COVID 19: Addressing Business Continuity in the online world

Post on 02-Apr-2022

1 views

Category:

Documents


0 download

TRANSCRIPT

Komitas Stepanyan, PhD, CRISC, CRMA, CobitF

IT Audit Virtual Training for PEMPAL

--- 1 ---

COVID 19: Addressing Business Continuity in the online world


--- 2 ---

COVID 19 challenges

Remote work: Opportunities and Risks

BCM vs BCP

Cyber Resilience

Examples


--- 3 ---

STATISTICS

Change in remote work trends due to COVID-19 in 2020

What percentage of your workforce will remain permanently remote post-COVID who were not remote before COVID?


--- 4 ---

STATISTICS, 7 SURPRISING STATS ON THE SHIFT TO REMOTE WORK

1. There has been a massive shift to work from home. 88% of organizations have encouraged or required their employees to work from home and 91% of teams in Asia Pacific have implemented ‘work from home’ arrangements since the outbreak.[i]

2. Coronavirus has been a catalyst for remote work. 31% of people said that Coronavirus (COVID-19) was the trigger to begin allowing remote work at their company.[ii]

3. Organizations are mobilizing, using crisis response teams to coordinate their response. 81% of companies now have a crisis response team in place.[iii]

4. Business continuity tops C-level concerns. 71% of executives are worried about continuity and productivity during the pandemic.[iv]

5. Cybercriminals are taking advantage of the crisis. Over a 24-hour period, Microsoft detected a massive phishing campaign using 2,300 different web pages attached to messages and disguised as COVID-19 financial compensation information that actually led to a fake Office 365 sign-in page.[viii]

6. Technology and infrastructure are some of the biggest barriers to connectivity and workforce productivity. 54% of HR leaders indicated that poor technology and/or infrastructure for remote working is the biggest barrier to effective remote working in their organization.[ix]

7. Remote work is here to stay. 74% of companies plan to permanently shift to more remote work post COVID.[xv]


--- 5 ---

Cases

September 11, 2001, USA

March 11, 2011, Japan, Damage $309bln

Hurricane Katrina, August 2005, USA, Damage $125bln

Volcano Eyjafjallajökull, 14 April 2010, North Europe


--- 6 ---

The Reality

43% of US companies never reopen after a disaster and 29% more close within 3 years.

20% of small to medium size businesses suffer a major disaster every 5 years.

78% of organizations which lacked contingency plans but suffered catastrophic loss were gone within 2 years…most had insurance, and many had business interruption coverage!

(Sources: U.S. National Fire Protection Agency, U.S. Bureau of Labor, Richmond House Group and B2BContinuity.com)


--- 7 ---

Cases

It doesn’t concern us


--- 8 ---

Case 2018, Central Bank of Armenia


--- 9 ---

Standards, Frameworks and Documents

ISO 22301 – Business Continuity Management Systems

Business Continuity Management Audit/Assurance Program - ISACA

GTAG 10 Business Continuity Management - IIA

Toolkits & papers from web


--- 10 ---

Definitions

ISO 22301

business continuity management system (BCMS): part of the overall management system that establishes, implements, operates, monitors, reviews, maintains and improves business continuity

business impact analysis: process of analyzing activities and the effect that a business disruption might have upon them

incident: situation that might be, or could lead to, a disruption, loss, emergency or crisis

business continuity plan: documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption. NOTE: Typically this covers resources, services and activities required to ensure the continuity of critical business functions.


--- 11 ---

BCM Audit, GTAG 10

What is Business Continuity?

It is the ability of the business to continue operations with minimal disruption or downtime in the advent of natural or man-made disasters.

Business continuity planning is a strategic discipline that should be an integral part of the organization's culture.

??? BCP VS BCM ???


--- 12 ---

What is BCM?

An ongoing process supported by senior management and funded to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and recovery plans, and ensure continuity of services through personnel training, plan testing, and maintenance.


--- 13 ---

BCM Lifecycle

[Figure: Continuity Life Cycle diagram, framed by Governance and Culture, with the following stages:]

Analysis
- Project Initiation and Management
- Risk Assessment
- Business Impact Analysis

Business Continuity Strategy Design

Solutions Deployment and Enhancement

Execution
- Business Continuity Plan Testing
- Training & Awareness Programs
- Compliance Monitoring & Auditing


--- 14 ---

QUESTION

When a disaster occurs, the highest priority is:

1. Minimizing data loss by saving important data

2. Ensuring everyone is safe

3. Recovery of backup tapes

4. Calling a manager


--- 15 ---

QUESTION

The amount of data transactions that are allowed to be lost following a computer failure is the:

1. Recovery Time Objective

2. Recovery Point Objective

3. Service Delivery Objective

4. Maximum Tolerable Outage


--- 16 ---

ER, CM, BC ---> BCM

[Figure: timeline starting at the incident (Time T = T0) and running across Minutes, Hours, Days, Weeks: 1 - Emergency Response, 2 - Crisis Management, 3 - Business Continuity.]

1 - Emergency Response: First action that focuses on avoiding, deterring, and preventing disasters and/or preparing the organization to respond to a disaster. The goal of ER is lifesaving, safety, and initial efforts to limit the impact to asset damage.

2 - Crisis Management: CM focuses on managing external/internal communications and senior management activities during a disaster. The goal of CM is to effectively address the coordinated response, resources, and internal and external communication.

3 - Business Continuity: BCM capabilities are focused on the recovery of critical business processes. The goal of BCM is to minimize the financial and other impacts to a business caused during a disaster or business disruption.


--- 17 ---

RTO, RPO

ISO 22301:2012, Societal security – Business continuity management systems

RPO, recovery point objective: point to which information used by an activity must be restored to enable the activity to operate (“maximum data loss”)

RTO, recovery time objective: period of time following an incident within which:

➢ product or service must be resumed

➢ activity must be resumed

➢ resources must be recovered

[Figure: timeline. Normal Processing; Backup 1; Last Backup at T = T0 - X; incident at T = T0; Backup 2. RPO spans from the last backup (T = T0 - X) to the incident (Lost data); RTO spans from the incident to T = T0 + Y (Time Down), after which Normal Processing resumes.]

IIA Definitions

Processing Gap: Lag time between the disruption point and resumption of normal processing.

Lost data: The data that will be lost, destroyed, or otherwise unavailable, after successful recovery.


--- 18 ---

Core Processes

Process                      RTO         RPO (Backup frequency)
1. Accounting and Finance    3 hours     1 hour
2. Licensing                 5 hours     5 days
3. Government payments       1.5 hours   4 hours
4. HR                        2 days      2 weeks
5. Public Relations          0.5 hours   2 hours


--- 19 ---

Example

Process                                                                  RTO         RPO (Backup frequency)
1. Monetary policy short term programming. CB operations in local market 3 hours     1 day
2. Operations in international markets. Foreign reserve management       5 hours     0.5 hours
3. Exchange rate calculation and publication                             1.5 hours   1 day
4. Bank interest rate calculation and publication                        2 days      2 weeks
5. Cash circulation                                                      0.5 hours   0.5 hours
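As an added illustration (not part of the training deck), the check an IT auditor would run against a BIA table like the one above: compare an incident's X (age of the last backup at T0) and Y (time down) with each process's RPO and RTO from the slide-19 table, and flag processes whose RPO can never be met by a given backup interval. Process names and objectives are taken from the table; the incident values are constructed.

```python
from dataclasses import dataclass

# Process -> (RTO, RPO / backup frequency), copied from the example table above.
PROCESSES = {
    "Monetary policy short term programming": ("3 hours", "1 day"),
    "Operations in international markets": ("5 hours", "0.5 hours"),
    "Exchange rate calculation and publication": ("1.5 hours", "1 day"),
    "Bank interest rate calculation and publication": ("2 days", "2 weeks"),
    "Cash circulation": ("0.5 hours", "0.5 hours"),
}

HOURS_PER_UNIT = {"hour": 1, "hours": 1, "day": 24, "days": 24, "week": 168, "weeks": 168}


def parse_duration(text):
    """Turn a table value such as '1.5 hours' or '2 weeks' into hours (float)."""
    value, unit = text.split()
    return float(value) * HOURS_PER_UNIT[unit]


@dataclass
class Finding:
    process: str
    objective: str   # "RPO" or "RTO"
    target_h: float  # what the BIA committed to
    actual_h: float  # what the incident produced


def check_recovery(process, last_backup_age_h, time_down_h):
    """Compare one incident against the process objectives (all values in hours).
    last_backup_age_h is X on the RTO/RPO timeline (last backup at T0 - X),
    time_down_h is Y (service resumed at T0 + Y)."""
    rto_text, rpo_text = PROCESSES[process]
    rto, rpo = parse_duration(rto_text), parse_duration(rpo_text)
    findings = []
    if last_backup_age_h > rpo:  # more data lost than the RPO allows
        findings.append(Finding(process, "RPO", rpo, last_backup_age_h))
    if time_down_h > rto:        # outage longer than the RTO allows
        findings.append(Finding(process, "RTO", rto, time_down_h))
    return findings


def processes_unserved_by_backups(backup_interval_h):
    """Audit check: with periodic backups the worst-case data loss equals the
    interval, so a process whose RPO is shorter than the interval cannot meet it."""
    return [name for name, (_, rpo) in PROCESSES.items()
            if backup_interval_h > parse_duration(rpo)]


if __name__ == "__main__":
    # Constructed incident: cash circulation down 20 min, last backup 45 min old.
    print(check_recovery("Cash circulation", 0.75, 20 / 60))
    print(processes_unserved_by_backups(4))  # RPO not achievable with 4-hourly backups
```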


--- 20 ---

HIGH LEVEL QUESTIONS MUST BE ADDRESSED

CAE should be able to answer the following simple and important questions related to business continuity:

Does the organization’s leadership understand the current business continuity risk level and the potential impacts of likely degrees of loss?

Can the organization prove the business continuity risks are mitigated to an approved acceptable level?

If an unacceptable business continuity risk exists but executive management has decided to assume the risk, are the organization’s owners and business partners aware that management has decided not to mitigate the risk?

Has the decision to accept the risk been properly documented?


--- 21 ---

ACTIONS NECESSARY TO MEET BCM REQUIREMENTS

Management Commitment to BCM Program
- Build a business case
- Understand the value
- Establish a BCM program

Conduct a Business Impact Analysis (BIA)
- Identify business processes & define critical processes
- Define RTO and RPO for processes
- Identify other parties and physical resources for recovery

Conduct a BC Risk Assessment & BC Mitigation
- Assess the impact of disruptive events
- Define BC disruptive events
- Develop BC risk mitigation strategies

Define Business Recovery and Continuity Strategies
- Define staffing alternatives needed for recovery
- Define alternative sourcing of critical functions
- Define alternative offices needed for recovery
- Plan to transition back to normal operations

Establish Disaster Recovery for IT
- Understand business recovery requirements
- Select recovery solutions and recovery sites

Deploy, Verify and Maintain BCM Program Capabilities
- Deploy BCM program awareness and training
- Maintain the BCM program and BC plans
- Exercise business continuity capabilities
- Establish crisis communications and align with crisis management
- Align with emergency response and external agencies coordination


--- 22 ---

BCM AUDIT CHECKLIST

1. Management

2. Business Impact analysis and Risk Assessment

3. Contingency Arrangements

4. Documented Plans

5. Training and testing

6. Review and Update

(Attachment: BCM Audit checklist.docx)


--- 23 ---

COVID 19 AND CYBER RESILIENCE


--- 24 ---

THE EXPERIENCE AT FBI


--- 25 ---

OUTSIDE OF THE PERIMETER IS DANGEROUS

Corporate security perimeter stops > 99% of threats


--- 26 ---

THREAT LANDSCAPE OF REMOTE WORK

[Figure: the remote-work chain IT personnel – Access Infrastructure – WAN – Endpoint – Employee – LAN, with threats placed along it:]

- Phishing, Social engineering
- Malware, Theft, Tampering
- Wardriving, Cracking
- Masquerading, Man-in-the-middle
- Eavesdropping, Traffic analysis


--- 27 ---

RISK: PHISHING

• 91% of successful data breaches started with a phishing attack

• 23% of targeted people open phishing emails and 11% click on links or open attached files


--- 28 ---

RISK: WEAK INFRASTRUCTURE

• Not designed for large-scale and prolonged usage

• Inadequate capacities

• Low number of concurrent users

• Low number of notebooks and mobile devices

• Limited bandwidth

• Insufficient support

• Pressure on IT Departments to find solutions fast


--- 29 ---

RISK: CLOUD

- Business: Not enough conferencing capacity. Do something. Fast!

- IT: We cannot bring in more servers fast… Maybe the cloud?

- Business: We need it yesterday!

- IT: Alright… let’s Zoom then!


--- 30 ---

POOR SECURITY DESIGN

Some critical data has been transmitted through China even when not necessary


--- 31 ---

PHISHING EXAMPLES


--- 32 ---

RECOMMENDATIONS

• Authorities and firms should prioritize:

  • Clear remote access policies (who, what, when, and how)

  • Robust authentication of users and devices

  • Strong encryption methods

  • Secure remote access devices (endpoint security)

  • Network security monitoring

• Cloud usage should be based on detailed risk assessments

• Additional user awareness campaigns should be launched

• Robust controls over configurations at both ends of the connection

• Additional security controls for critical functions


--- 33 ---

CYBER HYGIENE – IT IS NOT DIFFICULT!

Choose the right environment

Protect your WiFi

Keep work and home separate

Do not open suspicious content

Hide your webcam when not in use

Secure your devices after work

Apply updates regularly

Use strong passwords / 2FA

Protect videoconferences


--- 34 ---

ONE LAST THING…

[Figure: the same remote-work chain IT personnel – Access Infrastructure – WAN – Endpoint – Employee – LAN]

THINK END-TO-END


--- 35 ---