How to Make Business Practices That Support Cybersecurity Response
Scottish writer Robert Burns wrote in the poem “To a Mouse,” “The most effective schemes laid out by mice and men. The gang aft of a-gley.” It is possible to recognize the expression in its more popular form, “The best-laid plans of mice and humans often fail.” The planning process must include understanding how your business practices will affect your response to cybersecurity.
This phrase could be a source of inspiration for the incident response team, business continuity planners and crisis managers. They are aware that every plan is ineffective after the first shot has been fired. However the former president Dwight D. Eisenhower said, “In planning for battle I’ve always concluded that plans are not useful and planning is essential.” In order to be prepared start by understanding what business practices and procedures could impact the response, and then create an system of governance that helps to build a strong company.
Plans for incident response alone do not suffice. Responders and planners must learn more about how their company operates in general. This allows planners to identify areas, like practices and procedures which could cause consequences that can cascade throughout the response.
Consider this planning as a kind of system design method like the principles of the NIST 800-160 but from a business-process standpoint.
In other words, what is the point of a solid incident response system if the commercial practices impede it, reduce its efficient or hinder it from functioning? On paper, and maybe even on its own your cybersecurity plan could be excellent. However, in reality, when it is running alongside the rest of your business it’s an additional process that can stop abruptly.
Does Your Program Make Sense for Your Needs?
An incident response program has to be flexible, yet remain structured while maintaining structure. Otherwise, it can become an unstructured Wild West of decision authorities protocol, escalation protocols and a lack of communications.
If the company isn’t small, centralized control usually isn’t a good idea. Centralized control can be inefficient (suffering from communication issues) and could be too distant from the event to make informed decision.
You should instead bring the two groups together. Consider it as an constitution which guides the program, by defining the lanes and cooperating. Models that are not in harmony could result in a degraded response.
Here are some frequent hiccups with harmonization
- Policy and practice don’t necessarily align
- It is not possible to integrate planning requirements with the organizational structure
- Responsibilities and roles are not easily defined or clearly marked.
- The process and the asset identification has not been identified , or maintained.
- Assets and processes don’t have dependencies defined
- Priorities for business compete or are in conflict with security benchmarks due to the fact that each step is being carried out on its own or in silos
- Resource misalignment or unavailability
- Monolithic, reactive bureaucratic structures hinder the process from changing and make it difficult for processes to adjust.
When Planning Meets Real-World Processes
It is assumed that you have a robust cybersecurity plan and trust in the way it responds to threats. On its own, it tests well. What happens when it is integrated into the system?
Take this for instance incident response’s success is dependent on inputs from an additional process (a dependence) that is not within the cybersecurity domain. There is always an “ingestion source” from which the issue begins. This could be any of the following that is the Security Operations Center or a third-party. Let’s say that it’s customer service.
Imagine your company provides technological services. You might not have noticed any unusual indicators yet, but your customers are complaining about poor service. The usual procedure is to contact your customer service team.
What happens when the customer service process isn’t working? In this instance, it could be a bad customer experience (e.g. having to fill out a lengthy form, not being able to get an answer on the phone and a faulty ticketing system and so on.). In this instance it is possible that the problem won’t be discovered until later, since one of the main source of ingestion is clogged up.
What happens when you overwhelm the source of ingestion? What is the place where the response will be directed? The ‘clog’ (symptom) or the illness, in this instance an attack?
It’s the right time to adopt a non-cyber business practice that has downstream consequences.
Moving Upstream and Downstream
Such issues may extend beyond those working on cybersecurity. This is the way working as teams works. The mapping of upstream and downstream procedures and practices can identify areas that can improve or hinder cyber security.
Potentially, threat actors have been aware of the vulnerabilities of your customer service (poor practice). They could exploit these bad practices for their own gain. Support for customers, for instance could be a way to the use of social engineering to focus on your customers and overpower your plans in place to handle customer support.
How can you minimize the harm?
Which Business Practices Impact Incident Response?
In the first place, understanding each possible process, vector and response that can affect your response will take up excessive resources. This is a mistake and will not give you a decent return on your investment. However, you can plan for the most commonly played kinds. Imagine placing yourself in twenty in a good standing’. Start from a place that is strong.
Let’s suppose that you have a solid governance structure and an incident response plan in place. What’s missing? Trouble spots may include:
- Sources of ingestion not known
- Non-cybersecurity practices that are not secure or methods
- Information that is shared (e.g. excessive open-source data) opens the way to attacks by social engineering
- Insufficient sharing of information (e.g. practices or procedures are not comprehended) leading to blind areas
- Uses of conflict to bypass security measures
- Processes do not have dependencies or are designed in isolation of their impact on business.
It is true that you might have numerous “unknown unknowns” which need to be converted into ‘well knowns’. In the end, you must gain a better understanding of the ways in which your practices and procedures will affect the cybersecurity response. This means a little research (knowing the industry) and being innovative (thinking as an actor in the threat).
Defining Impact Categories
When you’re sure of the quantity of famous names The next step is to conduct a quantitative and qualitative analysis. To accomplish this you’ll need criteria and categorization relating to the impact. There are a variety of categories that could be used, including:
- Regulatory and Compliance
- Internal Operations
- External Operations
- Health and Safety.
Each organization has its own impact areas. Find them in relation to your business processes. You are not only improving your cybersecurity by performing this exercise, you’re also improving your response to hazards.
Do you remember the issue with customer service that we discussed as an illustration? If we could map processes and assets accurately We would be able to determine the people and things that are affected and what kind of effect will be the result. We can determine which aspects are the most important from both quantitative and qualitative viewpoints.
Perhaps your cybersecurity response procedure is dependent on the customer service method (an ingestion source and dependence). This could impact internal processes if customers are unable to not contact your team. In addition, add a malicious actor who knows about these issues and the threat is increased.
Also Even if you can’t determine how your business and cyber processes are linked however, they’re still in existence. It’s a lot like the data lifecycle continuum that we have discussed previously. If you don’t take action in this regard, then the repercussions from an incident or mistake may be greater than it needs to be.
So Now What?
We’ve identified a lot of issues and challenges. So, how do you overcome these issues? Here are some suggestions and suggestions:
- Create a system to locate and keep track of business process identification and then create process mapping. You might be surprised by what you discover. What you thought was important might not be so in the slightest, and something you thought wasn’t connected could be crucial. Bonus points if it is possible to integrate this approach into any of your records systems that will automatically and regularly perform maintenance and updates.
- Create impact categories, along with related escalation requirements, that meet your company’s needs and processes. The generic criteria, as well as those that do not have thresholds leave a lot for interpretation and may confuse your response. The quantitative and qualitative thresholds are essential to weed out the gray areas (e.g.”significant” financial risk versus a loss of $500,000 daily).
- Conduct business impact analyses (BIAs) of your procedures. The BIA will not be able to identify what business practices can be exploited by hackers however you can discover the processes that are at risk because of their actions. This is all part and parcel of discovering and understanding your company.
- Look at this world from the perspective of your customers. Of course, the majority of companies do this for reasons of marketing and expansion. But do you think about this from an incident response point of view? The good news is that the past two years of disruption have forced companies to adapt to disruption. If you decide to adopt this method it is making it mandatory for your security and business teams to collaborate and share information.
When Plans Meet the Enemy
The most important thing is to conduct an audit of your processes and practices. There may be great strategies and policies written down however they could be excessively strict or restrictive and therefore impossible to follow or implement. You may also have a weak link in your business policy that could take over your entire organization in one swift swipe.
Security and data security generally is a normal business procedure in the present. Thus, the cybersecurity procedure should be integrated alongside other processes to identify weak points, vulnerabilities and even ways to increase opportunities for business growth. Make your best-laid plans worth it.