately to ensure that they could withstand the threats posed by this pandemic and meet the challenges it presents head on. Their key activities from the outset were to identify critical functions, set tolerances and assess the readiness to continue through the scenario presented.
This is not the first time such operational resilience has been tested; it may surprise you to learn that it is a fairly common occurrence, albeit perhaps not as universal as we are experiencing with COVID-19.
2017 – A turning point?
The 2017 WannaCry and NotPetya attacks had world-wide implications and severely impacted varying sectors/organizations - including health (NHS), trade and pharmaceuticals. Hot on the heels of these attacks were several high-profile data breaches which included household names such as Ticketmaster and Carphone Warehouse/Dixons. This demonstrated that attackers had the will and capacity to obtain vast quantities of data. Predominantly this was a criminal endeavour for financial gain, though the disruption caused cannot be understated. There were other high-profile breach instances across the globe including TSB in the UK and banks in the USA, Mexico and India.
The concept of cyber-crime as a risk has focused top management everywhere; more has been done to protect organizations including measures such as implementing ISO 27001 as an Information Security Management System. There has also been the release of GDPR and other national legislation to address the data privacy issues. ISO has responded recently through the release of ISO 27701 to extend ISO 27001 to cover the additional needs of data privacy legislation. We recently hosted a webinar on this topic, you can watch the recorded version here: A Guide to Implementing ISO 27701:2019 (PIMS)
Any threat to operational resilience is also a risk to business viability and continuity. The role in which governance and managerial entities play in controlling operational risk is directly linked to financial performance and reduction of losses through ensuring continuity of business services.
The examples I’ve listed here show a pattern of risk factors growing over the previous 5 years or so with the onset of ever more complex methods of cyber-crime and digital attacks. In some instances organizations ability to control or respond is diminished through the continued use of older information frameworks and assets.
Some organizations in particular have felt this recently and had to adapt by purchasing at great expense assets for their personnel to undertake teleworking under a remote working model.
It is the management of the unforeseen which often determines how an organization is perceived and ensures the continued reputation perception of their customer base. Any organization which can show their stakeholders that they can maintain core functions through periods of operational resilience will certainly have an advantage over those who cannot. In this way, they ensure their long terms sustainability and viability.
The effects of the pandemic are everywhere; indeed I am writing this blog from home on enforced restrictions to travel against a backdrop of remote audit working which NQA have been running for some time now. Most of the world’s population are working from home; conversely the cyber threat is greater now than it ever has been before.
Criminal elements have taken this opportunity to increase their attack instances and varied their attack patterns to match the new way of working. One only has to look at the huge increase in phishing, smishing and spoofing attacks which have occurred since the pandemic response mechanisms have been established.
Source: Metropolitan Police Twitter Feed
A depleted resource pool in all sectors means a decreased number of personnel available to respond to instances and the risks associated with this are apparent. Teleworking models are an effective immediate response mechanism though we’re already seeing an increase in stress for systems not designed for the practice. VPN usage, for example, is well above previously expected norms and instances of unavailability have increased dramatically.
Further, IT Helpdesk personnel will attest to an increase in enquiries as personnel adapt to the new reality. It has never been more important to communicate and ensure awareness of policies and initiatives such as those created in your ISMS. Just one deferred security patch or unauthorised software download can have far reaching consequences. If they aren’t already – these issues should be captured as a risk and given immediate treatment consideration utilising the Annex A controls within ISO 27001.
If an organization has a continuity plan it is highly likely that some commonly expected events are captured for consideration. This can be natural hazards, loss of asset, data compromise or being subject to an attack.
Cyber-attacks perhaps are the biggest unknown, simply as the others are relatively easily mitigated. Simply put; it has never been more important to address this issue. The standard response to any sort of regulatory/governance requirement can be to wait and see or even do nothing. However, the pandemic has forced many organizations to respond without being prepared. The threats to organizations everywhere is apparent and those with “ahead of the curve” operational resilience protocols have not only a competitive edge, but a survival lifeline in an uncertain environment.
It is not just important but vital for operational resilience measures to be considered and implemented as soon as possible. The use of temporary fixes and stop gap solutions is not sustainable and could lead to failure. Additionally, all organizations must continue to learn and develop their strategy to allow recovery and identify lessons to reflect on later.
All organizations should now seek to build robust crisis and incident management, business continuity and disaster recovery plans and ensure that they have been verified as suitable. A plan to address supply chain and ensure their continuity is also considered is a good next step. Additionally, ensuring awareness of security policies are communicated and understood to all employees and third parties will provide assurance that risks are controlled.
Additional security considerations, which may not ordinarily be part of the suite of options available, should also be given some review. These can include multiple factor authentication, segregation of access across networks and domains, phishing awareness initiatives or the provision of centralised security controls for all organizational assets.
All organizations should consider increasing monitoring activity on accounts with administrative functions and increase capacity monitoring measures and ensure backup/failsafe mechanisms are effective. Even the administrative cohort within an organization are prone to attack, leave nothing to chance.
What do I do now?
Operational resilience and business continuity is hugely important and this cannot be overstated. The outbreak of the virus leading to the current restrictions we are all working through has brought this issue in to everybody’s life. All organizations need to ensure resilience strategies are integrated in to all activity, particularly business critical functions and processes. Just like national governments have mechanisms to respond to crisis and the unforeseen, each organization that desires to continue through adversity must also do the same.
The process of ensuring business continuity is contained within a Management System standard: ISO 22301:2019. Detailed in this standard are the requirement to conduct Business Impact Analysis and a Risk Assessment processes. This will help identify all potential disruption scenarios and indicate what level of response and recovery capabilities are required. A strategy and implementation process follow which help an organization act and then ultimately recover when resilience is required. If you have no management system in place or a management system which doesn’t specify business continuity then you may wish to consider implementation of ISO 22301:2019.
If you have a functional ISMS using ISO 27001:2013 then you likely already have some controls in place from Annex A. It is important that you record and review all activity undertaken whilst in the current teleworking model to ensure that lessons captured are reviewed and provide a learning platform.
If your organization processes personally identifiable information then ensuring compliance with national legislation and GDPR is vital so extending your ISO 27001:2013 ISMS to include data privacy compliance through the implementation of ISO 27701:2019 should be considered.
Of course if you would like any further information or a quote for certification, please get in touch with us.