The ideas described in this blog also appear in Business Continuity: Where InfoSec and Disaster Recovery Meet, published in the July 2021 edition of Cyber Defense e-Magazine.
The frequency and intensity of cyber attacks are finally being recognized widely across media and publicly by governments. Individuals are contemplating the hazards of their personal information being compromised by malicious actors or exposed through systems vulnerabilities. Business leaders, for their part, know that information security breaches of any kind are potentially dire. Those breaches put the business operations and even the existence of the organization itself at risk. But knowing the threats are real is, of course, not enough.
Information security, or InfoSec, refers to the active measures businesses use to protect data systems from unauthorized use, disruption, or destruction. For businesses with any online or digital presence, InfoSec begins with a risk analysis focused on ensuring data confidentiality, integrity, and availability, which ultimately safeguards ongoing business operational continuity. This blog post reviews five essential areas of risk analysis that should inform any business continuity plan.
Begin with a baseline evaluation of assets
Understanding risk and its potential for business disruption starts with knowing your assets. Appropriate management and technical teams should design and implement an evaluation of information and physical assets. Those assets may include intellectual property, customer product, confidential records, servers, contracts, vaults, files, and databases. A thorough baseline evaluation of each asset should be completed, including:
- Identifying every company asset and its location
- Specifying the value of each asset
- Knowing the kinds of risks and protections in place for each
- Detailing the availability requirements for each asset to maintain existing SLAs
- Determining the financial and resource investment that should be made to protect each based on the business’s risk tolerance
If a particular asset were to disappear, the baseline evaluation should also accurately estimate the direct revenue loss and business reputation loss associated with it.
Understand and document technical choices
Software and tool choices made by technical teams are critical in protecting against cyber threats and mitigating risk. Adopting best practices and tools for authentication, authorization, and access is important. Antivirus and malware protections, robust networks, firewalls and/or zero trust solutions, and different layers of application filtering with strong access control systems all need to be architected to work in concert to defend against malicious behavior that threatens infrastructure and data. Additionally, well-tuned logging and monitoring tools should provide full visibility into systems and detect anomalies that signal potential problems.
Examine risk that comes from business processes
To help ensure business continuity, a robust risk analysis is needed to examine daily business processes. Despite CISOs spending millions on security and disaster recovery tools, breaches often occur when business processes are poorly managed.
First, consider vendor contracts, confidentiality agreements, and third-party requirements. Are they all fully understood and well implemented within the organization? Often, regulations and standards like ISO 27001, SOC and HIPAA impact internal protocols. Second, consistent employee education and ongoing training on the wide range of infosec risks, acceptable use policies, and data protection are vital. Change management procedures that prevent accidental or deliberate compromise of data should be airtight. Third, as business and technical processes meld in many SMBs and enterprises with the widespread use of open APIs and low- or no-code tools, ensuring that the human processes around application development and platform use are understood and secure is key in analyzing and controlling risks.
Factor in amount and duration of data loss
When disaster does strike, business continuity is fundamentally tied to two quantitative concepts, RPO and RTO. RPO (Recovery Point Objective) refers to the amount of data (expressed as time between backups) a company can afford to lose before it impacts business operations. RTO (Recovery Time Objective) refers to the timeframe after a disaster is declared until business operations are functioning normally again, with resources available for use. A risk analysis should assess RTO and RPO, and the systems needed to achieve those requirements.
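The following is an added example, not part of the original article: a small audit that compares each asset's RPO against the longest real gap between successful backups (a failed job widens that gap beyond the scheduled interval) and its RTO against measured restore-drill times. The asset names, targets, and job history are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample inventory (hypothetical assets, targets and job history).
ASSETS = {
    "orders-db": {
        "rpo": timedelta(hours=4), "rto": timedelta(hours=2),
        "backups": [  # (finish time, succeeded?)
            ("2021-07-01T00:00", True), ("2021-07-01T04:00", True),
            ("2021-07-01T08:00", False),  # failed job widens the real gap
            ("2021-07-01T12:00", True),
        ],
        "restore_drills": [timedelta(minutes=95), timedelta(minutes=110)],
    },
    "file-share": {
        "rpo": timedelta(hours=24), "rto": timedelta(hours=8),
        "backups": [("2021-06-30T01:00", True), ("2021-07-01T01:00", True)],
        "restore_drills": [timedelta(hours=9)],
    },
}


def worst_case_data_loss(backups, as_of):
    """Longest stretch with no successful backup, measured up to as_of."""
    good = sorted(datetime.fromisoformat(t) for t, ok in backups if ok)
    if not good:
        return None  # nothing restorable exists
    points = good + [as_of]
    return max(b - a for a, b in zip(points, points[1:]))


def audit(assets, as_of):
    """Return {asset: [findings]} for assets that miss their RPO or RTO."""
    report = {}
    for name, a in assets.items():
        findings = []
        loss = worst_case_data_loss(a["backups"], as_of)
        if loss is None:
            findings.append("no successful backup")
        elif loss > a["rpo"]:
            findings.append(f"RPO exceeded: {loss} > {a['rpo']}")
        drills = a["restore_drills"]
        if not drills:
            findings.append("RTO untested")
        elif max(drills) > a["rto"]:
            findings.append(f"RTO exceeded: {max(drills)} > {a['rto']}")
        if findings:
            report[name] = findings
    return report
```

Calling `audit(ASSETS, datetime(2021, 7, 1, 13, 0))` flags `orders-db` for an 8-hour exposure against a 4-hour RPO, even though its backups are scheduled every 4 hours, and `file-share` for a restore drill that ran past its RTO.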
Align cloud and on-premises investments with infosec needs
With the dramatic improvements in cloud services in the past decade, including hybrid and multicloud deployment options, a fifth essential part of risk analysis lies in evaluating how best to leverage cloud and on-premises resources during both normal operations and a disaster. Public cloud options and protections may make sense for small and midsized companies with straightforward workloads, while on-premises systems and hybrid deployments work best for large enterprises with highly customized infrastructure.
In conclusion, disruptions to normal operations, whether they result from natural or human-made disaster, can devastate a business’s ability to recover. Companies that engage in a thorough risk analysis as part of their infosec strategy and take immediate action when they discover gaps have the best chance of safeguarding business continuity when the next big cyberattack hits — as it will, soon.