Baker Tilly refers to Baker Tilly Virchow Krause, LLP,
an independently owned and managed member of Baker Tilly International.
Business continuity management and cyber resiliency
Introductions
Eric Wunderlich, CRMA, ABCP
Senior Manager – Risk and Internal Audit
312 729 8185
Agenda
> Business Continuity Management Overview
> Top Threats and Vulnerabilities
> Trends and Other Considerations
The Cost of Disruption
> $11.6M: average cost of a cyber attack and data breach
> Up to $58M: average costs for remediation
> $53,210: minor incidents, average cost per minute of downtime
> Up to $14.25M: average cost of an IT outage over 24 months
> 2nd: rank for sources of supply chain disruption
> Up to $360,000: average cost of severe weather related events
Categories shown: IT outage; cyber / data breach; severe weather
Source: Business Continuity Institute, “Counting the Cost”, 2014
Cybersecurity in Insurance
> Higher incidence of cybersecurity threats and attacks
– 2nd most frequently hacked sector and top ten sub-sector
– 41 known security breaches in the insurance sector
– 3.5 million identities stolen in the finance/insurance industry in 2016
> Common attacks include phishing and ransomware
– 60% of all attacks were ‘insiders’
– Of that 60%, roughly two-thirds of these insider attacks were carried out with ‘malicious intent’
– Ransomware is mostly distributed via e-mail, with an average of 1,200+ global ransomware detections daily
FBI estimates that $400 billion in intellectual property is leaving the US each year
Business Continuity Defined
“Business Continuity Management is a management process that
identifies risk, threats and vulnerabilities that could impact an entity’s
continued operations and provides a framework for building
organizational resilience and the capability for an effective response.”
- Disaster Recovery Institute
“Business Continuity Management is defined as a holistic management
process that identifies potential threats to an organization and the
impacts to business operations those threats, if realized, might cause,
and which provides a framework for building organizational resilience
with the capability of an effective response that safeguards the interests
of its key stakeholders, reputation, brand and value-creating activities.”
- ISO 22301:2012
Business Continuity Overview
BCM lifecycle (six phases, as shown in the program diagram):
1. Program Initiation and Planning
2. Risk Evaluation and Control
3. Business Impact Analysis (BIA)
4. Develop Continuity Plans
5. Training and Implementation
6. Testing and Maintenance
Ongoing project management and communication runs across all phases.
Business Continuity Overview
Plan | Responsibility | Focus of Plan | Objectives
Emergency Response | Facility | Get the people out safely | Develop procedures and policies to ensure the safety of employees, visitors, and community immediately after the occurrence of an event.
Crisis Management | Crisis Management Team | Protect the company | Focus corporate efforts to respond to any incident that has a significant negative impact on the enterprise.
Business Continuity | Facility or Major Function | Get the business up and running | Establish procedures that provide for the continuation of business operations in the event of a crisis on the corporate, divisional, or site level.
Disaster Recovery | IT | Get the systems up | Establish system recovery plans to restore technology (access to data and systems) in the event of a disaster.
Crisis Management
Business Continuity Plan
Objective: back-to-normal as quickly as possible
Timeline (figure): from the incident at Time Zero to Back to Normal
– Emergency Response: within minutes after the onset of an event
– Business Continuity: minutes to days, depending on what’s needed to survive
– IT Disaster Recovery: minutes to days
Business Continuity Overview
Program Initiation and Planning
> Establish the need for BCM
– Regulatory and/or contractual
– Organizational objectives
– Competitive advantages
> Obtain leadership and management support for BCM
– Develop mission statement and/or charter
– Establish objectives and program structure
– Identify budget and resource needs
– Develop project plans and timelines
– Assign responsibilities
> Communicate, communicate, communicate
– Establish clear communication channels
– Disseminate across the organization
Risk Evaluation and Control
> Gain agreement on risk assessment and tolerance
– Understand organization’s risk tolerance
– Establish measurement criteria
> Conduct information gathering activities
– Develop risk universe
– Collaborate with other groups and functions
> Evaluate and classify risk impacts and vulnerabilities
– Evaluate impacts of risks related to availability of personnel, information technology, and communication
> Identify and evaluate effectiveness of controls and safeguards
Risk matrix (figure, Likelihood vs. Impact) with quadrants: High Impact / Moderate Likelihood; Moderate Impact / High Likelihood; High Impact / High Likelihood; Moderate Impact / Moderate Likelihood
Business Impact Analysis
> Establish process and methodology
– Define objectives and scope
– Identify criteria to quantify and qualify impact
– Determine data collection and information gathering approaches
> Conduct data gathering activities
– Processes and/or functions
– Minimum resource requirements
– Interdependencies
> Prioritize processes and determine order of recovery
– Identify gaps between current recovery capabilities and results of BIA
RTO and RPO Illustration (figure; axes: Time and Data)
Labels on the figure: Data Backup; Disruption; Initial Data Loss; Post-Disruption Data Loss (Backlog)…; RTO; Recovery of operations (BC strategy activated); Function / Service / Application operational to owner’s definition; Business process functional
Develop Continuity Plans
> Identify available continuity and recovery strategies
– Requirements for business functions and operations to meet RTO and RPO
– Internal and external options
» i.e. repair/rebuild, alternate site, manual workaround, reciprocal agreement, etc.
– Assess viability of recovery strategies
> Develop emergency response strategies
– Protection of life, property, and environment
– Consult and coordinate with public agencies for response strategies
– Develop crisis communication plan and identify authorized spokesperson
> Document recovery plans
– Site level plans, functional or departmental plans, scenario-based plans, etc.
Training, Testing, and Maintenance
> Establish objectives of the training and exercise programs
– Obtain support of senior management and plan sponsors
– Identify desired level of expertise to be achieved
– Align activities with recovery priorities and tactical requirements
> Identify appropriate audiences
– Prioritize groups based on awareness and training needs
– Goal is to increase awareness and establish confidence
> Develop a realistic, progressive, and cost effective program
– Start simple and build on mastery
Top Threats and Vulnerabilities
Threats and Vulnerabilities (figure not reproduced)
Source: Business Continuity Institute, “2016 Horizon Scan Report”
Threats and Vulnerabilities (cont’d) (figure not reproduced)
Source: Business Continuity Institute, “2016 Horizon Scan Report”
Cybersecurity – Are You Prepared?
Consider these …
> Many companies lack the technical means to detect intrusion and data exfiltration activities
– 69% of data breaches were externally discovered by law enforcement or customers (Source: Mandiant M-Trends 2015 Report)
– Median number of days from earliest compromise to detection: 205 (Source: Mandiant M-Trends 2015 Report)
> Business Continuity and Incident Response plans are critical to minimizing exposure from cyber attacks
– Involving Business Continuity Management saved on average $9 per record breached (Source: 2016 Cost of Data Breach Study: Global Analysis from Ponemon Institute)
> Communication and notification protocols can help to ensure timely and relevant information for internal and external stakeholders
– Customer/Supplier notification protocols
– Media response and spokesperson
Cybersecurity – Are You Prepared?
Industries at risk (share of spear phishing attacks by industry):
– Services: 31%
– All other industries: 21%
– Manufacturing: 20%
– Finance, Insurance, Real Estate: 18%
– Retail/Wholesale: 10%
Threat sources shown: hackers; identity thieves; espionage; regulations; malware
Program areas shown: cybersecurity policy & program development; cybersecurity/privacy compliance readiness; vulnerability assessment / penetration testing; cybersecurity architecture & implementation; SOC reporting; cybersecurity risk assessments
Source: Symantec Internet Security Threat Report 2015
Trends and Other Considerations
How does BCM fit into your organization?
What does your response plan cover?
How often do you perform simulations?
Who is involved in the simulations?
How often are plans invoked and why?
What scenarios should we plan for?
Feedback from BCP Invocation
Use of Technology
Self Assessment Questions
Customers
• Do we have a plan to reduce risk to our customers?
• What is the risk of losing a critical customer or channel?
Supply Chain
• Are we reliant on a single supplier? Do we have alternatives identified?
• Do we know the financial health of our suppliers?
Staff
• Do staff contracts give us flexibility (i.e. hours, location) to deal with major disruption?
• Do staff know what to do if the office or facility is inaccessible?
Reputation
• Have we prepared messages for dealing with a major disruption or crisis?
• Do we have trained spokespeople for communicating with media?
Information Technology
• Have we identified all critical information and IT applications?
• Is all critical information backed up and readily accessible?
• Have we appropriately addressed cyber security risks?
Sites & Facilities
• Do alternative office and facility locations exist? Are employees aware?
• Have we identified and communicated with local agencies and municipalities for emergency response protocols?
Critical Success Factors
01 Communication and Awareness
02 Leadership Support and Buy-In
03 Continuous Improvement
04 Structured and Disciplined Approach
Supporting practices:
– Awareness and training programs
– Clear lines of communication
– One size does not fit all
– Align to organizational objectives and requirements
– Ensure program and plan include relevant components (The 3 P’s)
– Measure and track performance
– Testing and maintenance activities
"The time to repair the roof is when the sun is shining."
- John F. Kennedy