How to Make Business Practices That Support Cybersecurity Response



In his poem "To a Mouse," Scottish author Robert Burns wrote, "The best-laid schemes o' mice an' men / Gang aft agley." The adage "The best-laid schemes of mice and men often go wrong" may be more familiar to you.

Incident responders, business continuity planners, and crisis managers can all relate to this proverb. They are all too aware that once the first shot is fired, any plan could be rendered meaningless. But, as former President Dwight D. Eisenhower noted, "I have always found that plans are useless in planning for battle, but planning is necessary." The first step in being prepared is finding out which operational procedures and processes may have an impact on response. Next, create a governance framework that supports a resilient organisation.

Knowing how your business activities might enhance or degrade your cybersecurity response must be a part of your planning. Plans for incident response alone are insufficient. Planners and responders must have an understanding of how their company functions as a whole. Planners can identify areas, such as practices and processes, that may have a cascading influence during a response by doing this.

Think of this planning as a form of systems design methodology that follows ideas similar to those in NIST SP 800-160, but from the viewpoint of business processes.

Or, to put it another way, what good is a strong incident response process if business practices burden it, reduce its effectiveness, or render it inoperable? Your cybersecurity response might be excellent on paper and even by itself. In reality, it is just another process that could fail, operating alongside the rest of the business.

Does Your Program Make Sense for Your Needs?

An incident response programme must be adaptable while still maintaining structure. Otherwise, fragmented decision-making processes, escalation procedures, and communications create the Wild West.

In most cases, centralised control is unnecessary unless the organisation is small. A centralised approach may be too far removed from the incident for decision-making, and decisions may be delayed by communication lags.

You want to harmonise instead. Think of this as the programme's constitution, outlining the lanes and encouraging cooperation. Models that are out of sync can result in a compromised response.

Here are some typical problems with harmonisation:

  • Policy and practice do not align

  • Planning requirements do not integrate with organizational structure

  • Roles and responsibilities are not well-marked or defined

  • Processes and assets have not been identified or maintained

  • Processes and assets do not have dependencies mapped

  • Business priorities compete or are in conflict with security benchmarks because each process is being performed alone or in silos

  • Resource misalignment or unavailability

  • Reactive, monolithic, bureaucratic systems prevent change and make it hard for processes to adapt.

When Planning Meets Real-World Processes

Suppose you have a robust cybersecurity programme and are confident in its ability to counter threats. It passes tests on its own. But how does it function when you integrate it into the system?

Think about this: the success of an incident response depends on inputs from another process (a dependency) that is outside the purview of cybersecurity. There will always be an "ingestion source" where the issue first comes in. This could be anything, including a third party or a security operations centre. Consider customer service.

Consider that your company offers tech support. Your clients are complaining about poor service, even though you may not have yet noticed any strange signals. They usually get in touch with your customer service department.

What happens, then, if the customer support process is flawed? That might lead to a bad user experience (e.g., filling out a cumbersome form, not getting a person on the phone, an unreliable ticketing system, etc.). In this instance, the incident might not be discovered until much later, because a major ingestion source is completely blocked.

What happens if the ingestion source is overloaded? Where will the focus of the response be? On the "clog" (the symptom), or on the illness, which in this instance is a potential attack?

It's time to use a traditional business strategy: looking at downstream effects.

Moving Upstream and Downstream

These kinds of issues may not be limited to the cybersecurity team. That's just how teamwork operates. Mapping upstream and downstream processes can help you find the places that enhance or degrade cyber response.

Threat actors may even be aware of the weaknesses (poor practices) in your customer service. They may deliberately take advantage of these poor practices. For instance, customer service can be a point of entry for social engineering attacks that target your customers and overwhelm your readiness to respond.

How can the harm be minimised?

Which Business Practices Impact Incident Response?

First and foremost, trying to know every potential vector, process, and reaction that can affect your response will use up too many resources. It's dumb, and you won't see a good return on your investment. Nonetheless, you can be ready for the most typical ones. Think of it as putting yourself "within the 20," in a position to score well. You start out in a strong position.

Assume you have an effective incident response plan in place and a solid governance framework. What is lacking? Potential problem areas include:

  • Ingestion sources not identified

  • Poor non-cybersecurity business practices or processes

  • Oversharing information (e.g., too much open-source information) and opening the door to social engineering attacks

  • Under-sharing information (e.g., practices or processes are poorly understood), creating blind spots

  • Practices conflict with or circumvent security measures

  • Processes are missing dependencies or developed in isolation from business impact.

In essence, you might need to convert a lot of "unknown unknowns" into "known knowns." The bottom line is that you must have a better understanding of how your operational procedures and business practices will affect your cybersecurity response. That requires some research (understanding your industry) and creativity (thinking like a threat actor).

Defining Impact Categories

Once you are confident in the number of known unknowns, the next step is some qualitative and quantitative analysis. To do that, you need impact-related criteria and categories. Some categories might be:

  • Financial

  • Regulatory and Compliance

  • Internal Operations

  • External Operations

  • Reputation

  • Health and Safety.

Impact categories will vary depending on the organisation. Adjust them to your business processes. By doing this exercise, you enhance not only your hazard response but also your cybersecurity response.

Recall the customer service issue we used as an example? If we had correctly mapped processes and assets, we would know who and what would be affected, and what kind of impact would occur. We could rank the most important factors based on both qualitative and quantitative considerations.

Perhaps the customer service process is used in the cybersecurity incident response process (as an ingestion source and dependency). If clients can no longer contact your team as a result, internal operations may come under pressure. The risk increases once you add a malicious actor who is aware of these issues.

In other words, even if you cannot perceive the connections between your business and cyber processes, they still exist. It closely resembles the data life cycle continuum that we previously mentioned. And if you don't do something about it, an attack or a mistake can have a bigger impact than it needs to.

So Now What?

We have raised many faults and problems. How do you resolve them? Here are some strategies and concepts:

  • Create a system for identifying and maintaining business processes, then carry out process mapping. What you find could surprise you. What you initially believed to be important may not actually be so, while what you initially believed to be unrelated may actually be crucial. Extra points if you can incorporate this technique into a few of your record-keeping systems to guarantee automatic and frequent updates and maintenance.

  • Create impact categories that are appropriate for your company's needs and procedures, along with associated escalation criteria. Generic criteria and criteria without thresholds leave a lot of room for interpretation and can muddle your response. To eliminate the grey areas (such as "substantial" financial risk vs a daily loss of $500,000), it is crucial to establish both qualitative and quantitative criteria.

  • Analyse the business impact of your processes. A business impact analysis (BIA) might not identify the business practices that an attacker could take advantage of, but you might discover which processes are weak because of those practices. It's all a part of learning about and understanding your industry.

  • Consider the world from your customer's perspective. Of course, practically all firms do this to increase sales and market share. But do you consider it from the standpoint of incident response? The good news is that firms have had to learn to deal with disruption over the past two years. This strategy forces your business and security teams to collaborate and share information.

When Plans Meet the Enemy

Most importantly, evaluate your procedures and policies in light of reality. Even though your plans and rules are excellent in theory, they could be too restrictive or prescriptive to be put into practice. Your company may have a weak point that could quickly bring down the whole thing.

Data protection and cybersecurity are now considered normal business practices. To identify areas of strength, vulnerabilities, and even ways to open up new business prospects, the cybersecurity process must collaborate with other processes. Make sure your well-laid plans are worth it.

 

 
