The Time is Now to Integrate Cyber Security with Business Continuity

By Gene Fredriksen

It is well known that cyber security is a top concern for nearly all companies. While addressing cyber security is clearly a technology-centric issue, recent incidents have shown it is no longer only a technology issue.

The integration of technology into all areas of credit union operations means that all functions will be impacted in the event of a cyber security response. Similarly, it is important to acknowledge that an event impacting business continuity may also have security implications. In fact, today’s level of integration makes it nearly impossible to delineate between cyber and business continuity problems.

Clearly, the time has come for credit unions to think outside the traditional box and integrate these two important functions. Integrated cyber incident and business continuity programs can deliver benefits that go well beyond dollars and cents.

Consider the steps below to ensure smooth and effective integration:

Integrate management teams and resources. Many organizations still seem to consider cyber security incident response and business continuity efforts to be separate functions. This is primarily because the two disciplines have long been thought of as separate and distinct, each intended to ensure an efficient and appropriate reaction to a unique event. But even if the practices have performed well as individual disciplines in the past, significant efficiencies and benefits can be realized if the relevant resources and processes are integrated. Creating a single process not only optimizes process flow and facilitates training, but it also forms a cohesive function, the goals of which are protecting the organization’s reputation and ensuring continuity of operations.

Align policies, procedures and training. Similar management teams and supporting activities exist in both specialties. Combining these teams and processes will yield a more cohesive, streamlined process that is capable of bringing more assets to bear when an event occurs, regardless of the incident type — which is increasingly important as security and continuity-impacting incidents themselves become more and more frequently integrated. For example, it is not uncommon for cyber criminals to attempt to leverage a physical incident to cover phishing or social engineering attacks. Timely involvement of all business-area leadership is crucial, as any sort of incident could raise immediate issues that require decision-making.

Leverage common touch points between business functions. A comprehensive response plan typically includes many “touch points” between IT and business functions. These touch points are usually coordinated through a response team that has common resources for communication, including periodic situation updates, designated response options and identified potential business impacts. A common framework may help mitigate the impact of negative events.

Coordinate crisis communications. Whether a business-impacting event is cyber or physical in nature, the key to effective resolution is clear, concise communications. If an event requires communication with members of the public, it is essential to identify and follow any regulations specifying how and when impacted individuals must be notified. Establishing clear communication protocols and procedures in advance of any event ensures that when the time comes, a credit union’s crisis management team will have the information it needs to develop and distribute authorized communications — quickly, effectively and cohesively. This preparation will pay off in ensuring an organized response to public concerns and inquiries, and will also make it easier to monitor external activity. 

Optimize after-action reporting. Even after an incident is resolved, the cleanup work is not done. What actually happened, and why? The root cause of an event is not always obvious, and unless identified through a complete and careful analysis, the event could recur. Once the cause of an incident has been identified and remediated, the credit union should update its incident response program documentation to integrate the lessons learned. Regularly updating an integrated plan reduces the potential for mistakes and eliminates duplication of effort.

Risks related to cyber security should be handled similarly to any other business risk. Whatever the specifics of the incident, a single framework and management reporting structure should be in place to identify and control the incident’s potential impacts. Different subject matter experts may be brought in and out to assist, depending on the nature of the specific problem, but leveraging a common framework, training and reporting structure will facilitate the response and help to reduce negative impact to the business.

When it comes to developing an integrated process, start small. Take it one element at a time, paying attention to the details. In the end, you will learn a great deal about your business and end up with a process that will support your credit union’s needs well into the future.

As Chief Information Security Strategist at PSCU, Gene Fredriksen is responsible for several strategic functions primarily focused on relating PSCU’s perspective and stance on cyber security to existing clients, prospective clients, consultants and the industry as a whole. Gene has over 25 years of information technology experience, with the past 20 focused specifically in the area of information security.

Copyright Holder: CUToday.info
Copyright Year: 2026