National Post (National Edition)
Cyber Resilience — Changing the Face of the Business Continuity Profession
Joe Ozorio
“There are two types of organizations when it comes to cyber breaches: those that have been hacked, and those that don’t know yet they’ve been hacked.” Of all the cute quotes by cybersecurity evangelists, I like this one best, because to me it reflects the all-pervasive nature of cyber breaches today. I truly doubt that there’s any commercial, private, or public organization where a hacking attempt hasn’t been made, whether successful or not. Today’s cyber criminals have too many resources, technologies, motives, incentives, and insidious purposes for us to be able to avoid them.
At the Disaster Recovery Information Exchange (DRIE), we’ve seen the rapid evolution of cyber attacks that now impact every facet of our profession. The Business Continuity Institute’s (BCI) 2019 Horizon Scan Report, drawing input from 569 global professionals, shows that “cyber attack and data breach” is considered to be the primary global threat over the next year. And justifiably so, as you’ve likely read in this special issue. It’s for this reason that cyber resiliency has been a recurring theme at DRIE Toronto’s regular symposiums in recent years. We believe business continuity management (BCM) and organizational resiliency professionals must be vigilant in understanding the threat and incorporating appropriate planning and response to meet the ever-changing nature of cyber attacks.
At our Sept. 12, 2019 symposium, the theme “Testing and Exercises — Why You Should Be Including Cyber in Your Exercises” brought to the forefront compelling issues centered around cyber resiliency. Two of our presenters came from the cybersecurity departments of two of Canada’s major banks. You might imagine they have a tall order in protecting the bank’s assets from the claws of cyber criminals around the world! They spoke about the current cyber threat landscape including cyber fraud, supply chain attacks, phishing, and insider threats; and risks to businesses ranging from loss of customer, client, or employee information to electronic channel fraud. They demonstrated how the advantage is clearly and deeply on the side of the cyber attacker. These attackers consider what they do simply as a business. They have patience, great skill, and no rules of engagement. Their funding is unlimited because they steal what they need.
Above all, both banks agreed that cyber attacks are not solely an IT problem. To think so is extremely short-sighted and places the organization at huge risk. Cybersecurity is a business problem, and everyone needs to be a cyber risk manager.
From a BCM professional’s perspective, regular business continuity exercises must incorporate cyber attacks in their scenarios, or craft entire scenarios around cyber attacks. To not do this is to ignore what is now considered to be the foremost global threat.
If you’re a BCM or resiliency professional, whether at the practitioner or management level, you’re in a unique and pivotal position to bring many different parts of your organization together to plan, prepare, and practice responses to what’s now inevitable.
Cyber attacks have changed the very fabric of organizational resiliency. So too, we as BCM professionals must change with it, or be left in the cyber dust.
The Disaster Recovery Information Exchange is a non-profit, member-funded association of BCM and resiliency professionals dedicated to the exchange of information on all aspects of BCM, from emergency response to the resumption of business as normal. DRIE has chapters and affiliates across Canada and in the Caribbean.