Business Continuity Management

Cyber-crime is not new.  It is a fast evolving business - Yes, I am describing it as a business - but that is not new either.  Like in so many businesses, and life in general, evolution rewards the adaptable and builds on strengths of those that can adjust. 

Cyber criminals these days probably have MBAs.  I know there are already operations that are structured with multiple units each playing a distinct roles such as the identification of targets (Research & Development: Vulnerability and Discovery Exploitation), Penetration/Capture/collection of information (Logistics: Botnet Deployment), product distribution (Sales: Criminal Actions). 

These may be loosely banded at the moment but how long before they are streamlined?  Will wholesalers be directed to pick their targets to satisfy the various sales channels (Business Development:  Criminal Mobility) that have together set revenue targets and with whom they have built business plans?  Will they begin to employ (or do they already have) assessors who look through the volumes of data they have captured and separate out PII to their identity or credit card fraud divisions.  Intellectual property will be moved into the appropriate sector [car manufacturers in the far east are driving prices up this year while new energy technologies are down] for sale on the international market. 

In fact all the divisions will operate on a global scale [Ransom as a revenue tactic seems to work best in the SME range in the Americas while blackmail (threat of media disclosure of captured information and therefore loss of company reputation) is producing record results in the FTSE 500 targets / European headquartered multinationals]. 

Revenues will grow.  Competitors in this market may start targeting each other to steal what has already been stolen (is that a crime?).  What about 'legitimate' bounty hunters, hired for a fee to steal back what was stolen?  Is it better to pay a bounty hunter than it is to pay the people demanding a ransom?  How will you know which is which?  Cyber criminal businesses will "buy up" these bounty hunter operations (Investment: Money Laundering) and build a set of independence rules that separate them from their core operations, hedging their bets to ensure they get paid either way and driving innovation on both sides.

These scenarios are only partially fiction.  The effects are real.  And, they are really an issue for business continuity.  In order for our businesses to survive, BC needs to evolve, embrace and incorporate more of the contributions made by other security disciplines.  BC does not address cyber-crime issues directly but it is absolutely essential that our ties with other Risk and Security disciplines are strengthened so that the effects are dealt with.  Through Crisis Management exercises businesses hone their decision making and public response mechanisms while vulnerability management experts provide advice and guidance on how to respond.  Information security influence DR solutions by providing suitable controls into the technical solution design.  Physical Security participate in the selection of the recovery site and it's controls. 

Convergence isn't an option or a luxury, it is a necessity for survival.