Having a fully cyber-resilient business is imperative for companies to survive cyber incidents. However, is such a goal actually achievable considering the current cybersecurity landscape? In the complex world of digital transformation, a generally accepted answer to this question would be 'no', but having an effective resiliency model may alleviate many of the risks faced by modern-day organisations and industries.
Three key elements for an effective cyber-resilience model
1. Incident Management
Experiencing disruptions to an organisation's IT services may have severe repercussions which can be both reputationally,reputationally and financially damaging. It is therefore imperative that organisations implement an incident management procedure, starting from an end-user reporting an issue, and ending in incident resolution and lessons learned.
Reduced incident resolution times are vital, and therefore having a streamlined reporting mechanisms are highly-recommendedhighly recommended, allowing the functional communication of incidents in a structured manner, forming a baseline for initial incident review and prioritisation. Classifying incidents in accordance with company risk-assessment methodology allows security teams to focus efforts efficiently, directing remediation tasks to the appropriate technicians with appropriate expertise.
2. Business Continuity
Setting up a resilient business cannot be achieved without establishing a continuity plan. The Business Continuity Plan (BCP) is not universal, therefore it should initially be based on a Business Impact Assessment (BIA), allowing stakeholders to clearly identify assets and processes which must be protected at all costs. The BIA in turn allows the identification of Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) which form the basis for the BCP. In simple terms, the plan dictates how a company should respond when coping with incidents or emergencies.
Along with a business continuity model, organisations should also have a disaster recovery model. Whilst business continuity plans allow businesses to remain operational during an incident or disaster, a disaster recovery plan focuses on recovery strategies and infrastructure after such an occurrence. It is imperative that testing processes accompany both plans, to allow businesses to assess the efficiency and level of preparedness, ensuring that all procedures are updated based on new business processes, locations, infrastructure, and personnel. This allows businesses to strengthen their resilience in a proactive manner.
3. Training and Awareness
Another effective measure is strengthening the organisation's first line of defense by educating employees not only about information security practices, but also about how to identify security and data breach incidents, and how to act and respond in the event of an incident or disaster occurrence. Employees should assume a level of responsibility based on their assumed role within the company, notifying relevant parties where needed and activating the appropriate procedures based on the event and associated level of prioritization. Employee compliance and understanding with company response plans should also be tested on a periodic basis through drills, assessments, and interviews.
What is DORA?
The Digital Operational Resilience Act (DORA) is the latest legislative effort at European Union level to protect citizens and to address the risks related to the ability of financial institutions to endure, respond to, recover from, and report on the effects of ICT incidents such that these can continue carrying out crucial tasks with the least possible interruption to consumers and the financial system.
BDO can assist licence holders in assessing their preparedness against DORA through an assessment of your organisation's compliance with the MFSA ICT Guidelines. Our solution allows for a conclusive breakdown of any gaps in procedures or risks which prevent your firm from demonstrating compliance through the following services:
- Assessment of your firm’s current standing with the guidance document, through a tailor-made Gap Analysis.
- Provision of a clear and concise remediation plan, identifying the actions required to become compliant with the MFSA’s Guidance document.
- Assurance of Information Security within your firm’s Technology Arrangements.
- Identification of risks your firm faces through a proportionality considered Risk Analysis.
- Implementation and compliance with an ICT Governance framework and Strategy.
- Assist with the implementation of a Third-party Management process, addressing outsourced IT arrangements.
- Designing of relevant tailored policies including Information Security, Business Continuity, Outsourcing, Change Management, Project Management, Incident Response (or assurance of your firm’s current policies).
- Identification and provision of a comprehensive Training and Awareness program covering Information Security & acceptable practices.