IN THIS ISSUE:
- CyberSecurity - article by Garth Tucker
- July Golf Day - TUG's 31st annual charity tournament
- Stay Connected - Confirm your subscription to TUG Buzz
CyberSecurity & its Impact on Resilience Programs
Back in January 2017, I wrote a quick and dirty overview of cybercrime and its increasing threat to business resilience https://www.linkedin.com/pulse/how-big-deal-cyber-crime-garth-tucker/ and have kept as up to date as possible with cybersec trends, events, software & methodology so that my resilience planning is relevant and effective. Recently, I've noticed several municipalities outing themselves as the losing half of a cybercrime attack. Kudos to them for having the courage to publicly admit it and hopefully open some eyes in other organizations. For a good overview of an actual attack, check out this video outlining what happened in Wasaga Beach, ON (thanks to my fellow DRI Canada Director Martin Gierczak for his peer review and this example) https://youtu.be/A8S-uCeE0-Q. I would never call someone out publicly on this topic, but the people involved took the route to learn from and help educate others from their misfortune – Big thumbs up to the people in Wasaga Beach!
First, let's look at where many organizations go wrong when planning their cybersec program.
- They try to do it all themselves. This has become such a many-layered and extensive issue that, outside of places such as Public Safety Canada, RCMP, CSIS, DND, big Banks, etc., most organizations do not have the ability/experience to build or respond to a cybersecurity attack effectively.
- Cybercrime has become elevated into the Emergency Management realm. When you're attacked, you will quickly exceed your ability to respond and MUST involve outside agencies such as your local police or the RCMP. They have the experience and tools to deal with these crimes. Your staff may think they do, but as we have seen time and time again, they don't. It's not a knock against their abilities, but they aren't working on this 24/365, the experts at the RCMP are.
- Lack of employee email "indoctrination." When new staff are being onboarded, teach them how to use email. We all assume that everyone knows how to use Outlook, but this is not correct: people know how to open and respond to emails, but they have very little awareness of the havoc that can come in an innocuous-looking email (I miss the inherent security of Lotus Notes). Teach them before you let them loose on your network. Staff who have been around for years should also be taught proper email handling. Don't open attachments from anyone that you don't know. EVER.
- Not taking advantage of resources available to Canadian businesses from places like Public Safety Canada, the RCMP, etc. Get your IT folks involved with groups like ISACA https://www.isaca.org to stay on top of trends and network with other professionals to get tips on how to be more effective, pay the membership dues and allow them to attend conferences.
Next, some 10,000-foot advice on how to integrate cybersec response into your resilience program. I can't get too granular, or you wouldn't need consultants like me. Before we begin, let's agree that there are different responses and planning processes for IT and for the business units, and we'll look at them individually.
IT – As part of the Disaster Recovery (DR) program, IT should have introduced processes/software that protect the systems from outside attack and have kept those processes fresh and added the proper update patches to the software. I'm not going to say that Process A or Software B is the best because it's not one size fits all, that's your job to determine what solution is best for your organization. If you don't have those skills in-house, bring in an independent security expert or experts.
Also, at this point, you must identify who is responsible for what in your response. I've seen a room full of propeller heads looking uncomfortably at one another because there's no set of instructions for them to follow. Don't just think you're going to drop a Disaster Recovery as a Service (DRaaS) solution into place and that's that. There's more to the puzzle that must be identified.
After defining the building blocks of your defense and your response, identify the communications protocol for who gets notified, when and how. Bring your communications and HR folks into this process and if you don't have your own comms folks, hire outside experts.
Call the cops. Sounds like a cliché, but that's what you should do. Local police first, and let them escalate to the next level. You very likely do not have the resources to tackle international organized crime syndicates, and this is probably whom you're dealing with. Way back in the day, I taught technical courses for IBM worldwide and I remember Eastern Europeans being so much further ahead and much better educated than North Americans around computer technology. I had a scientist from the former Soviet space program in a class in Moscow who had written code to operate a space station, and mathematicians in a class in Warsaw that made me feel very insecure about my intellectual abilities. Fortunately, they were far too polite and friendly to ever make me feel stupid intentionally. But this is likely what you're up against, and while the bad guys do this for a living, your IT folks are busy with all the other work that goes into running your systems. Cybersec is just another hat they wear in their daily routines. Let the pros handle things once you're in response mode; don't throw gasoline on this fire. You'll also want to check with law enforcement when you're building your plan and see if they have any input on how you should communicate with them in the event of an attack, or if they have any processes you should make part of your response. If possible, bring them into your planning process. This is crime, it's kinda their thing.
Now that you've started building your cybersec walls and response, how effective will it be when it's required? There are 2 ways to find out. You don't want to use one of those ways. Test, exercise, walk through, whatever you want to call it, this is the least dangerous way to see how effective your response is going to be in the event of an attack. Option #2 is an actual incident where your readiness is tested with all the horrible repercussions that go along with a less than perfect response… This would be the way you don't want to use for checking your readiness. If you don't run a boat through its sea trials, there's a good chance it's going to sink the minute it gets caught in a gale.
Lastly, always stay vigilant. Don't get lulled into a false sense of security because the criminals are always out there probing for a weakness. Getting too comfortable around your cybersec is a recipe for getting mugged in cyberspace.
The Business – Your IT is out or partly out. What do you do? As part of the Business Continuity (BC) planning process, your practitioner will have identified IT outage as a threat/risk, and you should have defined a mitigation strategy or business resumption plans (BRPs) around this eventuality. I can't tell you how that plan will look for your business unit, but cybersec is not like a failed piece of hardware or a power outage. It's virtually impossible to define how long the attacked infrastructure/data will be unavailable with any reasonable accuracy. It will depend on what's been attacked, how it's been affected, and if there's a predefined solution. So, you must define a process that works as effectively as possible based around an unknown parameter. Don't think of this as a failing of the IT folks; it's the nature of the cybersec beast, and you must do your best to mitigate the impact of a cyber-attack on your specific business unit processes and the upstream and downstream dependencies. Not an easy thing to accomplish, but any steps you take are better than doing nothing.
The hardest part for the organization is going to be putting it out there that you've been attacked. How will it affect reputation? Stock prices? Your career? Put all that aside and know that you're not the only organization to get attacked, and if you look at the ones that really stand out, it's the organizations that tried to keep it a secret who look the worst. That makes a bigger story than the actual impact of the cyber-attack. Nobody who is affected wants to be kept in the dark; issue a press release and let the public know you're on top of it and limiting exposure. Otherwise, the story, once it goes public, will be how you tried to be sneaky. Most importantly, your clients, suppliers, etc. MUST absolutely be made aware that their information may have been compromised so they can begin their response. Not informing them immediately is not only unprofessional, it will likely lead to litigation, and rightly so. You could have left them vulnerable to an attack that, with prompt notification, could have been avoided. Cybercrime is a fact of life these days, and hiding it only emboldens the criminals who prey on organizations.
All this is theoretical until it isn't. Don't put your head in the sand and hope you don't get a cyber punch in the nose. Take the steps required, don't pinch pennies on the budget, and ensure your staff is as aware of your cybersec response processes and their part in it as they are of a fire in the building. If you don't take the steps required to mitigate cybercrime attacks you shouldn't be considered a victim if it happens to you. Why? Because you knew the threats were out there and did not do enough to protect your organization. If I choose to live in northern Canada and willingly choose to not take shelter in the winter knowing it's going to be -30 C and snowing with 50 km/h winds, I'm not a victim, I'm a statistic (and a moron).
I've gone way over my usual 1000 words or less, but this topic is one that I could probably write 100,000 words on and still just scratch the surface. Good luck and be afraid, be very afraid.
Thanks to all who peer reviewed and offered suggestions on this article to help me appear smarter than I am… hahahaha!
Garth Tucker, CBCP, CORP
Garth is the Principal of Green Apple Resilience Planning (greenapplebcp.com), a member of the DRI Canada (dri.ca) Board of Directors, and a Certified Business Continuity Professional (CBCP). His career focus is on the development and management of holistic resiliency programs as well as effective management of crisis events. The path to his current position began with software development, project and program management, and as an IT technology educator worldwide for IBM in the late 1990s and early 2000s. He transitioned to disaster recovery, business continuity, and crisis management beginning in 2002. Significant formal, and self-education throughout his career has ensured he remains relevant and effective.
As you may know, our golf day was rained out on June 13th, so we have rescheduled the TUG Golf Tournament for Thursday July 25, 2019.
If you were already registered, we will contact you to reaffirm your availability to play on the new date. Otherwise, you still have time to sign up for this worthwhile charity event!
On Thursday July 25th, 2019 we are back at St. Andrews Valley Golf Club in Aurora for the 31st Annual TUG Charity Golf Classic.
Register now at: www.tug.ca/golf
Proceeds to Holland Bloorview Kids Rehabilitation Hospital
The Toronto Users Group for Power Systems (TUG) is a user group/forum for the exchange of ideas, and specializes in providing affordable education relating to the IBM iSeries, AS/400, System i, and Power Systems platforms. TUG is in its 34th year of operation.