The volume of cyber-attacks continues to rise and will reach a new peak in 2024. Complex and customized attack methods, which are being rapidly developed, are a cause for concern. Successful ransomware attacks remain the number one threat to companies, causing billions of dollars in damage annually.
A well-thought-out IT emergency management system can help.
In 2023, small and medium-sized enterprises (SMEs) were a popular target for cyber attacks. There are two main reasons for this:
- SMEs are often part of the supply chains of large, global players. Therefore, SMEs are gateways for attacks on large companies.
- Medium-sized companies are often insufficiently protected against cyber-attacks because, unlike corporations, they tend to have limited resources for IT security.
What can companies do to protect themselves?
This is precisely where IT emergency management – as part of business continuity management (BCM) – comes into play.
To ensure that critical business processes and business continuity continue to exist, preventive and reactive emergency management must go hand in hand. In other words, business operations must not be interrupted even in the event of large-scale damage, or must be able to resume within an acceptable time.
The task of preventive emergency management is to prevent failures of critical business processes, true to the motto “Prevention is better than cure.”
At this point, companies must define RTO (Recovery Time Objective) and RPO (Recovery Point Objective) for the relevant assets, components and processes. The basis of preventive emergency management is the creation of an emergency preparedness concept. Depending on the individual requirements, this includes a description of all organizational and conceptual aspects of emergency management as well as specifications for individual BCM process steps.
Concepts and plans, such as a practice manual or an annual practice plan, are to be derived from the emergency preparedness concept.
A business impact analysis (BIA) forms the basis for the operational level of the preventive part. Here, the (business) processes and the underlying IT systems are identified and described in terms of their maximum tolerable downtime and recovery time.
The questions at the center of the analysis are:
- Which business processes are time-critical for the performance of business activities?
- Which resources are required in emergency mode?
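As an added illustration of the BIA data described above (example code, not part of the original article): a minimal model that records, for each time-critical process, its maximum tolerable downtime (MTPD), RTO, RPO and the IT systems it depends on, then checks that the targets are achievable given each system's tested restore time and backup interval, and derives the recovery priority for emergency operation. All process and system values are constructed for a hypothetical SME.

```python
# Added example (not from the article): a minimal BIA model that records, per
# time-critical process, its MTPD, RTO, RPO and IT dependencies, then checks
# the targets for consistency. Inventory values are constructed, not real.
from dataclasses import dataclass, field

@dataclass
class ItSystem:
    name: str
    backup_interval_h: float  # how often a restorable backup is taken
    restore_time_h: float     # tested time to rebuild from that backup

@dataclass
class BusinessProcess:
    name: str
    mtpd_h: float   # maximum tolerable period of disruption
    rto_h: float    # recovery time objective
    rpo_h: float    # recovery point objective (acceptable data loss)
    depends_on: list = field(default_factory=list)

def check_bia(processes, systems):
    """Return findings; an empty list means the recovery targets are consistent."""
    by_name = {s.name: s for s in systems}
    findings = []
    for p in processes:
        if p.rto_h > p.mtpd_h:   # recovery must complete before the pain threshold
            findings.append(f"{p.name}: RTO {p.rto_h}h exceeds MTPD {p.mtpd_h}h")
        for dep in p.depends_on:
            s = by_name.get(dep)
            if s is None:
                findings.append(f"{p.name}: dependency {dep} missing from inventory")
                continue
            if s.restore_time_h > p.rto_h:   # RTO is bounded by the slowest restore
                findings.append(f"{p.name}: {dep} restore {s.restore_time_h}h > RTO {p.rto_h}h")
            if s.backup_interval_h > p.rpo_h:  # RPO is bounded by backup frequency
                findings.append(f"{p.name}: {dep} backups every {s.backup_interval_h}h > RPO {p.rpo_h}h")
    return findings

def recovery_order(processes):
    """Priority for emergency operation: tightest RTO first, then tightest MTPD."""
    return [p.name for p in sorted(processes, key=lambda p: (p.rto_h, p.mtpd_h))]

# Constructed sample inventory for a hypothetical SME
SYSTEMS = [ItSystem("erp-db", 24, 6), ItSystem("mail", 4, 2), ItSystem("file-server", 24, 12)]
PROCESSES = [
    BusinessProcess("order-processing", 8, 4, 1, ["erp-db", "mail"]),
    BusinessProcess("payroll", 72, 48, 24, ["erp-db"]),
    BusinessProcess("customer-support", 24, 8, 4, ["mail", "file-server"]),
]
```

Running `check_bia(PROCESSES, SYSTEMS)` on the sample inventory reports five gaps (for example, the ERP database's daily backup cannot satisfy order processing's one-hour RPO), which is exactly the kind of mismatch the BIA is meant to surface before an emergency rather than during one.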
Another part of operational readiness is the emergency drills that are regularly planned, prepared, executed and followed up on.
The role of the emergency officer is central to IT service continuity management. This person is responsible for defining a framework of systematic practice. They are also responsible for documenting the necessary steps in terms of preparation, execution and follow-up.
In addition to the precautions just described (preventive emergency management), plans and measures for emergency response (reactive emergency management) must be implemented and embedded within the company in equal measure.
The aim of reactive emergency management is to prepare suitable options to ensure business continuity in the event of damage.
In other words, business operations must not be interrupted even in the event of large-scale damage, or must be continued within a reasonable time at a defined minimum level. Regarding reactive emergency management, the design and implementation of an emergency manual is a high priority.
Reactive IT service continuity management starts with the question: what is important at the operational level? Here, the emergency scenarios derived from the threat situation, the (internal and external) requirements, the economic, demographic and geographic situation, and the BIA must be considered.
The focus is on business continuation and recovery plans for each emergency scenario.
The business continuity plan includes how the company reacts to a business interruption following a resource failure. In this context, emergency measures and work instructions are derived from the business continuity (BC) strategies to determine how the affected (time-critical) business processes can be maintained until recovery.
The recovery plans contain information on how the company will restore the failed resources to an agreed-upon emergency operating level.
At this point, a brief example of an emergency scenario:
Imagine the following:
A successful ransomware attack has allowed hackers to encrypt critical IT systems and disable business processes. Nothing works anymore. A worst-case scenario has become reality.
Background:
The darknet has practically encouraged and popularized the phenomenon of “cybercrime as a service.” Complete ransomware campaigns are now attributed to this illegal business model.
In a crisis situation like this, keeping calm and using carefully thought-out, tested concepts and workflows are good guides: the main thing is to use the emergency manual to stop the attack as quickly as possible, minimize the effects and restore normal operations immediately.
To do this, it is essential to be able to access alternative communication options outside the compromised network.
Telephone numbers and contact details of key contact persons should be kept in offline documentation (in paper form) and thus be independent of the company’s own IT. This means that the company must have access to mobile phone numbers of relevant contacts that are not part of the company’s own IT infrastructure and are therefore not affected by the attack. It is about more than just securing IT systems. The purpose of IT service continuity management is to ensure the survival of a company in an emergency.
IT service continuity management in BCM: we distinguish between four implementation phases
While IT service continuity management focuses on preparation and rapid response to an emergency, BCM goes further. Here, the focus is on the continuation of a company’s business operations after an incident or emergency.
Realization Phase 1: Analysis of requirements and threat situation
This phase in the BCM lifecycle provides the basis for the subsequent steps. The aim is to identify the internal and external requirements, internal specification catalogues and implementation recommendations from recognized authorities, and to put them in the right context.
It is also possible to derive these criteria from your own threat situation and the risks facing the company. The threat environment and all business risks should be monitored constantly, reviewed and updated regularly or as needed. The BSI threat catalog can serve as a basis for this.
A final step in the analysis phase is to identify the essential or time-critical business processes as part of the BIA in order to determine priorities for emergency operation; this also includes the required resources and their RPO and RTO. Phase 1 is therefore about understanding the BCM requirements as well as the corporate threats and risks.
Realization Phase 2: Design
The objective here is to identify and evaluate emergency scenarios based on the company’s requirements and threats, such as staff shortages, ransomware attacks or the loss of data center locations. To minimize the damage caused by the occurrence of possible emergency scenarios, organizational, tactical and technical measures must complement each other. The concept of emergency management must be designed holistically at strategic, operational and tactical levels and supported by technical and organizational steps. These must be established both in the areas of emergency preparedness and response.
Realization Phase 3: Implementation
The focus of the implementation phase is on creating specific manuals, emergency plans and work instructions. These plans are designed to restore operations to the emergency level and to restart the affected resources in the event of an incident. They also contain detailed information on priorities, procedures for business continuation and recovery, as well as role responsibilities and communication plans.
Most importantly, a crisis organization must be defined, including, for example, a crisis management team, an assistance and service team (AST) and operational response teams.
Realization Phase 4: Validation
Testing, practicing, maintaining and reviewing make up the bulk of this phase. Through solid preparation, execution and follow-up of the emergency drills, errors can be uncovered and improvements made. Relevant documents must be kept up to date. Quality assurance is reviewed through, among other things, self-assessments, audits, controls by the BC manager and annual management reviews based on the BC manager’s reporting.
The following external requirements for IT service continuity management are particularly relevant for financial institutions:
- Supervisory requirements:
  - xAIT (VAIT, BAIT, KAIT, ZAIT), Chapter 10: IT service continuity management
  - MaRisk (AT 7.3), MaGo
  - DORA (Digital Operational Resilience Act), applicable from 2025
- Implementation recommendations:
  - BSI standard 200-4
IT service continuity management is not a one-time effort, but an ongoing process. It is essential to regularly update and test the plans in terms of effectiveness and relevance.
The BSI graphic illustrates that there are interfaces to the important topics of information security and crisis management and that they are therefore fundamental to the resilience of the entire organization.
Conclusion: Successfully overcome cyber-attacks with well-thought-out IT emergency management
Cyber-attacks are almost inevitable, and crises can arise unexpectedly. The question is not whether your company will have to overcome challenges, but how you deal with them.
Through awareness-raising measures, people can ensure that certain events do not occur in the first place – or that in an emergency, they at least keep a cool head and know exactly what to do.
Our qualified experts are at your side to help you with all topics related to robust IT emergency management. Feel free to contact us.
Jannick Lutz
X1F