Business Continuity Is Part of Cybersecurity
Whatever your organization does, you want to avoid unplanned downtime. You want continuity of operations, which we call "business continuity" for short. What interrupts business continuity? Anything that interferes with operations: sickness, power outages, bad weather, cyber attacks (threats), system failures (vulnerabilities) and data integrity issues (a mixture of both). The usual stuff.
In cybersecurity, most of the attention goes to cyber attacks, and we rarely hear about system failures or data integrity issues. But cyber attacks are not the only source of business disruption in the cyber domain.
The point is that data gets lost or corrupted, and these data issues can disrupt operations. The most common cause is (ahem) human error. But hardware failure does its part, as do bugs in software. And yes, sometimes evildoers do evil, despite cybersecurity.
Why draw attention to my blunder? Because I am on a mission to get people to understand that once your data is corrupted or gone, the restoration process is the same whatever the cause. It makes no difference who is responsible or what is responsible. It especially does not matter what motive, if any, is behind the problem. Missing or scrambled data has the same solution: restoration. Restoration is a function of backup procedures and policies, so we refer to them as a single thing: Backup & Restore.
Is Backup & Restore part of system administration or part of your cybersecurity program? The answer is "both."
You can choose to consider Backup & Restore as solely a system administration function, and that works unless and until the data loss or corruption is due to a cyber attack, at which point Restore somehow morphs from being a system administration function into being part of your cybersecurity Respond phase and/or Recover phase. (Respond and Recover are part of the NIST CSF. Check out this post for more.)
(For my fellow nerds, I offer this rather specific observation which non-nerds may wish to skip: generally, restoring configuration data is part of Respond and restoring business data is part of Recover.)
Some people don't want the administrative hassle of including Backup & Restore in their cybersecurity program. If Restore is sometimes part of your cybersecurity program, can we just include Restore? No. You cannot separate Backup from Restore because one defines the options for the other. At some point, your cybersecurity program will depend on your Restore capability, and your Restore capability always depends on your Backup policies and procedures. That means that Backup & Restore is part of the toolkit. You need policies and procedures that cover their use in Respond and in Recover.
Thank God we have good backups and I was able to restore this file easily. Is this a Cybersecurity Incident, requiring a report? Alas, it is: uptime was imperiled. There is something to be learned, mostly about my bad judgement and not doing this again. But there is a world of difference between silently telling myself to be more careful in future and gritting my teeth and documenting my mistake. Alas, the embarrassing and painful option is the correct one, mostly because it is embarrassing and painful.
(As with so much of cybersecurity, the fact that my group has a reasonable and supportive culture helps enormously: I may get some grief for my clumsiness but I won't be mocked or belittled or hurt my career. Behavior matters in cybersecurity, more deeply than we tend to admit.)
Right now I am flooded with relief and gratitude for our data management policies and procedures. They also serve who back up and restore, even if the reason you need them is a vulnerability and not a threat. You can get everyone pulling in the same direction and Pythia Cyber can help. Don't overlook systems administration, even if films and TV shows don't ever revolve around them.
Now I am going to take my fumbling fingers off the keyboard before I need any further Rescue by Restoration.