Incidents such as the theft of 2.5 million pounds from 9,000 customers of Tesco Bank last November have prompted Bank of England Deputy Governor Sam Woods to signal the development of "operational resilience" rules that would spell out which systems at a financial firm underpin critical services, and the "tolerance" level for an outage before regulatory intervention.
This is in addition to the specific cyber resilience tests that the Bank of England have already asked banks like HSBC, Barclays, Lloyds and RBS to undertake.
Whilst discussions are not likely to start until the end of 2017, and specific rules and guidance are not likely to materialise until some time after that, we thought it would be helpful to set out why we believe conventional tools such as Business Continuity and Disaster Recovery are currently failing to give regulators confidence that the financial sector is prepared for a cyber-attack, together with some steps organisations can take to prepare for any future operational resilience regulation.
Reason 1: A data compromise requires the implementation of an IT Disaster Recovery plan as part of the Business Continuity response – and these are notoriously prone to failure
Within a modern business most data is stored, processed and transmitted using technology. This has been the situation for some time now and, even as far back as 2006, the UK Government estimated that 93% of information generated was in electronic form. This means that a data compromise incident will almost always require an organisation to implement some element of their IT Disaster Recovery plan as part of any Business Continuity response.
However, the brutal reality is that, according to the Disaster Recovery Preparedness Council, even under controlled test conditions the average self-managed IT Disaster Recovery plan has only a 35% recovery success rate.
There are many factors that contribute to this shocking statistic, including: failure to update plans and processes following a change; lack of internal expert resource; and conflicting operational priorities.
But this doesn't have to be the case, as the chances of success can be dramatically increased if IT Disaster Recovery is consumed "as a service". For example, Sungard Availability Services' Managed Recovery Programme was found by DRI International earlier this year to consistently return an 87% test success rate for its clients.
Reason 2: There have been unintended consequences of the "all threats and hazards" approach to Business Continuity planning
Business Continuity theory says that in developing a preparedness plan, all threats and hazards facing the organisation should be identified, the organisation's vulnerabilities to them assessed and the potential impacts analysed. As well as identifying scenarios to inform any post-incident activity planning, the threat, hazard and vulnerability assessments should also inform the hazard prevention, deterrence and risk mitigation activity that could be implemented across the organisation.
However, the reality is that, rather than being an activity undertaken by the whole organisation, Business Continuity has often been delegated to a single individual who collects data, produces post-incident plans and arranges exercises.
Whilst even this minimal amount of activity provides some level of preparedness, it has had the unintended consequence that the wider organisation is never given the information about the operational risks it faces, and so is not ready to anticipate, react and adapt when necessary.
This situation is an issue in the response to all hazards and threats, but it is magnified many times over when it comes to a cyber-attack. Due to the nature of cyber-attacks, the response is often launched during the attack; that is, the thief, vandal or extortionist is still on the metaphorical premises making off with the swag, and responding to an attack in progress is fundamentally different from responding to either a natural disaster or the consequences of an attack.
If the attack is still in progress then the attacker can, and will, adapt their strategy in response to your defensive moves. Resetting one compromised account or blocking a single command-and-control address before the full extent of the intrusion is understood usually tells the attacker they have been noticed and prompts them to fall back to another foothold. Therefore if you are not ready, or able, to adapt your plan quickly you are likely to be defeated.
Likewise, if your Business Continuity plans are openly available outside your organisation, or sit on the same network the attacker has already compromised, and describe in detail the pre-defined steps that will be taken, you will be at a significant disadvantage; treat the response playbook as sensitive and keep a copy reachable out of band.
The solution to this is fairly simple: accept that "plans rarely survive first contact with the enemy" and stand up a Crisis Management Team, comprising the organisation's executives who can make strategic business decisions, the minute you think you may be under attack, not several hours later when the IT Department have exhausted all the pre-prepared steps and the situation has escalated out of control.
However, a word of caution: a cyber-attack is characterised by information overload and an extremely high tempo, and if you haven't prepared your Crisis Management Team to function psychologically in such an environment the response may fail.
Reason 3: Conventional business continuity plans focus on the isolation, containment and management of the risk at the lowest level possible whereas cyber risks need to be escalated as quickly as possible
Unlike conventional business risks, where the threats, vulnerabilities and consequences are often grouped at a particular level or function of the organisation and the primary aim of the response is containment to prevent escalation, a cyber threat arrives through a support system (the IT environment) while the major vulnerabilities and consequences sit at the top of the organisation.
This means the primary aim of a cyber-attack response should be the rapid and effective escalation of the issue to a level in the organisation where all the impacts can be managed in a coherent manner.
This sounds like a pretty straightforward communication and escalation issue that can be easily incorporated into a standard Business Continuity or Crisis Communication plan - right?
On one level it is just as simple as that. However, writing it in a plan and telling people this is what they must do and then actually getting them to do it is harder than you think due to the laws of remembering and forgetting.
The laws of remembering can be summarised as: we remember best what we heard last; we remember what we hear most often; we remember most the things that are presented dramatically; and we remember most the things we have a use for.
The laws of forgetting can be summarised as: we forget 50% of what we hear immediately; we forget 75% of what we hear within two months; of the 25% we do remember, only 60% is correct, plus we add things that were never said in the first place.
Detailed plans for events that we have no immediate use for therefore stand very little chance of being retained – which is why your Business Continuity manager or your Fire Warden is always on at you to carry out an exercise or a drill.
And herein lies the major problem: a cyber scenario exercise based on standard Business Continuity principles calls for the testing and exercising of the whole organisation, but full-scale, top-to-bottom testing of an organisation's cyber risk management capability, repeated often enough to keep pace with the changing threat and business dependencies, is prohibitively expensive and disruptive for most organisations.
The result is that elements are tested in isolation (e.g. can the infosec gurus detect and contain an attack, or can a business unit manage without a particular application?) but the top-to-bottom communication and escalation is often never tested or rehearsed and, as a consequence, fails when put into a live situation.
To overcome this Sungard Availability Services has developed a hybrid exercise format that focuses on the key capabilities necessary for a successful cyber response. It's not a substitute for a full-scale test (by the way, we can also deliver this for you) but it provides a safe environment for organisations to practise the detection, escalation, communication and counter-attack process, which is where we have observed most organisations fail.
Reason 4: A false sense of security
Many years ago I looked after the security of an organisation that had several thousand business premises. Some of the premises were unmanned the majority of the time, some were purely operational and had a handful of workers maintaining equipment etc., and some were office and administrative environments. However, all contained valuable and attractive items that, if stolen, would disrupt critical business processes.
I followed the normal deter, detect, delay, respond security model: the unmanned premises had several layers of security measures centred on the critical asset that would automatically trigger an emergency response if breached; the sparsely manned sites had automated restricted access to the site as a whole and a few layers around the really critical equipment; and the administrative centres had access controlled via a reception, with a manned guard on the perimeter.
Almost without exception my highest level of crime occurred at sites with a perimeter guard. On investigation, I found that the behaviours of people changed dramatically when they thought that someone else was responsible for the security of the site. They failed to challenge people they didn’t recognise, they let people through access-controlled areas even if they didn’t have a pass and, in one case, they even made my penetration tester a cup of tea and showed them how the control room worked.
I believe the same has happened with cyber-attacks. Perimeter security (e.g. firewalls etc.) and access control (e.g. passwords) are never unobtrusive in an organisation. You can’t fail to know they are there because they either prevent your access to the website you really want to visit or challenge you to think up and remember, without writing down, a random arrangement of letters, numbers and special characters each month or so.
They are the logical equivalent of the guard in a uniform and people make the assumption that they can stop everything.
In the organisation I worked for we solved the problem by bringing security, business continuity and emergency response under a single umbrella, so that when security measures were deployed people were in no doubt that they were not 100% effective, because they were always deployed in conjunction with the measures to be taken when they were breached.
Sungard Availability Services do the same - our managed security services focus on protection and detection and are designed to be deployed within a cyber-attack response framework.
So is there anything financial and other organisations can do to reduce their cyber risk whilst they wait for regulator guidance regarding operational resilience?
Based on our analysis of the reasons conventional Business Continuity and Disaster Recovery plans are failing to rise to the cyber challenge - the answer is yes.
At the very least we recommend that organisations start the dialogue between everyone who has the ability to influence the outcome of a cyber-attack, so that they are on the front foot when the guidance lands.
We are more than happy to help you prepare for the forthcoming operational resilience regulation but if you wish to go it alone please make sure that you take the following into account as they can dramatically reduce your chances of being the next logo plastered over the press for a cyber-attack:
- A cyber-attack requires the implementation of an IT Disaster Recovery plan as part of the Business Continuity arrangements, and these are notoriously flawed. Consider investing in Disaster Recovery as a Service (DRaaS), as it can dramatically increase your chances of a successful recovery. Whichever route you take, check that recovery points are isolated from production credentials and retained long enough to pre-date the intrusion: an attacker who can reach your backups, or whose foothold is faithfully replicated into them, leaves you with nothing clean to recover to.
- A cyber-attack requires the standing up of a Crisis Management Team, and they need to be prepared to function in a fast-tempo environment characterised by information overload. Consider providing them with executive coaching that specifically addresses the crisis management aspects of a cyber-attack, e.g. maintaining situational awareness, decision making under stress, command and control, and media survival skills.
- Conventional Business Continuity plans focus on the isolation, containment and management of the risk at the lowest level possible, whereas cyber risks need to be escalated as quickly as possible. Make sure you have a separate cyber-attack response plan with the appropriate escalation and communication processes embedded, and make sure they are practised, for example by using a hybrid exercising capability such as that offered by Sungard Availability Services.
- Don't underestimate the negative internal effect of visible perimeter security. Only deploy security systems that focus on protection and detection and that are designed to operate within a cyber-attack response framework, so that nobody mistakes the presence of a control for a guarantee that nothing will get through.
Regulators to set out cyber resilience rules
Bank of England Deputy Governor Sam Woods has said that UK regulators may develop "operational resilience rules… and the tolerance level for an outage before regulatory intervention" (Reuters, online). The framework would be jointly overseen by the Bank of England and the FCA, to evaluate threats to firms' operations, solvency, and wider financial stability issues.