Many business continuity practitioners are perceiving a higher level of risk than ever before in their careers. Unfortunately, these risks are more often resulting in real incidents which require emergency response and continuity of operations. Being prepared may be the most important thing an organization can do in 2018. But what should we prepare for, and how should we prepare for it? This discussion will walk through some of the emerging threats, concepts, tools, and techniques that business continuity professionals can expect to see more of in 2018.
Main points covered:
- What should we prepare for in 2018?
- How should we prepare?
- The emerging threats, concepts, tools, and techniques expected in 2018
- Emerging threats creating new risks
Presenter:
David Feeney, CPP, PMP has 17 years of security industry experience assisting organizations with risk management matters specific to physical, personnel, and cyber security. He has 9 years of experience with service providers and 8 years of experience within enterprise security organizations. David has worked with industry leaders in the energy, technology, healthcare, and real estate sectors. Areas of specialization include Security Operations Center design and management, Security Systems design and implementation, and Enterprise Risk Management. David holds leadership positions in ASIS International and is also a member of the InfraGard FBI program. David holds Certified Protection Professional (CPP) and Project Management Professional (PMP) certifications.
Andrea LeStarge, MS has over ten years of experience in program management, risk analysis and curriculum development. Being specialized in Homeland Security, Andrea leverages her experience in formerly managing projects to support various Federal Government entities in identifying, detecting and responding to man-made, natural and cyber incidents. She has an established track record in recognizing security gaps and corrective risk mitigation options, while effectively communicating findings to stakeholders, private sector owners and operators, and first-responder personnel within tactical, operational and strategic levels. Overall, Andrea encompasses analytical tradecraft and demonstrates consistent, repeatable and defensible methodologies pertaining to risk and the elements of threat, vulnerability and consequence.
Organizer: Nevila Muka
Date: January 17, 2018
Link to the recorded webinar:
The digital revolution is driving business innovation and growth, yet also exposing users to new and emerging threats.
Exciting technological innovations bring fantastic opportunities:
- Driving down costs;
- Increasing integration; and
- Driving efficiencies.
But opportunity brings risk:
New avenues of exploitation mean businesses have a greater exposure to cyber attacks than ever before.
Looking deeper into likely trends:
New technology
YOU
The increasing prevalence of cyber attacks means that new techniques and tools are needed
New Technology = New Threats
{Dave will go first; Andrea second.}
Hello everyone.
My name is Andrea LeStarge.
I am a Manager at Deloitte and I have been with the Firm for almost three years.
Within the Firm, my specialty is to advise clients on cyber and physical risk components (and that encompasses threats, vulnerabilities, impacts, mitigation measures).
I work primarily in the Energy sector. My secondary industry is the public sector where I advise clients on strategic and operational plans aimed at responding to significant cyber events.
Prior to joining the Firm, I worked in the Federal and State landscape. I taught physical and cyber risk, how to conduct assessments, how to analyze and create / disseminate intelligence products, and other homeland security topics like suspicious activity reporting. I specifically entered into this landscape as an intelligence analyst and eventually grew to managing a statewide fusion center. Fusion centers were created in every state after the terrorist attacks on the World Trade Center on September 11, 2001. Fusion Centers are basically security operational centers that house several professionals from various Federal, State, local governments and critical infrastructure sectors – all focused on sharing information and investigating leads and possibly cases in an effort to protect the homeland.
I’m excited to be with you for the next hour and look forward to your questions and comments.
{Dave}
Today’s presentation is titled “Trends;” specifically we’re concentrating on some of the threats that are trends within BC. Everything we’ll be talking about is, in our opinion, an emerging or persistent trend to BC. With that said, today’s topics will include (review)
*Please note, throughout this presentation, we do refer to statistics centered on North America, and specifically the United States; we don’t anticipate that these numbers are far-off from other countries’ experiences.
{Andrea}
So to begin, let’s level set on our terminology.
As mentioned in my short recap of my bio, I’m really big on the methodology of analyzing risk.
According to the US Department of Homeland Security – and let it be known that many public and private agencies also use this methodology – in order to truly calculate risk, one must analyze threats, vulnerabilities and consequences (or impacts).
There is a laundry list of possible scenarios of concern. Threats can be either manmade, cyber-related or weather induced (i.e. natural disasters). Threats can be either purposeful or accidental.
What threats we should really concentrate on are those that would be successful because of known vulnerabilities. Vulnerabilities are weaknesses in structure, processes or technologies.
When a vulnerability enhances the adversary’s capability of deploying his/her intended threat, the likelihood of the threat is enhanced.
Vulnerabilities are also inter-related with consequences or impact. One can prioritize the existing vulnerabilities with thinking about the consequences if the threat was successful – would it harm people? Would business processes be shut-down? Would there be a psychological effect? Consequences are often the hardest to calculate, but are often the element within the risk formula that keeps us up at night.
Finally, there is also a benefit of looking through the lens as the bad guy. Psychologically speaking, adversaries often want the “biggest bang for the buck.” S/he is not going to deploy a threat that will not be successful because there are no weaknesses. Likewise, s/he is not going to deploy a threat that will not result in a large impact – in other words, the resulting impact better be worth the risk to the adversary of getting caught, arrested, or even harmed or killed. This all relates to the intent of the adversary. Overall, the intent of the adversary is correlated with the consequences.
Now, I realize that the topic of today’s presentation is “2018 trends in Business Continuity.” Interestingly, the relationship between Risk Management and Business Continuity is under scrutiny so in actuality, this terminology slide / topic is perhaps the baselining trend of BC in 2018.
The process of conducting Business Impact Analyses (or BIA) is not the same as Risk Management, but what we just discussed is important because you would not want to conduct a BIA on an unlikely Threat because of non-existing or less-prioritized Vulnerabilities or on threats that would result in little impact and therefore appeal to the adversary.
In sum, though the words of “Business Continuity” and “Risk Management” are not synonymous, conducting a BIA is dependent upon a successful and appropriate risk assessment. With this said, BIAs should focus on RISKS that are RELEVANT.
{Andrea}
This next slide helps us dive deeper into the “who, what and how” of Adversaries and we’ve specifically concentrated on the cyber (versus physical) landscape.
In the security community, there’s been talk for years about the need to focus more on “IT risk”, or to “align security with the business,” or to “measure the value of security.”
Some organizations have done very well with this, but on the whole there is still a lot of confusion about how to make that happen – and we believe this is primarily because the ownership for cyber risk has remained primarily in the Tech sphere.
While executives and – increasingly – Board members are very concerned to know what’s going on, the programs themselves have continued to be delegated to technology leaders.
To manage IT security from a cyber RISK perspective, though, means that it has to be taken on as a business problem. In other words, BC must become an executive-driven program.
Don’t take this as Dave and I stating executives must suddenly become cyber security experts. Instead, we suggest that executives need to lead the discussion about:
- Who might be motivated to attack us? – Intent of Adversary from the last slide
- What could REALLY hurt the business? – Prioritizing consequences = CIA Model. Confidentiality, Integrity and Accountability
- How much risk are we really willing to accept? – and give directives that shape the program *This is crucial – there has to be SOME acceptance of risk.
Once these questions are answered, then the entire organization can rely on technologists to figure out what kinds of tactics adversaries might use, and how to guard against or monitor for those indicators.
Also in line with the Business Continuity program, the program itself needs to utilize several different disciplines. Different types of business risk will likely require weighting or prioritizing these areas differently. For some types you may rely more heavily on traditional or modernized security controls. On the other hand, there may be highly risk-sensitive parts of the business that will require extra investment in monitoring infrastructure, or assignment of threat intelligence teams to analyze indicators of compromise. Similarly, other parts of the business may require strong “resilience” components – these would be well-defined and rehearsed incident response plans, redundancy infrastructure and disaster recovery capabilities – or you may decide that cyber insurance is an important part of your recovery plan.
{Andrea}
Up to this point, we’ve stated the importance of analyzing threats, vulnerabilities and consequences. And we’ve also acknowledged the benefit of asking ourselves “who would harm us, what would they do to harm us and how would they harm us?”
Honing in on the risk formula’s element of THREAT, we acknowledge that a persistent trend in business continuity for 2018 is the new technologies that we all face. What are those new technologies? Well, we’ve included some examples in the yellow dots – using cloud services or allowing employees to bring/use their own mobile device.
Granted these innovations bring fantastic opportunities for us as business owners/operators – new technologies drive down costs, increase integration and drive efficiencies. But, we must acknowledge the risk that new technologies also bring. Technology could be the deployment mechanism of a threat actor and/or the vulnerabilities that Threat Actors could take advantage of to bring about negative impacts to our organizations. In other words, new technologies do bring new avenues of exploitation and as a result, organizations must acknowledge their potential increased exposure to cyber-attacks.
So let’s fully transition to the threat of cyber – and Dave, I’ll hand the microphone over to you …
{DAVE} Let’s take a look at some of the real-world cyber events…
Data Breach
Ransomware
Phishing
Data Loss/Insider Threat
Vulnerability Mgmt. (“the basics”)
Highlights are about Threats and Vulnerabilities within the cyber landscape.
It’s interesting that there is so much good attention paid to cyber risk mitigation efforts, but the lesson learned when a cyber incident occurs is often that a very basic action could have prevented the attack from occurring in the first place.
So, let’s not lose track of basics = spend the time on training and
{Dave}
We’ve heard it said, there are two types of organizations - those that have been breached and those that have been breached and don’t know it.
Read stats.
{Dave} It is obvious the need for Cyber Risk Services is growing. Attacks and breaches are more and more common and the methods of attack are ever-changing.
Some notable statistics include 229 as the average number of days before an infiltration/breach is detected.
And that the Healthcare industry has the most breaches by far at 63% of all breach incidents.
SOURCE: Ponemon Institute, Cybersponse, 2018
https://cybersponse.com/dont-be-a-statistic-these-numbers-are-scary
{Dave} Manufacturers of widgets not cyber experts.
{Dave} Two-sided perspective: Manufacturer = Should ensure this; Purchaser = Should verify that these are in place and if not, that’s an accepted risk
{Andrea} Solution! Training. Example = https://www.asisonline.org/About-ASIS/Who-We-Are/Whats-New/SiteAssets/Pages/Soft-Target-and-Active-Shooter-Resources/Appendix%20D.pdf
{Andrea} In this slide we talk about the convergence of trends.
First, we have the physical and cyber convergence. In the previous slides, we’ve separated cyber and physical trends, but in this slide we acknowledge the convergence of these trends. A great example is NERC’s 3 out of 14 Critical Infrastructure Protection Requirements.
*Transition to Dave*
{Dave talks about the second and the third examples of convergence}
{Dave}
{Andrea}
BC professionals need to concentrate on the ENTIRE spectrum of planning:
Resilience is after-boom. Resilience is a measure of “it happened – now what? Are you totally crippled or can you minimize impact and start the clock again, and soon?”
Impenetrability is before-boom.
Our PPT today acknowledges several trends where the threat is going to happen, it’s a matter of when. So, place your BC efforts into planning for emergency response AND impacts to business process(es).
Many want to keep these two elements separate, but we can acknowledge that many words within this word bubble are synonymous with BC programs.
**Dave, I know it’s traumatic, but you had an experience in this topic, do you mind sharing with the team here?
Incidents are becoming more critical – be quick and efficient in your response in order to best reduce the impact of the incident.
{Dave}
*Six Sigma at many organizations simply means a measure of quality that strives for near perfection