maxkabakov - Fotolia
Before 2020, contingency planning and crisis management were mostly academic exercises. Disasters, shutdowns and breaches happened, but many companies seemed to hum along for decades only addressing these matters when they arose.
Now, if you think everything is OK, just wait 15 minutes. We have entered an age of continuous events that confound our ability to operate, and we face new threats that impact our enterprise security on a daily basis.
In cybersecurity, contingency planning has traditionally focused on full-scale disasters and was generally connected to mandatory check-the-box regulatory compliance requirements. Big breaches and occasional act-of-God disruptions were feared but rare, isolated and difficult to prepare for. However, with recent global events and a changing threat landscape, we've checked off three squares on the Armageddon Bingo Card in the last year alone with disasters that have had a lingering impact on almost every business on the planet:
- power grid disruption
- civil unrest
As a result, things have changed. Security is adjusting to new threats and vulnerabilities, manifested across expanding attack surfaces, and all with long-term implications. The good news is that these disruptions have accelerated our ability to adapt, develop and test our contingency plans.
Contingency planning 2.0
The goal of contingency planning is not just about how we react to a security breach, but more about business continuity (BC) -- aka operational resilience. The strategy behind operational resilience management (ORM) is to develop options that enable people, processes and information systems to adapt to changing patterns without disrupting customer relationships, transactions or services. When faced with an incident, the mission is to execute the right options rapidly enough for business to continue with minimal disruption.
When America was more manufacturing-oriented, emergency response was mechanical and focused on physical points of sale, a supply route or the factory floor. The PR department would dust off the "Crisis Communications Plan," and spokespeople faced the disaster in front of TV cameras. In the 1980s, the infamous Tylenol poisonings set the tone for how to do it right (be as forthcoming with as much information as possible) versus the Exxon Valdez oil spill how-to-do-it-wrong model (executives hiding behind "no comment" for far too long).
Now, most of American business is service-oriented. Before the pandemic, desk-bound employees and teams got the work done in office settings, and the IT department defended the perimeter against hackers. Then, the pandemic elevated the ORM strategy: Keep the business open by allowing everyone to access data and information remotely without having to go to the office.
We've seen too many companies that didn't adjust quickly enough to enable the majority of office-based staff to continue supporting business operations from their homes. Management and IT scrambled to provision isolated employees with tools, access and visibility on company data and processes, while security teams were forced to completely reevaluate risk and security postures on the fly. Failure to cope in such scenarios was often far more damaging to companies than a typical data breach.
From a set of once manageable threats and vulnerabilities, operations were suddenly overwhelmed with thousands of new entry points across an expansive attack surface. Hackers and shadowy nation-states quickly figured out new tricks -- like breaching an executive's laptop through an internet-connected gaming system in their kid's bedroom or smart thermostat.
The pandemic has upended the network security theory of the soft, safe center protected by the hardened, tough exterior -- the enterprise network. Cybersecurity contingency plans now must extend beyond the traditional network edge to external extremes -- homes, public spaces, vehicles, hotels, truck stops, etc. To keep business open, the challenge to security teams is to extend coverage of that tough exterior to every endpoint.
Power grid disruption was one of the original motivators to build hardened data centers in remote, self-sustaining environments, often away from coasts and flood plains. Last winter's Texas storm showed that power disruption related to environmental occurrences can thwart old-school contingency planning. This was such a rare event, organizations weren't ready and the effect was devastating.
Weather events are quickly becoming compared to pandemic-induced economic shutdowns, and though few businesses had foolproof ORM strategies at the time, the Texas storm only lasted a few days. Nevertheless, millions were left without power and unprepared for freezing temperatures, service disruptions and business shutdowns. We learned that, even if something happens only once every 100 years or so -- be it a bad winter storm, a flu epidemic or a Capitol riot -- we can't afford to let our guard down. Though these events are hard to predict, organizations can plan for them.
Generational cybersecurity contingency planning
We've seen civil unrest over time but last year saw more than usual. Predictable perhaps, but if your business was in the wrong neighborhood or you left your laptop in a federal office building on the wrong day, contingency plans weren't much help.
The ability for workers to immediately leave their desks and flee to safety, while still providing for BC, is a critical skill set that must be addressed within an ORM strategy. In these situations, continuity is nearly impossible, and civil unrest can be so deadly and damaging that, once we get away from the initial danger, we have to focus on recovery. Business has stopped, and we need a plan to quickly restart, redeploy resources and support our teams that are likely more rattled than they are with a short-lived weather disaster or a slow-motion pandemic. Businesses that are not directly affected by outages or unrest can still be connected to vendor or supply chains that are impacted, and they will have to react and adapt as well.
Though there are a lot of variables, programs must have preplanning and training diligence in place. These are the new fire drills of the post-pandemic world -- or, more appropriately, the modern battle drills that need to be implemented and practiced with high discipline and precision. Organizations should be rehearsing with as many people as possible to develop the collective muscle memory. Drills should include all internal departments, plus vendors, suppliers, contractors and even customers, if appropriate, and be scheduled at least once a year. Since we just filled three spots on the Armageddon Bingo Card so quickly, we have to realistically consider full lift-and-shift dispersals of entire companies and teams to simulate likely scenarios.
Just like corporations, threat actors are also planning on how to execute attacks and take advantage of these disruptive scenarios.
With so many contingencies to plan for in a world moving to the cloud, there are no safe spaces or bastions of defense anymore. All this highlights the need to rethink, redevelop and test our contingency plans on a regular basis.
The old rule is still in place: Thou shalt have a contingency plan. By examining how contingency plans failed in addressing BC and by observing how organizations adapted, we can learn how to manage IT and security teams to protect and plan around the changing patterns of knowns and unknowns.
About the authors
The authors work together at cybersecurity firm Coalfire: Joe Neumann, Cyber Executive Advisor, Threat and Vulnerability Management, Secure Product Development; and Doug Hudson, CISSP, CCSP, CCSK, Open FAIR, Senior Director, Cyber Risk Advisory.