Cybersafetyconnections January 2022 vol #49 

  • Create a Business Impact Analysis. 
  • Determine Recovery strategies.  
  • Develop Continuity and Recovery Plans. 
  • Ongoing Training and Testing.  

This week’s blog will be discussing an article on how to get back to business after becoming a victim of a cyberattack.The article is “Helping clients build a cyberattack recovery plan” written by Rumbi Bwerinofa-Petrozello CPA/CFF, CFE in the Journal of Accountancy December 2021.  

And it does not matter the size of the organization, even individuals are constantly experiencing cyberattacks. We need to look at the possibility of these cyberattacks happening and how to manage these incidents to avoid businesses coming to a complete halt. Taking these steps does not necessarily prevent all cyberattacks. It is the organizations’ ability to respond quickly when a breach/cyber-attack happens that is important and that can limit the damage and reduce the cost to the organization.  

A major part of the risk assessment process involves building a strong business continuity and disaster recovery (BC/DR) plan. This is simply how to continue in operations and recover from a cyberattack/breach. BC/DR plan is something accounting practitioners are in a position to help their clients and employers to create to help them recover from cyberattacks.  

Below are the steps to create a plan and the ways practitioners can add value each step of the way;  

  •  Design a Business Impact Analysis (BIA)  

Practitioners are advised to work with clients to first figure out how a breach/cyber-attack will affect the revenue and the extra expenses that would be incurred like the cost of overtime and third-party vendors brought on to help with business continuity and disaster recovery.  

Other considerations are regulatory fines and contractual penalties, reputational damage and effect on customers’ happiness and possibly defecting to a competitor. Also, consider the effect of the timing of the incident and the duration. If the disruptive breach/cyber-attack happens before or during a busy season for the business and lasts for months it will have a greater effect than during a down period for the business and that only lasts for some minutes.  

Practitioners are advised to encourage organizations to consider the issue from different angles/scenarios and put numbers to the outcomes. It is best to speak with people who know the business well to know how it would be impacted and also the responsible parties. Follow-up of key personnel by practitioners is encouraged to confirm the information and get other missing pieces in the analysis.  

  • Determine Recovery strategies  

After getting the information provided in the first step above (BIA), the organization can then begin to come up with a plan of action to recover through identifying the business processes that are important to the organization. Dependencies between business units, functions, and third parties should be considered. All this information helps the organization to calculate the resources it would need to function depending on the extent of the disruption.  

The first step (BIA) helps practitioners to know the organization’s processes, business areas, functions, and resources requirements. It is important that the IT recovery plan is in line with the organization’s business plan. When there is a business interruption, the IT department’s focus should be on the important operations.  

An important part of the BC/DR plan is Back up management. Is back up connected to the network and can it be affected by malware attack? Practitioners can advise clients to have the back off offline and in a safe location away from possible cyberattacks or natural disasters. It is important to also find out how often backup is done as well as how much data the organization can afford to lose. This will help to match the data needs of the business to back up the schedule.  

Another consideration is to find out if staff know what to do in the event of a cyber-attack. For example, do staff turn off the machine or pull the plugs and disconnect from the network to halt the spread of the cyberattack, or would restarting the machine spread the cyberattack? Are the staff knowledgeable about how to send an emergency message to IT to investigate the root cause/source of the cyberattack?  

After creating the various business interruption scenarios, organizations should also consider alternate manual workarounds to get operations back up and running. Practitioners on their own part can work with clients to evaluate the risk of fraud with these workarounds and how to address these risks. When there is a disruption, organizations are not looking to incur more losses from using workarounds to resume operations.  

The practitioner in addition can evaluate where there is a mismatch between what the recovery requirement is for the organization and what the actual current capabilities of the organization are.  

  • Develop Continuity and Recovery Plans  

The first stage BIA and second stage recovery strategies are then combined to come up with the BC/DR plan. The plan will set out the BC/DR roles and responsibilities. It helps for this list to include insurance contacts, Key vendor relationships, legal resources, and digital forensic experts that are an important part of the continuity and recovery process involving damage assessment and situation analysis.  

In the BC/DR plan, there should be documentation of detailed procedures, resources requirements, and logistics of all the recovery plans of action. Organizations can also include a plan of relocating to an alternate site if there is a need to move operations.  

With the information collected during the business impact and recovery strategies analysis, documentation of data restoration and IT recovery plans is a must in the BC/DR plan. It is really important that how business and IT will work together in an orderly and successful way is plain to see.  

In the event of a disruption, employees should know what to do; how to communicate, where to go, and how to keep doing their jobs. The manual workaround evaluated by the practitioner should also be documented in the BC/DR plan.  

And lastly, the BC/DR plan should clarify the procedure to detect and report incidents. Having this knowledge and detailed documentation brings clarity and less confusion.  

  • Ongoing Training and Testing  

With the BC/DR plan in place, employees especially BC/DR plan employees are expected to know what to do, be able to rely on the IT systems to work according to plan. To gain this level of confidence there is a need for training and testing. Practitioners can create a guide for BC/DR team members directing attention to the high-risk areas. The test can include a review of the BC/DR plan, discussions by BC/DR teams, and simulation.  

Organizations should do regular tests of their backup and recovery processes to avoid discovering that the backup won’t work in the event of recovering data during a breach/cyber-attack. Testing results are to be documented. Practitioners may have to follow up with clients to see that the tests are occurring, results are documented and actions are taken on results when required.  

BC/DR plans need to be regularly review,maintained and improved due to changes in the organization like new software update, opening a new location, employees’ turnover over, or change in roles/responsibilities. Organizations can learn from the BC/DR training and testing.  

Subscribe to get the latest post.