Integrating cyber security with business continuity

Cyber security is a top concern for nearly all companies. While cyber security is clearly technology-centric, recent incidents show it is no longer only a technology issue.

The integration of technology into all areas of credit union operations means that all functions will be impacted in the event of a cyber security response. Similarly, an event impacting business continuity may also have security implications. Today’s level of integration makes it nearly impossible to delineate between cyber and business continuity problems.

The time has come for credit unions to integrate these two important functions. Integrated cyber incident response and business continuity programs deliver benefits that go well beyond cost savings.

Consider the following steps to make the integration both smooth and effective:

Integrate management teams and resources. Many organizations still treat cyber security incident response and business continuity as separate functions, largely because the two disciplines have long been regarded as distinct, each intended to ensure an efficient and appropriate reaction to its own type of event. Significant efficiencies can be realized by integrating the relevant resources and processes, even where each practice has performed well on its own. A single process not only streamlines workflow and simplifies training, but also forms a cohesive function whose goals are protecting the organization’s reputation and ensuring continuity of operations.

Align policies, procedures and training. Similar management teams and supporting activities exist in both specialties. Combining these teams and processes yields a more cohesive, streamlined process that can bring more resources to bear when an event occurs, whatever its type. This matters increasingly because security incidents and continuity-impacting events more and more often occur together: for example, it is not uncommon for cyber criminals to use a physical incident as cover for phishing or social engineering attacks. Timely involvement of leadership from every business area is crucial, since any incident can raise immediate issues that require decisions.

Leverage common touch points between business functions. A comprehensive response plan typically includes many “touch points” between IT and business functions. These touch points are usually coordinated through a response team that shares common communication resources, including periodic situation updates, designated response options and identified potential business impacts. A common framework helps limit the impact of negative events.

Coordinate crisis communications. The key to effective resolution is clear, concise communication, regardless of whether a business-impacting event is cyber or physical in nature. If an event requires communication with members of the public, it is essential to identify and follow the regulations that specify how and when affected individuals must be notified. Establishing clear communication protocols and procedures in advance ensures a credit union’s crisis management team will have the information it needs to develop and distribute authorized communications quickly, effectively and cohesively when the time comes. This preparation pays off in an organized response to public concerns and inquiries, and also makes it easier to monitor external reaction.

Optimize after-action reporting. The root cause of an event is not always obvious, and unless it is identified through a complete and careful analysis, the event may recur. What actually happened, and why? Once the cause of an incident has been identified and remediated, the credit union should update its incident response program documentation to incorporate the lessons learned. Regularly updating an integrated plan reduces the potential for mistakes and removes duplication of effort.

Risks related to cyber security should be handled similarly to any other business risk. Whatever the specifics of the incident, a single framework and management reporting structure should be in place to identify and control the incident’s potential impacts. Different subject matter experts may be brought in and out to assist, depending on the nature of the specific problem, but leveraging a common framework, training and reporting structure will facilitate the response and help to reduce negative impact to the business.

Start small when developing an integrated process. Pay attention to the details, taking it one element at a time. In the end, you will learn a great deal about your business and end up with a process that will support your credit union’s needs well into the future.

Gene Fredriksen

Gene Fredriksen is the CISO for PSCU. In this role he is responsible for the development of information protection and technology risk programs for the company. Gene has over twenty five ... Web: www.pscu.com