Yet another warning that we are all doomed by the cyber threat. I think we have gotten the message! What you see less written about for the benefit of the board is what you can practically do about it. So here is a suggested agenda for your next Governance Board Meeting on the subject of IT and Cyber Attack resilience.
Question 1: to the Financial Director, Risk Director and Disaster Recovery Manager
If we were disrupted by a cyber attack, how long would it take to get back to business as usual, and what are the financial implications? Do all three of you agree with each other?
Tip: Look for consensus between all three, as the answer should drive the disaster recovery (DR) plan that is right for the business and meets the expectations of the board and investors. All too often recovery times are set by DR/IT budgets rather than by what's appropriate for the business.
Question 2: for the CIO and HR Director. What policies, protocols and processes have you created, communicated and ensured are fully understood by our employees, contractors and suppliers, so that their behaviour doesn't put our business at risk? Please show documented evidence to support your answer.
Tip: Prevention is better than cure, and all too often a lapse in employee or supplier behaviour breaches regulations, contracts, guidelines and policies, exposing the business to cyber risk. Employees must stick to policies and be aware of the consequences of failing to do so. Look for the frequency of reminder communications and training.
Question 3: to the Security, HR and IT Directors. Have the three of you agreed and implemented layers of security around the business and IT to ensure that our systems cannot be penetrated by physical, logical or technological means? Please show documented evidence to support your answer.
Tip: Look for evidence of joined-up plans across the business that feature things like physical barriers to your buildings and IT facilities, and controls on access to your data when it's in production, in movement and in storage. This isn't just an IT issue.
Question 4: to the CIO, Risk Manager and Disaster Recovery Director. After the business has done all it can to prevent and protect itself from a cyber attack, what is our recovery plan should an attack succeed? How long would it take to recover?
Tip: Look for a DR plan in business continuity software or an automated DR recovery process that is capable of recovering your older as well as your new IT. Some new recovery products do not recover older IT. It should be proven, rehearsed and frequently updated. You should make sure it's adequately resourced in terms of people and skills in the right locations. Not having a DR plan is very expensive.
Question 5: to the CIO and Disaster Recovery Manager. If we were infected by malware, do we have the means to recover quickly without re-infecting the business from the recovery IT?
Tip: Look for evidence of the IT system being rebuilt in data center space that isn't initially connected to the internet. This prevents re-infection and enables you to scrub your systems clean before connecting back up.
Question 6: to the DR Manager, CMO and CIO.
If infected and we shift to recovery mode, will we have the means to communicate with our stakeholders and media to manage their expectations and drive the right behaviour to protect their respective interests?
Tip: You should look for evidence of a clear communication plan, which may require an emergency communication system integrated with your business continuity or Disaster Recovery software, enabling you to stay in touch with your people to drive the right business continuity behaviour and to manage broadcast and social media. Call trees and paper-based recovery plans are out of date and cannot keep pace with fast-moving events in the 24/7 news and media world.