Last week, Cutover CEO Ky Nichol spoke to Chief Resilience and Control Officer at Santander UK, Mike Butler, about the Bank of England’s important business services framework and how organizations can use it and other principles to better recover from cyber attacks.
Their discussion outlined:
- The key steps of the important business services framework
- How to orchestrate cyber recovery flexibly across teams, technology and automation
- How to strengthen cyber recovery postures, ensuring cyber recovery plans can be exercised
Below are some key takeaways from the session, which you can watch in full at the end of this post.
The first step to better resilience and recovery is understanding your organization
As Mike notes, although the Bank of England’s important business services framework came about due to impacts on the UK financial services sector, the principles it’s built on apply across industries and geographies. He recommends organizations begin to implement its principles by getting a clearer understanding of how their customer interacts with them end to end, from the first interaction to when they’ve completed their journey. For example, a customer withdrawing cash from an ATM, checking their bank balance on their phone or using their card at the point of sale. The point is not to look at different components of your technology in isolation but to understand how they all interact when your customer needs to do something. This can expose vulnerabilities and help you to understand what your most important services are.
Once you’ve tested your recovery, test it again, and again…
Once you’ve created a map of what’s important and the various impact tolerances of different applications and technologies, you can overlay scenarios that could cause a lack of availability, such as DDoS, malware, or ransomware attacks. You can then use structured testing to understand where your exposure is in order to protect against outages but also recover within impact tolerances when there is a breach - encompassing people, locations, and technology to support these efforts.
The most important area of focus is the severe but plausible scenarios that could apply to your important business services. You need to stress those scenarios as much as possible, focusing on mitigating and remediating them. A ransomware attack would be one such scenario, as ransomware has been used to shut down all systems and endpoints and lock up all access in countless organizations.
When planning your response to a situation such as a ransomware attack, you need to consider all recovery options and create a plan that you can test, stress, and gather data on to improve. Building muscle memory within the organization is important so you know that the right people can spring into action when a real breach occurs.
For business continuity and operational resilience professionals, this path of testing and stressing is well trodden, but the difference here is the connectivity of every component that goes towards delivering a service. You’re not testing your ability to recover one application or piece of software, it’s about ensuring the resilience and ability to recover the whole process of delivering a service.
Once you understand your services, what’s the best way to protect them?
There’s no silver bullet off-the-shelf solution to help any organization protect themselves from a cyber attack - every way you might want to protect yourself needs to be bespoke to your organization. However, there is some commonality, such as the need to repeatedly practice and rehearse to build muscle memory. Once you’ve identified the most likely threats to your organization (and some less likely but still plausible ones), rehearse them and make sure everyone in the organization knows their role for if that scenario occurs.
At the most basic level, this is a playbook of who needs to be informed when a breach occurs - regulators, executives, and possibly the police. However, ideally, you would have a full plan that spins off a technical recovery workstream, a communications workstream, and a legal workstream, as well as steps to engage law enforcement and keep senior stakeholders and the board informed and communicate with customers, regulators, and the press. The moments after an attack occurs can be complete chaos if you don’t at least have your approach written down.
Another consideration is where you store your recovery plan. Mike recounted a time when he worked at an organization that had an incident that left them without access to the intranet for several hours. Fortunately, the recovery tools were hosted in the cloud, so they could still initiate their recovery.
The role of automation in effective recovery
Once you’ve decided what you need to do, automation can help your recovery and speed things up. The challenge is that there’s a lot of nuance when it comes to cyber recovery and people are needed to make decisions in the moment. As humans, we’re bad at knowing when it’s our turn to make decisions or get involved, which is why the planning and testing mentioned above is so important. Orchestrating people really helps accelerate recovery and improves post-event review.
“Having the ability to orchestrate people is phenomenal - getting people online and involved at the right time is key.”
- Mike Butler
Cutover’s Collaborative Automation SaaS platform enables enterprises to simplify complexity, streamline work, and increase visibility. Cutover’s automated runbooks connect teams, technology, and systems, increasing efficiency and reducing risk in IT disaster and cyber recovery, cloud migration, release management, and technology implementation. Cutover is trusted by world-leading institutions, including the three largest US banks and three of the world’s five largest investment banks.
To get the full insights from the session, watch the on-demand recording here: