FireSale HackBoy


Saturday, March 1, 2025

Business Continuity Planning: Scenarios vs. impact

The core aim of Business Continuity Planning is to ensure that an organisation can continue to deliver its products and services, minimise downtime and recover swiftly when faced with disruption.

There is a fundamental question, often posed when organisations begin planning: “should I plan for scenarios or impacts?” For example, should we have a plan for fire, flood, terrorist event and gas leak? Or should we instead plan for shared impacts such as the loss of premises?

The simple answer is that the only practical solution is to plan for impacts, not scenarios. The longer answer is that scenarios also have a part to play.

Scenarios play a vital role in bringing planning to life and making exercises ‘real’. In some cases, when a specific risk is highly likely, specific plans may be required to address that scenario. For instance, you may want a specific plan if your premises are located in an area likely to be targeted by terrorists or at high flood risk.

The increasing likelihood of cyber-attacks, along with their specific impacts, means all organisations should have a plan specific to this threat. As we will explore, it is this practical element that makes impact-based analysis so important – and why organisations should continue to prioritise it over scenarios.

What is Business Impact Analysis?

A Business Impact Analysis (BIA) is the cornerstone of business continuity. By assessing the potential impacts of disruptions, a BIA establishes priorities for recovery, the timeframes for bringing systems back online and the resources necessary to achieve these goals.

It is a process that focuses on the impacts rather than the causes of a disruption. In other words, a BIA helps businesses to understand the consequences of losing critical functions and services, regardless of the event that triggered the disruption.

For example, you might conduct a BIA to determine the Recovery Time Objective (RTO) for key business processes. This establishes the speed at which operations must be restored to avoid severe financial or reputational damage.

The trend towards scenarios

The appeal of scenarios as a core part of a BCP stems from their ability to simulate and test responses to specific crises. In turn, this offers a practical method for decision-makers to understand the complexities of potential disruptions and their consequences.

Scenarios are also an effective means of fostering engagement. Realistic, time-bound situations enable employees and leadership teams to immerse themselves in the experience, helping them to practise decision-making under pressure.

Finally, they can highlight weaknesses in existing plans and reveal areas for improvement, ultimately strengthening readiness for future events. By confronting the ‘what-ifs,’ organisations can implement proactive strategies to manage potential risks.

Assessing impact

Despite the trend towards scenario-based exercises, focusing on impact remains the most crucial aspect of Business Continuity Planning. While scenarios can simulate specific threats, it’s impossible to predict every possible disruption.

Real-life crises rarely follow a neatly scripted structure, and focusing too much on specific threats can lead to an overcomplicated, fragmented plan that is difficult to implement. On the other hand, impact-based planning remains an adaptable and versatile solution.

While there is an infinite number of potential scenarios, each will have shared impacts on your organisation’s key assets. These can be broken down into P-P-R-S:

  • People (skills and knowledge)
  • Premises (buildings and facilities)
  • Resources (IT, information, equipment, materials)
  • Suppliers (third-party products and services)

Evaluating the outcomes of disruption (such as lost revenue or reputational harm) rather than the cause enables organisations to ensure that their continuity plans are flexible enough to handle any event. To achieve this, a BIA is invaluable for highlighting critical business functions, as well as the resources needed to restore them, regardless of the type of disruption.
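The following is an added worked example, not code from the original post or from Cybersecurity Insiders. It models the two ideas above in a small Python script: business functions carry an RTO and depend on assets in the four P-P-R-S categories, and a scenario is described only by the assets it takes away. From that, the script derives the recovery deadline each asset must meet (the tightest RTO among the functions depending on it), which is the impact-based recovery plan, and then shows that any scenario, listed or not, resolves to the same asset-level plan. All functions, assets, RTO values and scenario mappings are constructed sample data, and the helper names (`asset_rtos`, `recovery_order`, `affected_functions`, `most_urgent_rto`, `impact_categories`) are this example's own.

```python
"""Impact-based Business Impact Analysis (BIA) model.

Added example, not from the original post. All assets, functions, RTO
figures and scenario mappings below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# The four shared-impact categories from the post (P-P-R-S).
CATEGORIES = ("People", "Premises", "Resources", "Suppliers")


@dataclass(frozen=True)
class Asset:
    name: str
    category: str  # one of CATEGORIES


@dataclass
class BusinessFunction:
    name: str
    rto_hours: int  # Recovery Time Objective for this function
    depends_on: Tuple[Asset, ...]


# Constructed sample assets, one or two per P-P-R-S category.
PAYMENTS_TEAM = Asset("payments team", "People")
HQ = Asset("head office", "Premises")
ERP = Asset("ERP system", "Resources")
EMAIL = Asset("email platform", "Resources")
CLOUD = Asset("cloud hosting provider", "Suppliers")
COURIER = Asset("courier", "Suppliers")

# Constructed sample functions with the RTO a BIA would assign to each.
FUNCTIONS: List[BusinessFunction] = [
    BusinessFunction("customer payments", 4, (PAYMENTS_TEAM, ERP, CLOUD)),
    BusinessFunction("order fulfilment", 24, (HQ, ERP, COURIER)),
    BusinessFunction("internal comms", 72, (EMAIL, CLOUD)),
]

# Constructed scenarios, each expressed purely as the assets it removes.
# Any scenario not listed here still maps onto the same asset categories,
# which is the reason the plan is built per impact rather than per cause.
SCENARIOS: Dict[str, Set[Asset]] = {
    "fire at head office": {HQ, PAYMENTS_TEAM},
    "ransomware": {ERP, EMAIL},
    "cloud provider outage": {CLOUD},
    "courier strike": {COURIER},
}


def asset_rtos(functions: Iterable[BusinessFunction]) -> Dict[Asset, int]:
    """Deadline each asset must be restored by: the tightest RTO among the
    functions that depend on it."""
    deadlines: Dict[Asset, int] = {}
    for fn in functions:
        for asset in fn.depends_on:
            current = deadlines.get(asset, fn.rto_hours)
            deadlines[asset] = min(current, fn.rto_hours)
    return deadlines


def recovery_order(functions: Iterable[BusinessFunction]) -> List[Tuple[Asset, int]]:
    """Assets ordered by deadline (then name): the impact-based recovery plan."""
    return sorted(asset_rtos(functions).items(), key=lambda kv: (kv[1], kv[0].name))


def affected_functions(functions: Iterable[BusinessFunction],
                       lost_assets: Set[Asset]) -> Dict[str, int]:
    """Functions disrupted when the given assets are lost, with their RTOs."""
    return {fn.name: fn.rto_hours for fn in functions
            if any(a in lost_assets for a in fn.depends_on)}


def most_urgent_rto(functions: Iterable[BusinessFunction],
                    lost_assets: Set[Asset]) -> Optional[int]:
    """Tightest deadline the response must meet for this loss, or None if
    nothing critical depends on the lost assets."""
    hit = affected_functions(functions, lost_assets)
    return min(hit.values()) if hit else None


def impact_categories(lost_assets: Set[Asset]) -> List[str]:
    """Which P-P-R-S impact plans a loss invokes."""
    return sorted({a.category for a in lost_assets})


if __name__ == "__main__":
    print("Impact-based recovery plan (asset, deadline in hours):")
    for asset, hours in recovery_order(FUNCTIONS):
        print(f"  {hours:>3}h  {asset.category:<9} {asset.name}")
    print("\nScenarios resolved to impacts:")
    for name, lost in SCENARIOS.items():
        print(f"  {name}: impacts={impact_categories(lost)}, "
              f"affected={affected_functions(FUNCTIONS, lost)}, "
              f"respond within {most_urgent_rto(FUNCTIONS, lost)}h")
```

Run with `python bia_example.py`. The point the output makes is the one the section argues: four quite different scenarios collapse onto the same six assets and the same deadlines, so one asset-level plan per impact category covers all of them, and a scenario that nobody wrote down (any other loss of one of those assets) is covered too.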

Striking a balance

The key to effective Business Continuity Planning is to find a balance between impact and scenario-based approaches. While scenario exercises can be invaluable to test your organisation’s response capabilities and prepare for specific crises, the foundation of any continuity strategy must be built around impact.

In an ideal world, scenario-based exercises should be used to test the effectiveness of impact-focused plans. By combining these approaches, businesses can ensure they are both proactive (anticipating potential crises) and resilient (prepared to deal with that disruption).

Recognising the value of both is crucial to develop a robust and comprehensive strategy, ensuring that recovery efforts are focused on the outcomes that matter most to your business.

The post Business Continuity Planning: Scenarios vs. impact appeared first on Cybersecurity Insiders.


March 01, 2025 at 07:34PM

The New Face of Executive Protection: Why Digital and Physical Security Can No Longer Stand Alone

The security landscape for corporate leaders has reached a critical inflection point. Physical threats against executives have surged by 88%, but what’s even more alarming is how these threats have evolved. Today’s attackers aren’t just gathering intelligence online – they’re weaponizing it for sophisticated, hybrid attacks that exploit the traditional divide between cyber and physical security operations.

In this new reality, digital and physical environments have become inextricably intertwined. Threat actors target everything from Personally Identifiable Information (PII) to social media presence, using this intelligence to orchestrate more sophisticated attacks. The goal isn’t just compromising digital assets – it’s inflicting tangible reputational and financial damage on companies, through their leaders.

The Dangerous Divide

For too long, organizations have treated digital and physical security as separate domains, each with its own teams, tools, and protocols. While traditional executive security measures like bodyguards, corporate security teams, and cyber threat intelligence all play crucial roles, taking a fragmented approach creates dangerous blind spots. Threat actors have recognized this division as a critical weakness, and they’re increasingly exploiting it.

Consider a common scenario: An attacker purchases an executive’s PII through a data broker site and discovers details about their family, including their home address and children’s names and ages. Armed with this intimate knowledge, they craft impersonation scams that leverage these personal details to deceive employees into revealing sensitive company information. This is just one way attackers bridge digital and physical realms to target corporate leaders.

The stakes go far beyond digital deception. What begins as digital reconnaissance can quickly evolve into physical surveillance or attack, made more effective by detailed intelligence gathered online. The diversity of teams and strategies involved in executive security often leads to fragmentation, when what’s really needed is a cohesive solution.

Breaking Down Silos Between Physical and Digital Security

To counter these hybrid threats, security teams need to fundamentally reimagine their approach to executive protection. This means breaking down the artificial barriers between digital and physical security, and creating integrated protection programs that address the full spectrum of modern risks.

The first step is to establish systematic monitoring of digital indicators that could signal impending physical threats. This includes analyzing social media sentiment; tracking mentions of executives across the surface, deep, and dark web; and monitoring for leaked personal information that could be exploited by attackers. The power of this approach was recently put to the test, when our analysts identified a threat actor who had posted plans on social media to attack a corporate building with an AR-15 rifle. By cross-referencing various platforms and arrest records, our team discovered the individual had a violent history. And through detailed analysis of background objects in the person’s social media photos, our analysts pinpointed their location, enabling law enforcement to intervene before any harm could occur.

Second, security teams need to develop shared protocols and communication channels that enable rapid response to emerging threats, regardless of whether they manifest in the digital or physical realm. Establishing real-time physical security monitoring that maintains situational awareness is crucial, especially during executive travel. Proactive monitoring of social media accounts, digital platforms, and suspicious activity is critical for identifying and neutralizing potential threats before they escalate to full-scale attacks.

Third, organizations must take a more proactive approach to protecting executive privacy and PII. Data broker sites routinely collect and sell detailed executive profiles containing everything from home addresses to income details and medical records. This information becomes ammunition for sophisticated attacks, including imposter scams where attackers use personal details about an executive’s family to make their deceptions more convincing. Monitoring for, and quickly removing, this sensitive information helps keep it off the digital marketplace.

Looking Ahead: A Modern Approach to Executive Protection

As the digital landscape expands, so do the opportunities for cyber exploitation targeting executives, and the line between digital and physical security becomes increasingly blurred. Companies that put up barriers between these domains risk creating dangerous blind spots that sophisticated attackers will exploit. The solution isn’t simply to add more layers – it’s to fundamentally reshape how we think about and implement executive protection.

This means creating comprehensive digital monitoring across social media and dark web channels, establishing real-time threat alert systems, and implementing robust personal information protection programs. Organizations should build unified security operations centers where digital and physical teams work together seamlessly, develop integrated response protocols, and ensure all security personnel are trained to recognize how online threats can signal physical danger.

The stakes are too high to continue with outdated executive security models. In today’s world, every digital breadcrumb can be weaponized for physical attacks. The question isn’t whether to integrate digital and physical security – it’s how quickly organizations can adapt before sophisticated attackers exploit their divided defenses.


The post The New Face of Executive Protection: Why Digital and Physical Security Can No Longer Stand Alone appeared first on Cybersecurity Insiders.


March 01, 2025 at 06:39PM

Why Cyber Resilience Legislation is Vital to Safeguarding Our Networks

Mary Ward was a pioneer. Her talent for drawing, her research on insects and the several books she wrote on microscopy made her one of the most prominent scientists in the British Isles – a novelty for a woman at the time. Another novelty was her steam-powered carriage, in which she rolled through Ireland. In 1869, her vehicle earned her a sad notoriety: Ward is considered the first road traffic fatality. On a bend, the 42-year-old slipped off the bench and fell in front of the cart, which then ran over her. Seat belts, which might have saved the life of the mother of eight, were not mandatory at the time. It was only around 1900 that rules for traffic as we know them today emerged: rules to avert damage and to make everyone’s interaction safer for all. The same holds today in the IT world. Countries are pushing ahead with legislation with the aim of protecting companies, administrations, and individuals from dangers from cyberspace.

Traffic regulations for more cyber security

From North America to India and Asia – all over the world, digital traffic regulations are in demand. Politicians are looking for ways to make the digital economy more resilient. The goal: to establish a culture of security in all private and public spheres. A look at Europe shows how this might be achieved. The European Union is currently pushing ahead with the new version of the directive on Network and Information Systems (NIS2). The EU is pursuing the idea of modernizing the existing legal framework and adapting it to the intensifying threat situation. Although more digitalization also creates more opportunities for value creation, every additional digital opportunity also opens up potential gateways for third parties with nefarious intentions.

Whether it’s the energy, water, banking, finance, or health sectors, NIS2 extends the group of companies and public institutions that must make their IT landscape more resilient. This applies to all sectors that are of crucial economic and social importance and are particularly dependent on information and communication technologies. The rules apply directly to a wider range of institutions and indirectly to companies that are part of a supply chain. The example of CrowdStrike shows why this is crucial: on July 19, 2024, the cybersecurity provider delivered a faulty update that caused computer systems around the world to fail. Around 8.5 million Windows devices at airlines, hospitals and retailers were affected. It was a simple glitch, but in a fully digitally networked economy, it turned into an unprecedented problem.

Authorities, standards and guidelines to mitigate cyber risks

From hackers and botnets to accidents and mishaps, more and more digitalized and industrialized economies are arming themselves against threats like these. In 2022, for example, the Strengthening American Cybersecurity Act was passed in the US. The law updates existing federal information security regulations, requires operators of critical infrastructure to report cyber and ransomware attacks, and improves the security of cloud services for federal agencies. Malaysia has taken a similar path: Malaysia’s first standalone Cyber Security Act 2024 came into force in 2024. The law sets regulatory standards for cybersecurity and aims to protect the national critical information infrastructure. A dedicated agency – the National Cyber Security Committee – is to implement and monitor the requirements. The same applies to India and Singapore: the subcontinent has set up its own government agency, the Indian Computer Emergency Response Team, which publishes guidelines and recommendations for companies and is responsible for preventing cyber attacks. And the city state aims to protect critical information infrastructures with its Cybersecurity Act, introduced in 2018.

Internet Exchanges and cyber resilience: More resilience for providers and customers

Critical infrastructure with particularly high economic importance and need for protection: this is precisely the situation of telecommunications companies in many countries around the world. The basic principle is that to make networks resilient, all levels – from undersea cables to Internet Exchanges to data centers – must be individually secured. In practical terms, this means that each infrastructure is only as resilient as the individual elements of which it is composed. So, if all the components of a shared infrastructure – be it the roads or the global telecommunications infrastructure – are designed to be redundant and diversified, the overall system will be more resilient for everyone: on the one hand, for the providers who deliver their services in this way and, on the other hand, for the customers who build their own IT on such mutually secured services and solutions.

Telecommunications providers in particular are setting a good example in this respect. In contrast to other industries, they often have a fully integrated resilience approach, as figures from PwC’s Global Crisis and Resilience Survey 2023 show: Technology, Media and Telecommunications has the most integrated resilience programs (28%), ahead of Health (24%), Energy (24%), and Financial Services (22%). This includes interconnection providers in Europe and Germany – in view of NIS2, some operators will have to tighten up their identity and access management, but in principle, interconnection services already belong to the “critical infrastructure” category (according to NIS1). In addition, many Internet Exchanges are now certified according to national regulatory requirements such as the so-called IT-Grundschutz from the German Federal Office for Information Security and ISO27001. Both are recognized frameworks and standards for IT and information security, which NIS2 demands.

Not just a compliance exercise: Weighing up IT risks in our own economic interest

Whether in Berlin, Kuala Lumpur, New Delhi or Washington – companies that want to ensure professional and secure IT operations for themselves and their customers have always been well advised to follow guidelines and standards for greater IT security. And that is true even out of pure economic self-interest. The experts at PwC, for example, recommend that laws for more cyber resilience should not be dismissed as mere compliance and checklist exercises, but should be recognized as a competitive advantage. Those who do not base their actions solely on how the law will affect them elevate their own corporate interests to the level of the common good of society.

Self-interest as the basis for the common good? Whether on the information superhighway or on the road, it makes sense. Since they came into force in 1934, Germany alone has amended its road traffic regulations more than 30 times – from speed limits to lane markings to the general requirement to wear seat belts. Very much in the spirit of Mary Ward.


The post Why Cyber Resilience Legislation is Vital to Safeguarding Our Networks appeared first on Cybersecurity Insiders.


March 01, 2025 at 05:22PM