When discussing cybersecurity prerequisites, it is often completely unclear what “corporate resilience” means. People often mix up different terms and definitions, and the fact that the various standards also use the terms differently doesn’t help.
Why terms can make or break your efforts
As you may be aware, many different standards, legislation, best practices, and defining organisations use and explain the various terms involved in creating corporate resilience in other, sometimes even contradictory ways. The most crucial aspect in this regard is to ask yourself some fundamental questions before starting the continuous journey of establishing corporate resilience:
- What capabilities do we need?
- What do we call them, and what do we mean by it?
- Do we have a shared understanding of the terms we are using?
Only when these central questions are posed can the foundational work begin. This article, by facilitating the conversation around a common understanding, will help you succeed with corporate resilience by helping you understand cybersecurity prerequisites.
By preparing a model that creates an overview of corporate resilience elements, Devoteam sought to clear up this confusion. As a prelude to the walkthrough of the different terms, we must introduce two main concepts:
Corporate resilience is understood as a broad umbrella term encompassing the different activities that seek to bolster the organisation’s ability to withstand disruptions. It entails most of the strategic activities described below.
Contingency plans are formal procedures that seek to address disruptions to organisations by providing an alternative plan, commonly known as plan B. We thus broadly understand contingency plans as the different formal procedures developed to bolster corporate resilience.
With these central concepts defined, we can begin diving into the different areas of the model presented below:
Purple boxes – The cybersecurity prerequisites for good corporate resilience
Let us talk you through the model, starting from the bottom:
The purple fields at the bottom of the model are the company’s essential cybersecurity prerequisites for contingency planning to function in practice and not just be an organisational exercise.
This foundation should consist of at least the following:
6. Technical Recovery Plans/Disaster Recovery Plans
These plans dictate a concrete step-by-step recipe for re-establishing a system and which cybersecurity prerequisites, such as licenses, backup, rights, etc., are necessary to carry out the recovery.
The plans must only contain the essential information necessary for systems recovery and must be distinct from system documentation. If you need external consultancy assistance for the recovery, then this plan must contain the information that the consultant needs to be able to carry out the work.
Of course, you must store the plans in a place where you can still access them, even if the infrastructure is inaccessible. You also use these plans during regular operational breakdowns, when you must re-establish systems, so they are not reserved for crises.
7. Cybersecurity prerequisites: Playbooks
To counter a predictable scenario affecting several systems simultaneously, you can describe a good playbook for the specific situation. For example, this is what you see in a first aid book, where there is a sequence of different actions for, e.g., burns and drowning accidents.
You are expected to have a scenario-based action plan for ransomware attacks. It describes the reaction pattern you have agreed on, with specific prepared actions that can prevent the situation from developing negatively. For example, these playbooks can describe how to quickly divide a network into segments (also called island operation) or how to shut down parts of the network.
You can automate a scenario-based action plan as scripts that carry out the actions quickly, as the reaction must be completed within a few minutes. Management should approve these plans, as they often affect the company’s activities dramatically and will initiate one or more business contingency plans.
8. Prioritisation and dependencies
If systems are to be recovered, they will be done according to an IT department-operated “queue system.” Here, you would first recover the IT infrastructure and then the systems that are prerequisites for the rest of the systems to function. Based on the prioritisation of the systems’ importance, the business can request service in a specific, pre-determined order.
Experts often base this on an assessment of the business impact (called a Business Impact Assessment, BIA). This is one of the cybersecurity prerequisites: tackle the most critical systems and services first and re-establish essential business processes as soon as possible.
Since there are often several business areas, those responsible for the business areas must mutually agree on their priorities so that there are no internal conflicts in a crisis situation. This order can still be changed during the incident, but it is much faster to start with something rather than nothing.
Dependencies between systems and services can be more challenging to uncover if you do not have a well-maintained CMDB (Configuration Management Database). If the CMDB lacks clear descriptions, preparing simple sketches to show basic dependencies proves beneficial. This aids decision-making in a crisis and impacts the recovery sequence.
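The recovery queue described above can be computed rather than argued over in the war room: given each system’s BIA priority and its dependencies, a topological sort that always picks the most critical ready system yields the order, and it fails loudly when the CMDB contains a circular dependency. This is an added illustration, not Devoteam’s tooling; the inventory below is constructed sample data.

```python
"""Recovery-queue ordering from BIA priorities and system dependencies."""
import heapq
from typing import Dict, List, Tuple

# Constructed sample inventory (hypothetical): name -> (BIA priority, dependencies).
# Priority 1 is the most critical, matching the one-to-five scale in the model.
INVENTORY: Dict[str, Tuple[int, List[str]]] = {
    "network-core": (1, []),
    "identity":     (1, ["network-core"]),
    "storage":      (2, ["network-core"]),
    "erp":          (1, ["identity", "storage"]),
    "warehouse":    (2, ["erp", "identity"]),
    "intranet":     (4, ["identity"]),
    "hr-portal":    (3, ["identity", "storage"]),
}


def recovery_order(inventory: Dict[str, Tuple[int, List[str]]]) -> List[str]:
    """Return the order in which systems should be recovered.

    A system becomes eligible only once all of its dependencies are recovered;
    among eligible systems the lowest priority number (most critical) goes first.
    Raises ValueError for a dependency missing from the inventory or a cycle.
    """
    for name, (_, deps) in inventory.items():
        for dep in deps:
            if dep not in inventory:
                raise ValueError(f"{name} depends on unknown system {dep}")
    remaining = {name: set(deps) for name, (_, deps) in inventory.items()}
    dependents: Dict[str, List[str]] = {name: [] for name in inventory}
    for name, deps in remaining.items():
        for dep in deps:
            dependents[dep].append(name)
    # Min-heap keyed on priority so ties between ready systems resolve by BIA rank.
    ready = [(inventory[n][0], n) for n, deps in remaining.items() if not deps]
    heapq.heapify(ready)
    order: List[str] = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            remaining[child].discard(name)
            if not remaining[child]:
                heapq.heappush(ready, (inventory[child][0], child))
    if len(order) != len(inventory):  # something never became ready: a cycle
        stuck = sorted(n for n, deps in remaining.items() if deps)
        raise ValueError(f"circular dependency among: {stuck}")
    return order


if __name__ == "__main__":
    for position, system in enumerate(recovery_order(INVENTORY), start=1):
        print(f"{position}. {system}")
```

Note that "erp" (priority 1) cannot jump ahead of "storage" (priority 2) because it depends on it; the dependency graph, not the priority alone, decides the queue.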
9. Cybersecurity prerequisites: Robust design and architecture
A robust architecture and systems design can reduce in advance some of the problems caused by a crash or a cyber attack. One should consider a correlation between a system’s criticality assessment and the design’s robustness. This is often an economic assessment, as it is expensive to have redundant systems.
Examples of robust design are redundant systems, duplicated services, segmented networks, backup designed for crisis recovery, and cloud services that can run independently of on-premise systems.
10. Alternative Services is the IT function’s plan B.
Business continuity plans will describe the wishes for emergency operations based on some alternative services, which must function in everyday life so that they are ready in a crisis.
This can be an alternative communication platform or daily data dumps that can ensure the continued operation of the business. These services can be “dormant” until needed and must again be independent of the shared networks.
This corresponds to the fact that lists were printed out every day in the past so that they could be used in a crisis. You can still do that, but time has passed since this approach became popular, as it is too resource-intensive and often does not solve all your needs.
Cybersecurity prerequisites – Blue boxes: the daily operations
The blue fields are the areas that belong to the company’s daily operations. This entire area aims to prevent incidents from developing into crises.
5. Operations consists of:
- Business processes are normal business operations. If something hinders these processes, you can implement Business Continuity plans.
- Processes for common incidents (Incident Processes) deal with common and often local problems. For example, an employee’s computer may not be working.
- Processes for significant incidents (Major Incident Process) can be used, for example, when many computers in the company do not work or several critical systems are affected.
You can see a scale from one to five on the left side of the model. It is a scale for the severity of the incident, where one is the most critical. The most severe event in the IT operations organisation is called a Major Incident. One or more significant incidents will often draw on all the resources an IT department has available, which means that the average service level drops noticeably.
When a serious incident occurs, the IT department immediately tries to solve the problem by all conceivable means. If this proves impossible, crisis management steps in and takes control of the situation. Notifying crisis management of all significant incidents saves time.
The company’s IT manager will typically also hold the role of IT crisis manager, and thus decides whether there is a crisis.
Red boxes – Crisis Management
The red boxes are about the part of corporate resilience that is activated the moment an incident has escalated into a crisis.
This includes areas such as:
2. IT Crisis Management
This is the IT department’s crisis management and is a layer on top of the Major Incident. They run a war room with a clear division of roles following a structured agenda. They often bring in more resources and make decisions with a prepared mandate. This is where they create and maintain the extensive overview, and there will usually be roles representing HR, communication, coordination, business management, and facilities.
This team coordinates long-term efforts, prioritises them, and communicates them to all stakeholders. IT crisis management can obtain support from outside specialists to handle the situation and take responsibility for deviations from policies and guidelines.
3. IT Service Continuity
This concept is almost unknown to many, and it can only be defined and implemented in close cooperation with business management. Emergency operation differs from redundancy: alternative systems or data extracts often provide availability in other ways. If those fail, the fallback can be a spreadsheet ready to replace the quality management system.
You often only need a limited amount of data to lead your business forward in a crisis, but this data is vital. It may be possible to deliver goods from a warehouse with a pen and a pad, but it will take a long time to import this data when the systems return. Therefore, an alternative digital solution is often better to avoid significant backlogs.
4. Business Continuity
These plans describe how the business will continue if you suddenly cannot continue operations through your everyday business processes. Someone other than the IT department who knows the work processes will prepare these plans. They know their own area’s daily routines, needs, and rules. It is often those who are responsible for processes and business areas who are responsible for preparing business continuity plans.
Business continuity is often used as an umbrella term for crisis management. But that’s just one area of overall corporate resilience. Whatever you call it, be specific.
1. Corporate Crisis Management
This is the entire organisation’s crisis management. If IT is down, it can drag the whole company down, and the entire company is in crisis. Then, the IT crisis management, with the IT director at the end of the table, resolves the IT crisis, while the overall crisis management is handled here. Here, it is usually the CEO who sits as the crisis manager.
This plan is not limited to IT incidents but can also accommodate war, extreme weather, pandemics, etc. However, an IT crisis will very often activate the entire company’s contingency efforts. Therefore, the two crisis teams must cooperate closely and well.
Cybersecurity prerequisites: Testing the plans
You should test all plans regularly with realistic and challenging scenarios. To make the testing as concrete and specific as possible, test the plans individually.
Preparing a test plan that extends over three years is a good idea, as it is often only possible to test some plans within 12 months.
You must adapt the testing of the plans to a specific purpose and have an appropriate level of ambition. It is essential that concrete learning comes out of the tests, and therefore, it is advantageous to create a test plan that increases complexity as you improve. It could be in these steps:
- Peer review of the plan. If your colleagues do not understand the plan, it needs correcting. The plan is read through and adapted by someone with sufficient professional knowledge.
- Scenario-based simulation. The plan is tested in a simulated incident and adapted for the company. Actions are limited to being described and not implemented.
- Technical testing. Here, the experts test the parts of the plan that will not negatively affect the company’s operations. It can be a test of an SMS crisis communication tool, a failover of individual redundant systems, or contact with suppliers.
- Operational testing. Here, they try out a scenario as close to reality as possible. They re-establish systems, contact business partners, and evaluate employees during a fire drill. This incurs significant costs and risks, so they plan it carefully and well in advance. Often, they will test the elements in a live test at level 3 before including them in the exercise.
Cybersecurity prerequisites: Advice and the human aspects
When a crisis arises, it is often necessary to control the course of the battle with a military mindset.
You have to run fast. Leaders must make decisions with a firm hand, and employees must make an extra effort. Therefore, one must also consider the human aspect of the crisis.
Often, an attack pushes people very hard for a long time, perhaps around the clock. Therefore, they will no longer be able to sustain the momentum at some point. The HR function will safeguard employees’ well-being and prevent stress and a bad working environment. It is also important to remember that most employees have no contractual obligation to work extraordinarily in a crisis. You must handle this carefully.
Demant and Mærsk are examples of companies where a cyber attack hit, lasted for several months, and some systems never recovered. The employees also do not forget how hard it was to be part of the incident, and the handling becomes part of the company’s future image.
Don’t pave the road while you are driving it.
Corporate resilience must be established before a cyber attack occurs.
Building your corporate resilience takes time, and you only have a little of that when attacked.
The time you spend preparing and making plans directly reduces the time it takes to recover after a cyber-attack. The decisions you must make under tremendous time pressure are often tricky, so it’s better to have these discussions before the incident occurs. Thus, the pace during a cyber-attack can increase, and there is less insecurity as you can adhere to well-known frameworks.
If you seek inspiration for good contingency planning, look toward the Defence, the Rescue Services or general First Aid. Here, experts test methods in life-threatening situations and adapt them through generations. Use their operational experience and notice how simple and concise the methods often are.
Recommendations for inspiring reading material:
- The Checklist Manifesto, Atul Gawande
- Battle Mind. At præstere under pres, Merete Wedell-Weddelsborg
- First aid, redcrossfirstaidtraining.co.uk/
- Five-paragraph order, United States Army.
What you can do today
Having read this article, you now understand the different cybersecurity prerequisites central to building organisational resilience. But remember, knowledge is power, and sharing it expands that power rather than diminishing it. With this in mind, our immediate recommendation is to begin by focusing on these simple steps:
- Share your knowledge to establish a common understanding,
- Identify and commit to areas relevant to your organisation,
- Develop a strategic plan for addressing your selected capabilities to ensure effective execution across corporate resilience.
Our experts can help you
Contact our experts now to make the best of corporate resilience and contingency planning!