Integrating Risk Disciplines: Business Continuity and Cyber Response

Both the definition of “business continuity” and the industry as a whole are evolving. While this has been the case for the last several years, it’s even more true in our post-pandemic world.

As we reflect on lessons learned from our pandemic and multi-event response protocols, we can find many opportunities to improve business continuity practices to further solidify resilience. And among the many areas of change in the past year is an increased focus on cybersecurity awareness—cyber resilience—and the role it plays in business continuity.

At last, organizations are clueing in to the importance of congruence between cross-functional teams and processes, and recognizing that cybersecurity for operational resilience is more than what you do if your systems go down as the result of another disruption or when you have short-term or small-scale data loss. Cyber resilience is part of a much bigger picture and, as such, is evolving as a critical component of business continuity.

First, What is Cyber Resilience?

Cyber resilience goes beyond cybersecurity controls and best practices. It’s how your organization manages day-to-day operations to decrease the effects of a cyber event on your ability to do business.

Think of cyber resilience as a change in thought and practice, moving from the old approach to cybersecurity (what happens if your organization has a cyber event) to what your organization will do when an incident happens.

Are Cybersecurity and Cyber Resilience the Same?

While the differences between cyber resilience and cybersecurity are nuanced, they’re not one and the same.

Here’s a simple way to look at their differences. Think of cybersecurity as all of the controls, policies, and procedures your organization has in place as a defense mechanism against cyber events. These cyber practices are definitely an important and long-standing part of many business continuity programs.

But, as we’ve seen with an increase in cyber events, specifically the increased number of ransomware attacks and phishing schemes since the start of the coronavirus outbreak back in 2020, we’re learning that even effective cybersecurity programs can’t stop all attacks. For organizations of all sizes, that “when” for cyber events has become ever more prevalent.

The Rise of Ransomware

RiskBased Security’s 2020 Year End Report Data Breach QuickView points to almost 700 publicly reported breaches that included ransomware as an attack vector. That’s a 100% increase compared to 2019.

And not only are there more ransomware breaches, breach severity of all cyber breach types is increasing. Successful cyber breaches are also exposing unprecedented numbers of records. In the report, five of the top breaches resulted in exposures of 1 billion or more records, with another almost 20 resulting in exposures of between 100 million and 1 billion.

While a few months of 2021 remain, we’re seeing ransomware attackers didn’t relent this year. Sophos’ The State of Ransomware 2021 report estimates almost 40% of respondents had been affected by ransomware in the past year. Of those successful attacks, more than half resulted in attackers’ successful encryption of data. In 2020, more than half of respondents said they’d been hit by ransomware.

The grim picture doesn’t stop there. Not only are organizations encountering successful ransomware attacks, with increased severity and more record exposures, but those attacks are also costing more. The Sophos report puts the average ransom paid by mid-sized organizations at more than $170,000, which doesn’t include related response and recovery costs or account for potential fines or penalties for compliance, legal, or regulatory issues.

So, if there is a bright side to be found amongst the challenges and tragedies of the pandemic, it may be in increased awareness for organizations of all sizes about how to prepare for, mitigate, manage, and respond to increased risks such as cybercrime, ultimately leading to more mature business continuity programs and operational resilience success.

How Does Cyber Resilience Fit Into Business Continuity?

If your organization is just beginning to implement cyber resilience best practices or you’re ready to mature the cyber components of your existing business continuity program, you may have a few questions about how you can do so effectively. Here are a few tips.

First, consider developing a cyber resilience plan similar to what you would do for, let’s say, disaster response. While there are cyber components you’ll likely weave into all of your plans, you may find it beneficial to manage your comprehensive processes in their own plan.

For true cyber resilience, incorporate at least these four core components in your planning: anticipation (your environment and real-world attacks), vulnerability identification (critical systems, operations, and related weaknesses and security issues), response planning (what you’ll do if you experience an attack), and resilience (your return to normal as soon as possible).

When planning, remember these core actions:

  • Anticipate
  • Protect
  • Detect
  • Defend
  • Recover
  • Adapt

In addition to those core elements, your cyber resilience plans should take into consideration:

  • Data protection, storage, and recovery
  • Information security management such as controls, policies, and processes
  • Impact analysis for critical systems, functions, and data
  • Organizational awareness with ongoing training and education
  • System hardening, for example, adopting zero-trust policies and other controls
  • Testing and exercises of your existing controls, plans, and processes
  • Incident management
  • Event response
  • Ongoing evaluation, feedback, and plan improvements that reflect organizational changes and the changing threat landscape for your environment

What Are the Benefits of Integrating Cyber Resilience and Business Continuity?

When we talk about the evolution of cybersecurity into a culture of cyber resilience, it’s worth noting the many and varied benefits it can bring to your business continuity program.

Decrease Event Impact

A single cyber event can have far-reaching and long-lasting impacts on your organization. Even a small-scale event can disrupt your operations, making it difficult, if not impossible, to deliver your core goods and services. On top of that, your reputation could be damaged, you could lose customers, and you could face a range of legal, compliance, regulatory, and civil penalties. And, depending on the nature of the event and the events leading up to it, there may even be a chance of criminal prosecution. By integrating cyber resilience into your business continuity program, you can anticipate what these impacts may be, how severe they could potentially be, and make plans to mitigate those impacts.

Achieve RTOs and RPOs

Your recovery time objectives (RTOs) and recovery point objectives (RPOs) aren’t just statistics to leave hidden within a spreadsheet. They’re important parts of ensuring you’re able to return to normal operations as soon as possible, with as little impact to your resilience as possible.

But sometimes, during incident response, especially for an event you weren’t anticipating—such as a ransomware attack—it can be easy to overlook your objectives. Your team might be so focused on getting your systems restored, they overlook, for example, data loss impact.

Including cyber resilience in your business continuity program helps keep both your RTOs and RPOs front-of-mind, along with necessary processes to meet those important milestones.

Meet Compliance Mandates

A growing number of regulatory and oversight agencies—even some states—now have a range of cybersecurity and privacy mandates for organizations that handle, process, store, or transmit sensitive data such as personal health information (PHI) or personally identifiable information (PII). As cyber breaches put an increasing number of these records at risk, a growing number of expectations and requirements are being pushed down to the individual organizational level.

And for many, it’s not just about ensuring you have the right cybersecurity controls in place. It’s about ensuring you can anticipate, respond to, stop, and quickly recover from an incident to decrease impact on your consumers and their sensitive and protected data.

Cyber resilience, integrated with your business continuity program, can help you manage and evaluate your controls and processes, so you know just how effective they are long before an incident, breach, or audit.

Integrating Other Disciplines into Business Continuity

While cyber resilience is an important discipline to incorporate into your business continuity program, you can strengthen your program by similarly focusing on integrations of other disciplines to help improve your organization’s operational resilience. Here are some key disciplines to consider: supply chain resilience, crisis management, life safety, IT/disaster recovery.

Have other questions or need more guidance on how to effectively integrate cyber resilience or other disciplines into your business continuity program? Contact a Castellan advisor today or schedule a demo to see Castellan’s business continuity in action.