This article first appeared in Infosecurity.
Barely a week passes without the announcement of a significant cybersecurity incident - WannaCry was the most recent in a worryingly long list. The diversity of those affected reinforces the fact that nearly every business depends on digital business capabilities to achieve its goals. Yet businesses continue to carry significant amounts of IT-related commercial risk that is either misunderstood, poorly communicated, or worse still, unidentified.
The simplest way to demystify cyber and engage senior leadership effectively is to take a dependency management approach to identify critical business dependencies, and the potential impacts should the worst happen. Here are four key steps businesses can take to ensure that this is carried out effectively:
1. Identify your critical business functions and related risk appetite
All businesses should know what they exist to do; however, maintaining focus on the functions necessary to keep the business running becomes harder as they grow. Sadly, when a cyber-incident happens we regularly see the focus on the wrong things, as people lose sight of what the business exists to do.
In a busy city center recently, when the networked till system ‘crashed’, the bar staff focused on restoring the IT system instead of simply finding a price list and somewhere safe to keep the money so they could continue serving their customers.
Simple value chain analysis can be an easy way to begin to understand which business functions are critical, and which are ‘nice to have’ in the short term. HR systems are important, but a temporary loss of an HR system will not stop a business operating. Conversely, the loss of tills in a retail outlet will have an immediate impact without an effective back-up plan.
2. Identify your critical dependencies
Once the critical business functions are understood, the digital business capabilities that exist to enable them must be identified. Today, IT systems usually exist only to enable business functions and are not a business function in their own right; companies that believe the latter are often the ones with a disconnect between the IT department and business leadership.
Understanding which data and systems are critical provides a crucial insight into a business’ dependencies and therefore the highest priorities for protection; no-one can afford to protect everything all the time. Whether critical assets are physical or virtual, critical dependencies – those things that if compromised could have a significant impact on your business – need to be identified.
Businesses should also consider the time dimension, as time is often the key deciding factor when defining protection measures and prioritizing recovery actions. Focus on systems which, if lost, will have an immediate impact on your business. It’s also important for businesses to consider reputation and brand, even if there seems to be no material impact on actual performance.
3. Mitigate your dependencies
Threats will continue to shift and evolve at an ever-increasing pace. There has been a shift from “when, not if, you’ll be attacked” to a recognition that it is now “when, not if, you’ll be breached”. We must also get away from reactive responses to the latest headline and consider how to maintain the business outcome regardless of the threat or its approach.
Access can be denied by anything from ransomware to physical issues, such as flooding or power outages. Predicting every conceivable way a function can be denied is a fruitless exercise; instead, an honest assessment of how each business function could be interrupted, together with affordable mitigation approaches, must be made.
Understanding and removing any critical dependence can be one of the most effective and inexpensive measures. Most business functions existed before digitization, so having a viable and practiced back-up process can be the perfect mitigation measure. In retail, a simple and inexpensive measure would be to keep a printed price list as a back-up. Of course, none of this is possible without a strategy and a related implementation plan. Once dependencies are identified, the resulting business risks need to be communicated to those who lead the business.
4. Prepare for the worst case
Too many businesses still take their business continuity function for granted. Too often we see business resilience budgets eroded without a detailed understanding of what would happen in the case of a complex but highly devastating cyber-attack or incident.
We often have to cajole CIOs/CISOs into conducting a cyber-resilience test. Either they’re afraid of what they might find out or they have a short-sighted view of how their business can recover from cyber events. A holistic approach should also be applied to planning; risks should be considered together, not in isolation.
The best-placed organizations should build resilience
The technical and threat landscape in cyber is moving too quickly for businesses to successfully defend against every threat. Moving to an approach that identifies core business dependencies and expending effort on ensuring resilience around them is the key to success.
A successful business must know which elements of its rapidly growing IT ‘real estate’ are essential, and then focus on mitigating and hardening against any risk of losing those systems.
Mark Barmby is a defence and security expert at PA Consulting Group