BCP

Conclusion:

There is no denying that the incidence and severity of ransomware cyber attacks, both real and fake, are on the rise. Whether the attacks are State-based or purely criminal in nature, organisations need to address their ability to both defend against such attacks and respond appropriately when they occur. The impact of a successful breach can have a high cost in the areas of productivity, reputation and the potential for financial losses. A good defensive posture against cyber attacks will make your organisation a harder nut to crack for the attackers.

Conclusion

With the growth of dependence on ICT for business to perform effectively, many organisations face increased risk associated with the ability of ICT to provide service continuity. ICT downtime means business is negatively impacted. Many organisations believe the DRP is a problem that is ICT's to solve. Whilst ICT will lead the planning and do a lot of the heavy lifting when a disaster occurs, it can only be successful with the assistance and collaboration of its business partners. It will be the business that sets the priorities for restoration and accepts the risk.

Both business and ICT need to be comfortable that the disaster recovery (DR) plan has been verified to ensure a reasonable expectation that recovery will be successful.

The Latest

29 April 2021: Microsoft briefed analysts on its expansion of Azure data centres throughout Asia. By the end of 2021, Microsoft will have multiple availability zones in every market where it has a data centre.

The expansion is driven in part by a need for additional Cloud capacity to meet greenfield growth. Each new availability zone is, in effect, an additional data centre of Cloud services capability.

However, the true focus is on providing existing Azure clients with expanded options for deploying services over multiple zones within a country.  

Microsoft expects to see strong growth in organisations re-architecting solutions that had been deployed to the Cloud through a simple ‘lift and shift’ approach to take advantage of the resilience granted by multiple zones. Of course, there is a corresponding uplift in revenue for Microsoft as more clients take up multiple availability zones.

Why it’s Important

While there is an argument that moving workloads to Cloud services, such as Azure, has the potential to improve service levels and availability, the reality is that Cloud data centres do fail. Both AWS and Microsoft Azure have seen outages in their Sydney, Australia data centres. What history shows is that organisations that had adopted a multiple availability zone architecture tended to have minimal, if any, operational impact when a Cloud data centre went down.

It is clear that a multiple availability zone approach is essential for any mission critical application in the Cloud. However, such applications are often geographically bound by compliance or legislative requirements. By adding additional availability zones within countries throughout the region, Microsoft is removing a barrier for migrating critical applications to the Cloud, as well as driving more revenue from existing clients.

Who’s impacted

  • Cloud architecture teams
  • Cloud cost / procurement teams

What’s Next?

Multiple availability zone architecture should be considered on the basis of future business resilience in the Cloud. It is not the same thing as ‘a hot disaster recovery site’ and should be viewed as a foundational design consideration for Cloud migrations.

Related IBRS Advisory

  1. VENDORiQ: Amazon Lowers Storage Costs… But at What Cost?
  2. Vendor Lock-in Using Cloud: Golden Handcuffs or Ball and Chain?
  3. Running IT-as-a-Service Part 49: The case for hybrid Cloud migration

The Latest

18 March 2021: Veeam released a report which suggests that 58% of backups fail. After validating these claims, and from the direct experiences of our advisors who have been CIOs or infrastructure managers in previous years, IBRS accepts there is merit in Veeam’s claim.

The real question is, what to do about it, other than buying into Veeam’s sales pitch that its backups give greater reliability?

Why it’s Important

Sophisticated ransomware attacks are on the rise. So much so that IBRS issued a special alert on the increasing risks in late March 2021. Such ransomware attacks specifically target backup repositories. This means creating disconnected, or highly-protected backups is more important than ever. The only guarantee for recovery from ransomware is a combination of well-structured backups, coupled with a well-rehearsed cyber incident response plan. 

However, protecting the backups is only useful if those backups can be recovered. IBRS estimates around 10-12% of backups fail to fully recover, which is measuring a slightly different, but more important situation than touted by Veeam. Even so, this failure rate is still far too high, given heightened risk from financially-motivated ransomware attacks.

Who’s impacted

  • CIO
  • Risk Officers reporting to the board
  • CISO
  • Infrastructure leads

What’s Next?

IBRS has identified that better practice for backup must include regular, unannounced practice runs to recover critical systems from backups. These tests should simulate as closely as possible the events that could lead to a recovery situation: critical system failures, malicious insiders and ransomware. Just as organisations need to rehearse cyber incident responses, they also need to thoroughly test their recovery regime.

Related IBRS Advisory

  1. Maintaining disaster recovery plans
  2. Ransomware: Don’t just defend, plan to recover
  3. Running IT-as-a-Service Part 59: Recovery from ransomware attacks
  4. Ransomware, to pay or not to pay?
  5. ICT disaster recovery plan challenges
  6. Testing your business continuity plan

The Latest

28 March 2021: AWS has a history of periodically lowering the costs of storage. But even with this typical behaviour, its recent announcement of an elastic storage option that shaves 47% off current service prices is impressive. Or is it?

The first thing to realise is that the touted savings are not apples for apples. AWS’s new storage offering is cheaper because it resides in a single-zone, rather than being replicated across multiple zones. In short, the storage has a higher risk of being unavailable, or even being lost by an outright failure. 

Why it’s Important

AWS has not hidden this difference. It makes it clear that the lower cost comes from less redundancy. Yet this architectural nuance may be overlooked when looking at ways to optimise Cloud costs.

One of the major benefits of moving to Platform-as-a-Service offerings is the increased resilience and availability of the architecture. Cloud vendors, including AWS, do suffer periodic failures within zones. Examples include the AWS Sydney outage in early 2020 and the Sydney outage in 2016 which impacted banking and e-commerce services.  

But it is important to note that even though some of Australia’s top companies were effectively taken offline by the 2016 outage, others just sailed on as if little had happened. The difference is how these companies had leveraged the redundancies available within Cloud platforms. Those that saw little impact to operations when the AWS Sydney data centre went down had selected redundancies in all aspects of their solutions.

Who’s impacted

  • Cloud architects
  • Cloud cost/contract specialists
  • Applications architects
  • Procurement leads

What’s Next?

The lesson from previous Australian AWS outages is that organisations need to carefully weigh the risk of downtime for each specific application against the savings on offer. This new announcement shows that significant savings (in this case 47%) are possible by accepting a greater risk profile. However, while this may be attractive from a pure cost optimisation/procurement perspective, it also needs to be tempered with an analysis of the worst case scenario, such as multiple banks being unable to process credit card payments in supermarkets for an extended period.

Related IBRS Advisory

  1. VENDORiQ: AWS second data centre in Australia
  2. Post COVID-19: Four new BCP considerations
  3. Running IT-as-a-Service Part 55: IBRS Infrastructure Maturity Model

Conclusion

Many security incidents are having major impacts on organisations. In too many cases these are left to the information technology teams to handle.

Yet the group most responsible for an organisation’s continued survival and growth is the chief officer (CxO) group. Incident response therefore ultimately resides with this group. In order to develop the ability to handle a major attack on an organisation, it is imperative that the CxO group also become familiar with responding to cyber security events.

This can be done by running tabletop exercises that then become the basis for building more detailed plans around communications, crisis management, and the organisation’s preparedness.

The Latest

27 March 2021: Google has announced programs with two US-based insurance companies where clients taking up Google Cloud Platform security capabilities will receive discounts on cyber insurance premiums. 

Why it’s Important

The number of serious cyber incidents is on the increase and insurance premiums in the US have tripled over the last two years. Having a cyber incident response plan in place helps mitigate the risks and reduces the recovery time from a cyber incident, but also contributes to lowering the premium for cyber insurance. It is akin to having fitted window locks to a house, lowering insurance premiums in certain circumstances.

Google’s security posture, threat assessment services and services for managing security incidents effectively are considered sufficient to both reduce the frequency of security incidents and lessen their impact. Insurance actuaries see the benefit in such services and have determined there are savings to be made from the lower risk and risk mitigation profiles.

Notwithstanding any special programs brokered between Cloud vendors and insurers, being able to demonstrate both a strong security posture and, importantly, an incident response plan will drive down an organisation's premiums, especially as insurance companies are inserting their own teams into incident response situations. 

Who’s Impacted

  • CIO
  • Development team leads
  • Business analysts

What’s Next?

If not already done, organisations should undertake a cyber risk assessment and implement a cyber incident response plan backed by appropriate cyber insurance. 

Related IBRS Advisory

  1. Improving Your Organisation’s Cyber Resilience
  2. Incident Response Planning: More Than Dealing with Cyber Security Breaches and Outages
  3. How Does Your Organisation Manage Cyber Supply Chain Risk?
  4. Why You Need a Security Operations Centre

The Latest

16 February 2021: Veeam continues to expand its footprint across the hyperscale Cloud vendors with the introduction of Veeam Backup for Google Cloud Platform. This follows its December 2020 announcement of the general availability of AWS v3 Backup and Azure v4 Backup. As a result, Veeam now provides backup and recovery capabilities across - and just as importantly between - the three major hyperscale Cloud vendors.

Why it’s Important

During a briefing with IBRS, Veeam detailed its strong growth in the Asia Pacific region. It also discussed its strategy for providing backup and recovery capabilities over the major hyperscale Cloud services: Azure, AWS and Google. The demand for Cloud backup and recovery is growing with greater recognition that organisations adopting hybrid Cloud (the most likely future state for many organisations) need more consistent and consolidated approaches to management, including backup and migration of data between Clouds. VMware is seeing growth in its hybrid Cloud management capabilities as well, and the synergy between Veeam and VMware products is no coincidence.

Who’s Impacted

  • Cloud architects
  • Business continuity teams

What’s Next?

Backing up Cloud resources appears to be a simple process. Taken service by service, this might be true. In reality, however, backup becomes increasingly challenging: as more and more applications are made up of a myriad of components, the result is a rapidly evolving ecosystem of solutions. Hence, data recovery and restoration are also getting more complex. This is further exacerbated by the growing adoption of hybrid Cloud.

Organisations need to explore backup and recovery based on not only current state Cloud architecture, but possible migration between Cloud services and where different integrated applications reside on different Cloud platforms.

Conclusion: Ransomware attacks have been in the news lately with Toll, Talman, Travelex and Manheim Auctions all having their day-to-day operations completely shattered. Many pundits and security product vendors are touting their initiatives to help an organisation defend itself against such an attack.

Despite all best efforts, there is no 100% guaranteed defence against succumbing to a ransomware attack. So rather than investing still more funds in defensive products, it is well worthwhile creating a strategy to allow a rapid recovery or re-establishment of service after being struck by an attack.

It is possible to develop some strategies, all relatively inexpensive apart from time, that will position an organisation to have an excellent chance of quickly returning to normal productivity after a ransomware attack.

Conclusion: The increased proliferation of critical digital services has resulted in ransomware attacks becoming one of hackers’ means to make money. As a consequence, many organisations have become the victims of such attacks. IT organisations should implement a full recovery strategy to restore IT services in the event of ransomware attacks. The recovery strategy should become an integral part of the disaster recovery plan. This will raise business stakeholders’ trust in the service security and reduce the spread of this type of IT organised crime.

Conclusion: Pandemic planning is a strategic approach to business continuity that anticipates and prepares for a widespread outbreak of an infectious disease.

Business continuity planning can over-emphasise short-term technology platform failures, but consideration also needs to be given to the potential risk of an outbreak of a disease that could spread and may not be resolved quickly. The period of risk may extend over several months or longer. Some forecasts for the coronavirus speculate it could take 12 to 18 months to come up with a vaccine.

The impact and planning needs to consider both internal and external factors; that is, how the pandemic event may impact employees and the organisation’s ability to keep its business operating. External factors will include the impact of the pandemic event on external service providers, suppliers and customers.

Being prepared: IBRS has created a BCP checklist to help you create and/or update your business continuity plan.

This diagram is to be used in the following ways:

  • A checklist to ensure all BCP steps have been actioned and/or updated as required
  • An easy reminder to update the key supporting documents to the BCP so they remain current, which include:
    • Enterprise risk frameworks
    • Business impact analysis documents
    • Evacuation and lockdown procedures
    • Recovery plans and testing of these plans
    • IT disaster recovery plans
    • Communication plans
    • Regular executive reporting

Conclusion: Australian organisations must have strong disaster recovery plans, be it for natural disasters or man-made disasters. The plans need to deal with the protection and recovery of facilities, IT systems and equipment. It is also critical that the plan deals with the human side of the impact of a disaster on the workforce. What planning needs to be done, what testing will be done, what will happen during a disaster and what needs to be done after a disaster?

This planning can be complex and confronting. Whilst testing the failover of IT systems can be relatively straightforward, testing the effectiveness of the workforce side of a plan will be difficult, and may even disturb employees who may prefer to think “surely it will never happen to us”.

Conclusion: Two key supporting artefacts in the creation of pragmatic incident response plans are the incident response action flow chart and the severity assessment table. Take time to develop, verify and test these artefacts and they will be greatly appreciated in aiding an orderly and efficient invocation of the DRP/BCP and restoration activities.

Conclusion: Adherence to the recently introduced guidelines under ISO 31000:2018 is central to every ICT manager’s responsibilities and leadership remit, as ICT managers are key in driving and leading the adoption of risk management guidelines across an organisation due to the overarching responsibility of creating and protecting value. These new risk management guidelines have been deliberately rewritten to be simpler and based around a newly reviewed set of principles, framework and processes. Greater emphasis is now placed on leadership to ensure risk management is more integrated and to ensure more actions and controls are in place at critical stages of projects as well as business operations.

Related Articles:

"Risk management – Tips and techniques" IBRS, 2017-10-02 22:35:45

"Testing your business continuity plan" IBRS, 2019-05-31 13:39:29

Conclusion: ICT disaster recovery plans (DRPs) have been in place for many years. Fortunately, invoking these plans is rare, but just like insurance plans, it is wise to ensure the fine print is valid, up to date and tested on a regular basis to minimise the time taken to restore business services reliant on the complex range of IT enablers in place. Adoption of general Cloud services and the ever-changing ICT asset landscape requires careful alignment with the DRP to be ready when restoration is required.

Conclusion: In times of business disruption, a pragmatic and accessible incident response plan (IRP) will become the main tool in getting the business back to normal operation and minimising loss of revenue, services and reputation. This holds true during the time of stress when attempting to get back to normal operations. Using the analogy of insurance: it is highly recommended to have, hopefully rarely required, and of little or no use if, when you need it, you find it is out of date and/or incomplete. The same principle applies when you need to activate the IRP to quickly get that critical business function operating to sufficient levels.

Related Articles:

"Pragmatic business continuity planning" IBRS, 2018-08-01 09:12:08

"Testing your business continuity plan" IBRS, 2019-05-31 13:39:29

"Top 10 considerations when running an incident response drill" IBRS, 2018-09-04 13:29:16

"What are the important elements of a Disaster Recovery Plan?" IBRS, 2016-08-30 01:17:08

Conclusion: Regular testing of the business continuity plan (BCP) has many benefits which go beyond ticking the mandatory compliance box to keep audit off the back of executives. Effective testing exercises ensure the BCP has been updated and includes sense-checking the completeness of resources required in the recovery strategies of critical business functions. Running regular BCP exercises also has the benefits of raising the importance of identifying weaknesses, aligning restoration time expectations and ensuring continuous improvement.

Related Articles:

"Pragmatic business continuity planning" IBRS, 2018-08-01 09:12:08

"Top 10 considerations when running an incident response drill" IBRS, 2018-09-04 13:29:16

"What are the important elements of a Disaster Recovery Plan?" IBRS, 2016-08-30 01:17:08

Conclusion: Conducting effective business impact analysis details the business functions and provides further insight into the relative importance of each function and its criticality. The information is then used as the main source to develop business recovery strategies, the priority of restoration and identification of resources to aid in the restoration of business services. However, there are many challenges in performing this critical step in order to be best prepared when those business disruptions do occur.

Conclusion: IT organisations responding to mergers and acquisitions, or migrating to multi-sourced environments of Cloud and service contracts, should establish service provider governance frameworks that favour the principles of federated organisations. This requires maintaining central consistency (e.g. policymaking) whilst allowing local autonomy in certain areas (e.g. hardware purchases). This will leverage economies of scale, allow the acquisition of local services and products more efficiently, and permit the introduction of new geographies whenever needed in a consistent manner.

Conclusion: Organisations need to plan to quickly and successfully recover business operations by creating and updating business continuity plans (BCPs) supported by disaster recovery plans (DRPs). However, there are many challenges to overcome in order to keep these plans useful in readiness when business disruption eventuates.

Conclusion: Keeping business continuity plans (BCP) succinct, up to date and easy to read will reap rewards when they are required during a business disruption.

Related Articles:

"Astute Leadership needed in a crisis" IBRS, 2017-01-01 10:35:45

"Investing in Business Resilience Planning - the CIOs hardest sell" IBRS, 2012-08-31 00:00:00

"Running IT-as-a-Service Part 40: Aligning business continuity and IT disaster recovery plans" IBRS, 2018-03-31 06:56:00

Conclusion: Effective risk management, whether it is for a change initiative or for ongoing business operations, will ameliorate harm or at the very least reduce the impact of harm. Leaders must understand risk management, and plan and engage with risks and mitigate the risks as appropriate on an ongoing basis.