Director, Information Security
Cyber attackers know organizations of all sizes have made a lot of operational changes because of the coronavirus pandemic, and they’re taking full advantage of them as new cyber attack vectors.
Just a few weeks after much of the U.S. southeast experienced gas shortages following a hack of the Colonial Pipeline, attackers were at it again, this time targeting the world’s largest meat production facility, JBS, which resulted in the shutdown of its five largest U.S. plants and other plants in Australia and Canada. Nation-state actors are believed to be behind this attack, as well as another attack revealed recently by Microsoft that targeted more than 150 government agencies, with the U.S. bearing the brunt of the attack.
One recent report highlights how attackers are shifting focus to target products and services for daily life, like the Colonial Pipeline and JBS attacks, citing a 102% increase so far this year in ransomware attacks compared to the same time period in 2020.
Whether it’s a result of technology changes related to remote workforces or a shift in focus away from the day-to-day as organizations keep their attention on crisis management, attackers know there are new opportunities to infiltrate organizations, and they’re taking full advantage.
In 2020, for example, there were more than 1,000 reported cyber breaches affecting almost 156 million individuals through data exposures. No industry is immune. While small and medium-sized businesses (SMBs) may be the most vulnerable to attacks, healthcare, government, energy, higher education, and critical infrastructure are squarely in attackers’ crosshairs.
The Cybersecurity and Infrastructure Security Agency (CISA) has released a list of 16 industries as critical infrastructure sectors, all of which can fall victim to an attack at any time, including:
Healthcare organizations, for example, suffered greatly at attackers’ hands last year, likely as a result of the rapid adoption of telehealth, telemedicine, and electronic medical record solutions needed to meet consumers in newly defined socially distanced and stay-at-home environments.
In fact, the Office for Civil Rights investigated almost 500 data breaches of healthcare-covered entities and business associates in 2020 where breaches affected 500 individuals or more. The previous year, there were only about 125 investigations at that level.
What may be even more alarming is that in just the first three months of 2021, OCR already looked into 113 healthcare-related data breaches affecting 500 or more individuals.
The healthcare industry’s statistics are just a snapshot of what’s happening for industries around the globe.
So, what does this mean for operational resilience? Some may ask if cyber events are the next big threat for business continuity, but the statistics demonstrate the threat is already here and now.
Cyber resilience and operational resilience are emerging hand-in-hand.
Further, what’s happened during the pandemic, paired with increased cyber attacks, paints a clear picture of industry evolution. We shouldn’t build response and recovery plans that focus solely on single events. Instead, organizational resilience will depend on organizations’ abilities to manage multiple crisis events and disruptions at the same time.
And for many, this includes the new challenges of remote and geographically dispersed workers who expand response scope.
As organizations have adapted to COVID-19 challenges, we’ve seen a push for more cloud and software as a service (SaaS) adoption for the gamut of businesses, from small companies to large enterprises.
While this move brings a lot of benefits to these organizations, for example, faster deployment, cost-savings, and affordable scalability, it also brings with it increased risks for more cyber attacks.
That’s because many of these solutions employ data storage for multiple organizations on the same servers or a series of interconnected servers. These large data centers, for example, are enticing for attackers who are perfecting ways to laterally move within these networks from a single point of compromise, such as a successful phishing attempt.
What would happen, for example, if one of the nation’s largest cloud-services providers, such as Amazon Web Services (AWS) or Microsoft Azure, fell prey to a successful cyber attack? We already saw back in November 2020 the potential for large-scale failures when AWS had an outage that affected a number of well-known and widely used companies such as Adobe, Glassdoor, and Roku.
While this event only lasted a few hours, it highlights just how dependent the business world is on cloud services and how one misstep anywhere along that data chain can have vast impacts on operations for many.
Fortunately, there have been no reports of a successful cyber attack on these large cloud services providers (CSPs), but we shouldn’t sit back and feel secure. Every organization, whether it uses a large-scale CSP or other data centers or hosts all of its data on-premises, should include cybersecurity and the potential for cyber attacks in its business continuity planning.
So where do you begin? How can you include cyber threats in your business continuity planning and strategies?
One of the biggest challenges for organizations, especially when it comes to a range of technologies and cloud-hosted services, is they don’t have a full understanding of all the systems, software, and applications in use (or dormant) within their organization or how and where they’re used.
That’s because for most organizations, these software selections, purchases, and implementations are handled at a department or location-specific level with little communication up the management chain (or even to IT and cybersecurity teams) about what they are and why they’re needed.
And what we see repeatedly is that when team members leave an organization or positions change, the knowledge related to the where/how/why often goes with them.
This is where a business impact analysis (BIA) and risk assessments can help. With your BIA, your goal will be to identify all of your assets to build a comprehensive inventory and then determine which of those assets (for example, your cloud-hosted solutions) are directly related to your most critical services and operational components.
Once you have an understanding of your mission-critical needs, you can then begin to peel back the layers to determine what would happen if you lost access to one of those systems, for example, a temporary data center failure, or if you lost the related solution and data completely through something like a ransomware attack.
Your risk assessments can help you take a closer look at how your technology partners manage their cyber risks and what processes they have in place to ensure cybersecurity and compliance, but also what their business continuity and disaster response plans look like so you’ll know if they’re taking these risks as seriously as your organization does—or if the risk of working with them is just too great.
While most of us are still working through pandemic fatigue, we’re optimistic that, as an increasing number of people are successfully vaccinated for coronavirus, we’ll be able to move away from our deep focus on this specific disruptive event and refocus on planning and response for future disruptions.
But while there could be a light at the end of the pandemic tunnel, we have no reason to believe that cyber attackers intend to slow their pace. This year alone, cybercrime is anticipated to reach damages of at least $6 trillion USD worldwide, and by 2025 skyrocket to nearly $11 trillion.
If you’re not already working on building a cybersecurity program for your organization and haven’t figured out how to work cyber threat management and mitigation into your operational resiliency planning, now is the time.
Need help? Contact a Castellan advisor and we can assist you with business impact analysis, risk assessment, and continuity planning for this and other potentially disruptive events.