Cybersecurity and Business Continuity: An Essential Partnership in an Era of Digital Interactions

Copyright: © 2023 | Pages: 32
DOI: 10.4018/978-1-6684-9039-6.ch004

Abstract

As a consequence of the evolution and digital transition, organizations depend more on ICT. The behavioral data generated through interactions with ICT is collected and analyzed by the Internet of Behaviors (IoB). In this context, cybersecurity is a critical aspect of business continuity (BC). Organizations must ensure that their ICT systems are protected from cyberattacks to avoid disruptions to their operations. A BC Plan (BCP) that considers cybersecurity can help ensure the continuity of critical functions in the event of a cyberattack. Raising awareness is relevant to promote safe practices and minimize the risk of successful cyberattacks and loss of behavioral data. Therefore, a solid BC Management System (BCMS) should address cybersecurity and ensure that all stakeholders are aware of the underlying risks to a business and how to avoid, mitigate, or cope with them. This chapter presents the BC components and activities of a BCP that includes cybersecurity. Following the guidelines for these activities can help avoid or mitigate security risks by creating a successful BCP.

Introduction

Modern ICT architectures are key success factors for any digital transformation journey, enabling it to evolve iteratively, manage change holistically, and stimulate innovation (Rimboiu, 2020). Therefore, the practical usage of Information and Communication Technologies (ICT) as a driver of value creation, although at different levels of dependency, is nowadays unavoidable.

A network of physically connected objects called the Internet of Things (IoT) uses the Internet to gather and exchange data and information. Most objects process data autonomously in their equipment and preserve it until it is transferred to the cloud (Bhatti et al., 2019). The number of global IoT connections grew by 18% in 2022 to 14.3 billion active IoT endpoints. In 2023, IoT Analytics expects the global number of connected IoT devices to grow another 16% to 16.7 billion active endpoints (Sinha, 2023).

Global IoT connectivity is dominated by three key technologies: Wi-Fi, Bluetooth, and cellular IoT. Wi-Fi makes up 31% of all IoT connections and its technology is leading IoT connectivity in sectors such as smart homes, buildings, and healthcare. Bluetooth represents 27% of global IoT connections, gaining interest in the industrial sector, for example, by allowing for wireless communication between sensors/actuators and an I/O master (IoT Analytics, 2023). Cellular IoT makes up nearly 20% of global IoT connections.

The preceding figures on IoT objects collecting data are a strong indicator that not only industrial data but also personal or individual data is being collected. IoT devices can collect vast quantities of granular data about individuals' daily habits and activities. The data that these devices can collect include consumption rate data, location data, and health-related data, among other data types (Elvy, 2022). When utilizing and purchasing IoT products and services, people frequently have to agree to a company's privacy policy. These agreements can give businesses permission to transfer and disclose specific data to third parties as well as to use personally identifiable information for their own purposes.

Data that was once within the scope of the individual, or related to the use of the IoT device, is now transferred, preserved, and probably processed and analyzed by businesses. It thus becomes part of the company's data, and the information has to be protected as data produced and owned by the company.

The Internet of Behaviors (IoB) refers to the collection and analysis of behavioral data generated by individuals through their interactions with technology, such as their internet use, social media activity, wearable device usage, and IoT device interaction. This data is used to gain insights into human behavior, as well as to drive personalized experiences and decision-making.

The use of IoT-generated data poses, or can be affected by, the same risks as data natively collected by companies. Risk Assessment (RA) is an essential step toward the design of a solution that helps protect data (Păunescu & Argatu, 2020). Cybersecurity risks can be considered a class of risks. These risks can pose significant threats to the confidentiality, integrity, and availability of digital information and systems (Cremer et al., 2022), making cybersecurity an important aspect of risk management for organizations and individuals alike.

Cybersecurity and cyberattacks have been a focus of research in recent years (Russo et al., 2023), along with ICT strategies to provide specific planning guidelines for dealing with cybersecurity incidents (Veerasamy et al., 2019; Pramudya & Fajar, 2019). In this context, cybersecurity fits especially within the scope of disaster recovery (Budiman et al., 2020).

Key Terms in this Chapter

Disaster Recovery: An organization's method of regaining access to, and the functionality of, its IT infrastructure in order to continue the delivery of services that support business processes after a disruptive incident.

Business Continuity Plan: Business continuity plans consist of documented procedures. Organizations use these procedures to respond to disruptive incidents, guide recovery efforts, resume prioritized activities, and restore operations to acceptable predefined levels. Business continuity plans usually identify the services, activities, and resources needed to ensure that prioritized business activities and functions could continue whenever disruptions occur (ISO 22301, 2019).

Incident: An event that can be, or lead to, a disruption, loss, emergency, or crisis (ISO 22301, 2019).

Business Continuity: Capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption (ISO 22301, 2019).

Cybersecurity: Refers to the protection of internet-connected systems, including hardware, software, and data, from attack, damage, or unauthorized access.

Business Impact Analysis: The process of analyzing the impact (the outcome of a disruption affecting objectives) over time of a disruption on the organization. The outcome of BIA is a statement and justification of BC requirements (ISO 22301, 2019).

Resilience: Resilience is the capacity of a person, group, or system to withstand stress and emerge stronger from it. It is the ability to adjust, recover, and flourish in the face of difficulties, adjustments, or trying circumstances. Building and maintaining a solid foundation that permits efficient coping mechanisms, problem-solving abilities, and the capacity to recover and rebuild following setbacks are all components of resilience. It includes psychological, emotional, and physical components as well as the capacity to take lessons from past mistakes and adapt them to new circumstances. Resilience enables people and institutions to overcome challenges and grow stronger as a result.

Risk Assessment: Overall process of risk identification, risk analysis, and risk evaluation, where risk is the effect of uncertainty on objectives (ISO 22301, 2019).
