[BreachExchange] Why are Businesses still Taking Unnecessary Risks with Cybersecurity?

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 13 20:02:48 EDT 2017


https://www.infosecurity-magazine.com/opinions/businesses-unnecessary-risk/

Barely a week passes without the announcement of a significant
cybersecurity incident - WannaCry was the most recent in a worryingly long
list. The diversity of those affected reinforces the fact that nearly every
business is dependent on digital business capabilities to achieve their
goals. Yet businesses continue to carry significant amounts of IT-related
commercial risk that is either misunderstood, poorly communicated, or worse
still, unidentified.

The simplest way to demystify cyber and engage senior leadership
effectively is to take a dependency management approach to identify
critical business dependencies, and the potential impacts should the worst
happen. Here are four key steps businesses can take to ensure that this is
carried out effectively:

1. Identify your critical business functions and related risk appetite

All businesses should know what they exist to do; however, maintaining
focus on the functions necessary to ensure the business continues to run
becomes harder as they grow. Sadly, when a cyber-incident happens we
regularly see the focus on the wrong things, as people lose sight of what
the business exists to do.

In a busy city center recently, when the networked till system ‘crashed’,
the bar staff focused on restoring the IT system instead of simply finding
a price list and somewhere safe to keep the money so they could continue
serving their customers.

Simple value chain analysis can be an easy way to begin to understand which
business functions are critical, and which are ‘nice to have’ in the short
term. HR systems are important; however, a temporary loss of an HR system
will not stop a business operating. Conversely, the loss of tills in a
retail outlet will have an immediate impact without an effective back-up plan.

2. Identify your critical dependencies

Once the critical business functions are understood, the digital business
capabilities that exist to enable them must be identified. Currently, IT
systems usually exist only to enable business functions and are not a
business function in their own right; companies that treat IT systems as a
business function in their own right are often the ones with a disconnect
between the IT department and business leadership.

Understanding which data and systems are critical provides a crucial
insight into a business’ dependencies and therefore the highest priorities
for protection; no-one can afford to protect everything all the time.
Whether critical assets are physical or virtual, critical dependencies –
those things that if compromised could have a significant impact on your
business – need to be identified.

Businesses should also consider the time dimension, as time is often a key
deciding factor both when defining protection measures and when
prioritizing recovery actions. Focus on systems which, if lost, will have
an immediate impact on your business. It’s also important for businesses to
consider reputation and brand, even if there seems to be no material impact
on actual performance.

3. Mitigate your dependencies

Threats will continue to shift and evolve at an ever-increasing pace. There
has been a shift from “when, not if, you’ll be attacked” to a recognition
that it is now “when, not if, you’ll be breached”. We must also get away
from reactive responses to the latest headline and consider how to maintain
the business outcome regardless of the threat or the attacker’s approach.

Access can be denied by anything from ransomware to physical issues, such
as flooding or power outages. Predicting every conceivable way a function
can be denied is a fruitless exercise; instead, make an honest assessment of
how each business function could be interrupted and which mitigation
approaches are affordable.

Understanding and removing any critical dependence can be one of the most
effective and inexpensive measures. Most business functions existed before
digitization, so having a viable and practiced back-up process can be the
perfect mitigation measure. In retail, a simple and inexpensive measure
would be to have a printed price list as a back-up. Of course, none of this
is possible without a strategy and a related implementation plan. Once
dependencies are identified, the resultant business risks need to be
communicated to those who lead the business.

4. Prepare for the worst case

Too many businesses still take a business continuity function for granted.
Too often we see business resilience budgets eroded without detailed
understanding of what would happen in case of a complex, but highly
devastating cyber-attack or incident.

We often have to cajole CIOs/CISOs into conducting a cyber-resilience test.
Either they’re afraid of what they might find out or they have a
short-sighted view of how their business can recover from cyber events. A
holistic approach should also be applied to planning; risks should be
considered together, not in isolation.

The best-placed organizations build resilience

The technical and threat landscape in cyber is moving too quickly for
businesses to successfully defend against every threat. Moving to an
approach that identifies core business dependencies and expending effort on
ensuring resilience around them is the key to success.

A successful business must know which elements of its rapidly growing
IT ‘real estate’ are essential, and then focus on mitigating and hardening
against the risk of losing those systems.