Business Continuity and Cyber Incident Response: Strategies for Maintaining Operations and Security
This paper explores business continuity planning and cyber incident response, focusing on strategies to maintain operations and security during disruptive events. It examines two scenarios: a sprinkler system triggering in a server room and a malware infection on a workstation.
Gage Olson
6/12/2024


According to the Business Continuity Institute, business continuity is about having a plan to deal with difficult situations, so your organization can continue to function with as little disruption as possible. Essentially, it is a system of prevention and recovery from potential threats.
When a business is disrupted and users or customers cannot reach its resources, the cost grows with every hour it takes to return to normal operations. Having a plan in place that protects personnel and assets and lets them resume work quickly after a disaster is key. Looking at two scenarios, I will discuss short-term solutions for the displacement of employees, processes, and hardware, propose a failover solution along with the requirements for implementing it, and rank the three tenets of the confidentiality, integrity, and availability (CIA) triad in order of importance as they relate to each incident.
The first scenario is that the sprinkler system in your building has been triggered. There is no fire, but the sprinklers are currently going off in the server room. There are a few short-term solutions available for the displacement of employees. Ideally, I would equip employees with laptops and a VPN connection protected by multi-factor authentication and have them work remotely from home, making sure they have every tool they need and remote access to the required files and systems. If remote work is not an option for some or all employees, I would recommend an alternative job site, such as co-working space at another company or a rented office. In either case, I would make sure the space was equipped for the needs of the business, whether that means Wi-Fi, computers, meeting rooms, or something else. I also believe that clear communication is key during such an incident. It is going to be hectic, but solid communication keeps every employee up to date on the status of the recovery and the temporary workplace.
As for processes and hardware, there are also a few solutions. The first step is to cut power to the affected racks safely; wet, powered equipment should not be handled. Hardware then needs to be assessed for damage, and critical hardware prioritized for replacement. Temporary measures may be needed, and virtual machines might stand in for non-critical machines until permanent replacements arrive. I would also want to evaluate the integrity of the data stored on the physical devices within the server room. If that data is not salvageable, it can be restored from offsite backups, after the backups themselves have been checked against their recorded hashes so that a corrupted copy is not restored as if it were good. None of this works without rerouting communications to the redundant systems to maintain operational continuity, so cloud-based storage and a temporary network may have to be configured, with the same access controls as the systems they replace. I would also contact the vendor I plan to purchase the new equipment from about expediting the order.
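The backup check mentioned above, as an added example that is not part of the original article: every file in the backup set is hashed into a manifest sealed with an HMAC, and before a restore the recovered files are compared against that manifest so corrupted or missing files are caught, and a manifest that was rewritten to match corrupted data is rejected. The key, file names and contents below are constructed for the example (an in-memory dict of filename to bytes, so it runs offline); the same logic applies to files on a restored volume.

```python
"""Verify a restored backup set against a hash manifest before using it.

Added example, not from the original article. The backup set, the
manifest key and the file contents below are constructed for the example
(a dict of filename -> bytes, so it runs offline); the same check applies
to files on a restored volume.
"""
import hashlib
import hmac
import json


def build_manifest(files: dict[str, bytes], key: bytes) -> dict:
    """Record the SHA-256 of every file and seal the list with an HMAC, so a
    manifest altered alongside the data cannot vouch for the altered data."""
    hashes = {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())}
    body = json.dumps(hashes, sort_keys=True).encode()
    return {"files": hashes, "mac": hmac.new(key, body, "sha256").hexdigest()}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    """True if the manifest's HMAC matches its file list (constant-time compare)."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def verify_backup(files: dict[str, bytes], manifest: dict, key: bytes) -> dict:
    """Classify each file as intact, corrupt, missing or unexpected.

    Raises ValueError rather than returning a report when the manifest itself
    fails its MAC: a report built from an untrusted manifest is worthless.
    """
    if not manifest_is_authentic(manifest, key):
        raise ValueError("manifest MAC mismatch; do not trust this manifest")
    report = {"intact": [], "corrupt": [], "missing": [], "unexpected": []}
    for name, digest in manifest["files"].items():
        if name not in files:
            report["missing"].append(name)
        elif hmac.compare_digest(hashlib.sha256(files[name]).hexdigest(), digest):
            report["intact"].append(name)
        else:
            report["corrupt"].append(name)
    report["unexpected"] = sorted(set(files) - set(manifest["files"]))
    return report


def safe_to_restore(report: dict) -> bool:
    """Restore only a complete, intact set; a partial restore silently mixes
    good and bad data."""
    return not (report["corrupt"] or report["missing"])


# Constructed sample data (not real backups).
KEY = b"example-manifest-key"   # assumption: in practice kept offsite with the manifest, not in code
ORIGINAL = {
    "db/customers.sql": b"CREATE TABLE customers (id INT, name TEXT);",
    "db/orders.sql": b"CREATE TABLE orders (id INT, customer_id INT);",
    "config/app.yaml": b"listen: 0.0.0.0:8443\n",
}
MANIFEST = build_manifest(ORIGINAL, KEY)

# What came back from the offsite copy: one file truncated, one file missing.
RESTORED = {
    "db/customers.sql": ORIGINAL["db/customers.sql"],
    "db/orders.sql": b"CREATE TABLE orders (id INT, cu",
}

# A manifest that an attacker (or a bad sync) rewrote to match the truncated file.
TAMPERED_MANIFEST = {
    "files": {**MANIFEST["files"], "db/orders.sql": hashlib.sha256(RESTORED["db/orders.sql"]).hexdigest()},
    "mac": MANIFEST["mac"],   # the old MAC no longer covers the edited list
}

if __name__ == "__main__":
    report = verify_backup(RESTORED, MANIFEST, KEY)
    print(json.dumps(report, indent=2))
    print("safe to restore:", safe_to_restore(report))
    print("tampered manifest authentic:", manifest_is_authentic(TAMPERED_MANIFEST, KEY))
```

The design point is that the manifest must be stored and keyed separately from the data it describes; a manifest kept on the same flooded disk, or one that anyone with write access to the backup share can regenerate, proves nothing.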
A failover solution provides automated redundancy and continuity of operations when components fail. Failover systems switch rapidly to standby components or a backup data center with minimal service interruption during an incident. The best failover solution here is an offsite data center built on cloud-based infrastructure that mirrors the server room: the system detects the failure and automatically redirects traffic to the offsite site. Real-time data replication and ongoing maintenance of the standby environment keep it as current as possible, and the failover logic should confirm that replication is within the recovery point objective before it promotes the standby, since switching to a copy that is hours behind quietly trades an availability problem for an integrity problem.
The requirements for implementation cover several areas: infrastructure investment in hardware and software for the offsite data center and cloud services; software for data replication and monitoring; a high-bandwidth network connection to carry the traffic once it is switched; and, above all, IT expertise to manage the chaos that follows an incident of this kind.
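The failover decision described above, as an added example that is not part of the original article: a controller that only promotes the standby after several consecutive failed health checks (so a single dropped probe does not flip traffic back and forth), and only when the standby is itself healthy and its replication lag is within the recovery point objective. The probe format, the failure threshold of three and the 30-second lag limit are assumptions chosen for illustration; a real deployment would take them from the continuity plan and its monitoring system.

```python
"""Failover decision logic for a primary site with a replicated standby.

Added example, not from the original article. The probe format, the
failure threshold and the replication-lag limit are assumptions chosen to
illustrate the policy; a real deployment would take the limit from the
recovery point objective in the continuity plan and the probes from its
monitoring system.
"""
from dataclasses import dataclass, field


@dataclass
class Probe:
    """One round of health checks against both sites."""
    primary_healthy: bool
    standby_healthy: bool
    replication_lag_s: float   # how far the standby's data trails the primary


@dataclass
class FailoverController:
    consecutive_failures: int = 3        # probes the primary must fail before acting (avoids flapping)
    max_replication_lag_s: float = 30.0  # assumed RPO: never promote a standby further behind than this
    active: str = "primary"
    failure_streak: int = 0
    log: list = field(default_factory=list)

    def observe(self, probe: Probe) -> str:
        """Apply one probe and return which site should be serving traffic."""
        if self.active == "standby":
            # Failing back is deliberately not automatic: the rebuilt primary
            # must be verified and resynchronised first.
            return self.active
        if probe.primary_healthy:
            self.failure_streak = 0
            return self.active
        self.failure_streak += 1
        if self.failure_streak < self.consecutive_failures:
            self.log.append(f"primary unhealthy ({self.failure_streak}/{self.consecutive_failures}); waiting")
            return self.active
        # Threshold reached. Promote the standby only if it is up and within RPO;
        # a stale standby would turn an outage into silent data loss.
        if not probe.standby_healthy:
            self.log.append("primary down but standby unhealthy; cannot fail over")
            return self.active
        if probe.replication_lag_s > self.max_replication_lag_s:
            self.log.append(f"standby lag {probe.replication_lag_s:.0f}s exceeds RPO; holding")
            return self.active
        self.active = "standby"
        self.log.append("failed over to standby")
        return self.active


def run_probes(probes: list[Probe], **settings) -> tuple[str, list[str]]:
    """Feed a sequence of probes through a fresh controller; return the final
    active site and the decision log."""
    ctl = FailoverController(**settings)
    for p in probes:
        ctl.observe(p)
    return ctl.active, ctl.log


if __name__ == "__main__":
    # Constructed probe sequences: a flapping primary, a real outage, and an
    # outage where the standby has fallen far behind.
    flap = [Probe(False, True, 2.0), Probe(True, True, 2.0), Probe(False, True, 2.0)]
    outage = [Probe(False, True, 5.0)] * 3
    stale = [Probe(False, True, 900.0)] * 3
    for name, seq in [("flap", flap), ("outage", outage), ("stale standby", stale)]:
        print(name, "->", run_probes(seq))
```

The "holding" branch is the one worth arguing about in a tabletop exercise: it keeps the site down rather than serve stale data, which is the right default for a system of record and the wrong one for a static website, so the lag limit should be set per system rather than globally.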
As for the CIA triad, I would rank the tenets in this order: availability, integrity, and confidentiality. The primary concern is the availability of data and systems to employees and customers, because there is a severe risk of disruption to the business from destroyed hardware and potentially destroyed data. Getting systems back online is crucial for business continuity, so I would begin with the critical systems and work through the rest until everything is restored. Integrity comes next, because water can in fact corrupt data stored in the affected server room; it is important to confirm that data is accurate during recovery and that backups are verified before they are put in place. Confidentiality is my least concern, since this is not an active security breach and the data is not at risk of being stolen. It should still be kept in mind as temporary solutions are implemented at speed: water-damaged drives that leave the building for replacement or disposal still hold data and need to be wiped or destroyed, and the temporary cloud storage and network need the same access controls as the systems they replace.
The second scenario is that a user reports their workstation is locked and displaying a picture of a snowman. They disclose that right before this happened, they started playing music from a personal USB drive. A locked screen of this kind, appearing immediately after untrusted removable media was connected, is a strong indicator of malware on the workstation. The most important initial step is to disconnect the workstation from the network so that the malware is contained to that machine; you do not want anything to spread to other systems. Unplug the network cable or disable Wi-Fi rather than powering the machine off, so that memory and the current state are preserved for investigation, and keep the USB drive as evidence rather than plugging it into anything else.
There are a few short-term solutions available for the displacement of the employee with the locked workstation. The employee could temporarily be assigned a new workstation. I would make sure the employee has everything they need to continue working. The employee could also elect to work from home, however, that measure could be a little extreme for this scenario.
As for processes and hardware, there are also a few solutions. I would start by re-imaging the workstation from a known-good image to remove any trace of the malware, then restore lost or corrupted data from a backup taken before the infection. Processes that could help prevent a repeat include increased network monitoring to detect anomalies, keeping anti-virus and malware detection tools updated across all platforms, and a policy on personal USB drives in the work environment. That policy should be enforced technically: workstations should block non-business USB storage devices rather than rely on users to follow the rule. I would also recommend employee awareness training covering best practices and what to do and not to do in the work environment. These training sessions should happen consistently and be mandatory for all employees.
The best failover system I could implement would be a robust backup and recovery system with real-time data updates. It would need to cover, at minimum, the critical systems, servers, and workstations. I would also implement enhanced network security, such as advanced threat detection that automatically identifies and isolates compromised devices, and ensure that regular audits are conducted to identify vulnerabilities within the IT infrastructure.
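One concrete form of the detection and automatic isolation described above, and of the USB policy in the previous paragraph, as an added example that is not part of the original article: a rule that correlates a removable-media insertion with a program launched from that drive on the same host shortly afterwards, and emits an alert carrying an isolate action for the host. The key=value log lines are constructed for the example (a simplified endpoint event format, not any vendor's real format); the field names, the 300-second window and the "isolate" action are assumptions.

```python
"""Detect programs launched from freshly inserted removable media and queue
the host for isolation.

Added example, not from the original article. The key=value log lines are
constructed for this example (a simplified endpoint event format); a real
deployment would read its EDR or Windows event source. The field names,
the 300-second window and the "isolate" action are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime

LINE = re.compile(r"^(?P<ts>\S+) (?P<kv>.+)$")
WINDOW_S = 300   # assumption: a program run this soon after insertion is worth acting on


@dataclass
class Alert:
    host: str
    image: str
    seconds_after_insert: float
    action: str = "isolate"   # what the responder (or automation) should do with the host


def parse(line: str) -> dict:
    """Split '<iso timestamp> K=V K=V ...' into a dict; 'ts' becomes a datetime."""
    m = LINE.match(line)
    if m is None:
        raise ValueError(f"unparseable line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    return fields


def detect(lines) -> list[Alert]:
    """Correlate usb_insert with a later process_start from the same drive on
    the same host. State is kept per host, so activity on one workstation
    never triggers on another."""
    inserted = {}    # host -> (insert time, drive letter such as "E:")
    alerts = []
    for line in lines:
        ev = parse(line)
        host, kind = ev["HOST"], ev["EVENT"]
        if kind == "usb_insert":
            inserted[host] = (ev["ts"], ev["DEVICE"].upper())
        elif kind == "usb_remove":
            inserted.pop(host, None)
        elif kind == "process_start" and host in inserted:
            when, drive = inserted[host]
            delta = (ev["ts"] - when).total_seconds()
            if ev["IMAGE"].upper().startswith(drive) and 0 <= delta <= WINDOW_S:
                alerts.append(Alert(host, ev["IMAGE"], delta))
    return alerts


# Constructed sample log: the reporting user's workstation (WS-0142), a host
# whose USB insertion was never logged (WS-0077), and a host where the run
# happened long after insertion (WS-0099).
SAMPLE_LOG = [
    "2024-06-12T08:50:00 HOST=WS-0099 EVENT=usb_insert DEVICE=F: SERIAL=0000AAAA",
    "2024-06-12T09:14:02 HOST=WS-0142 EVENT=usb_insert DEVICE=E: SERIAL=4C530001",
    "2024-06-12T09:14:05 HOST=WS-0142 EVENT=process_start IMAGE=C:\\Windows\\explorer.exe PARENT=winlogon.exe",
    "2024-06-12T09:14:09 HOST=WS-0142 EVENT=process_start IMAGE=E:\\music\\player.exe PARENT=explorer.exe",
    "2024-06-12T09:20:00 HOST=WS-0077 EVENT=process_start IMAGE=E:\\tools\\sync.exe PARENT=explorer.exe",
    "2024-06-12T09:25:00 HOST=WS-0099 EVENT=process_start IMAGE=F:\\setup.exe PARENT=explorer.exe",
    "2024-06-12T09:30:00 HOST=WS-0142 EVENT=usb_remove DEVICE=E:",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.action.upper()} {a.host}: {a.image} ran {a.seconds_after_insert:.0f}s after USB insert")
```

Note the WS-0077 line: an executable running from a USB drive with no recorded insertion is exactly the gap a device-control policy closes, because if unapproved removable storage cannot mount at all, the detection above becomes a backstop rather than the primary control.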
The requirements for implementation include investment in software and hardware and in the training and awareness program. The software is the backup and recovery software, advanced anti-virus and malware detection, and network monitoring tools. The hardware includes the additional machines. Updating the firewall and IPS is still worthwhile for catching any spread or command-and-control traffic, but it is worth being clear that neither would have stopped this attack: malware carried in on a USB drive never crosses the network perimeter, so the controls that would have caught it are endpoint ones, such as device control that blocks unapproved removable storage and endpoint detection that flags executables launched from it.
As for the CIA triad, I would rank the tenets in this order: integrity, confidentiality, and availability. The main concern is the integrity of the machine and its data, since the malware could alter or corrupt the data on the infected workstation. Confidentiality is second, because the malware could read sensitive data and exfiltrate it. Availability comes third: the locked workstation is unusable, but a single workstation can be replaced quickly, while the integrity and confidentiality of the data are what is actually at stake.
References
BCI. (n.d.). Introduction to business continuity. BCI. Retrieved November 11, 2023, from https://www.thebci.org/knowledge/introduction-to-business-continuity.html
Kenton, W. (2010, December 20). What is a business continuity plan (BCP), and how does it work? Investopedia. https://www.investopedia.com/terms/b/business-continuity-planning.asp
Holtzer, D. (2023, September 19). Alternative workplaces: Then versus now. Eptura. https://eptura.com/discover-more/blog/what-is-an-alternative-workplace/
Imperva. (n.d.). Instant failover. Retrieved November 11, 2023, from https://www.imperva.com/learn/availability/instant-failover/
Martins, A. (2019, November 24). How to tell if your computer is infected and how to fix it. Business News Daily. https://www.businessnewsdaily.com/1368-6-signs-computer-infected.html