Joe Ozorio, CBCP
President, Disaster Recovery Information Exchange, Toronto
“There are two types of organizations when it comes to cyber breaches: those that have been hacked, and those that don’t know yet they’ve been hacked.” Of all the cute quotes by cybersecurity evangelists, I like this one best, because to me it reflects the all-pervasive nature of cyber breaches today. I truly doubt that there is any commercial, private or public organization where a hacking attempt hasn’t been made, whether successful or not. There are simply too many resources, technologies, motives, incentives and insidious purposes on the side of cyber criminals around the world for us to be able to avoid them.
We, the members of the Disaster Recovery Information Exchange (DRIE), have seen the rapid evolution of cyberattacks, which now impact every facet of our profession. The Business Continuity Institute’s (BCI) 2019 Horizon Scan Report, drawing input from 569 global professionals, shows that “cyberattack and data breach” is considered number one out of the top ten global threats over the next twelve months, and justifiably so, as you’ve likely read in the many articles in this publication. It’s for this reason that cyber resiliency has been a recurring theme at DRIE Toronto’s regular symposiums in recent years. We believe Business Continuity Management (BCM) and Organizational Resiliency professionals must be ever vigilant in understanding the threat and incorporating appropriate planning and response to meet the ever-changing nature of cyberattacks.
At our September 12th, 2019 symposium, our theme, “Testing and Exercises — why you should be including cyber in your exercises,” brought to the forefront compelling issues centered around cyber resiliency. Two of our presenters came from the cybersecurity departments of two of Canada’s major banks. You might imagine they have a tall order in protecting their banks’ assets from the claws of cyber criminals around the world. They talked about the current cyber threat landscape (cyber fraud, supply chain attacks, phishing, insider threats, and more) and risks to businesses ranging from loss of customer, client or employee information to electronic channel fraud. They demonstrated how the advantage is clearly and deeply on the side of the cyber attacker. These attackers consider what they do simply a business. They have patience and great skill and no rules of engagement. Their funding is unlimited because they simply steal what they need.
Above all, the two banks agreed that cyberattacks are not solely an IT problem. To think so is extremely short-sighted and places the organization at huge risk. Cybersecurity is a business problem, and everyone needs to be a cyber risk manager.
From a BCM professional’s perspective, regular business continuity exercises must incorporate cyberattacks in their scenarios or make a cyberattack the sole scenario. To not do this is to ignore what is now considered the number one threat globally.
If you’re a BCM or Resiliency professional, whether at the practitioner or management level, you’re in a unique and pivotal position to bring together many different parts of your organization to plan, prepare and practice response to what is inevitable, and not just a possibility anymore.
Cyberattacks have changed the very fabric of organizational resiliency. So too, we as BCM professionals must change with it, or be left in the cyber dust.
The Disaster Recovery Information Exchange (DRIE) is a non-profit, member-funded association of BCM and Resiliency professionals dedicated to the exchange of information on all aspects of Business Continuity Management, from emergency response to the resumption of business as normal. DRIE has chapters or affiliates across Canada and in the Caribbean.