Cyber Resilience and Preparation Planning

Date published: 06 August 2020
Cyber resilience for business

What would happen if you suddenly lost access to your offices or the internet? How long could your business survive if you couldn’t take customer orders or payments for goods and services? Understanding the critical parts of your business can help you focus resources on protecting them. 

This guide will help you identify your core business functions and put plans in place to protect them in the event of a cyber-attack or system failure. Applying these steps can limit the loss to you and your business. It is prudent to plan first for the most common cyber threats your business is likely to face.

Identifying your business-critical systems and data

An organisation should be able to identify its services and products and the assets that support them. Those assets include people, data, technology and facilities, not just IT equipment. This analysis will identify your critical business functions and the key people, technology, software and data that each one depends on.

Doing this tells you what you need to protect to keep the business functioning. You can then make informed decisions about how much to invest in protecting a particular business function, piece of technology or application against failure or malicious attack.

Carry out a business impact assessment (BIA)

The business impact assessment should analyse the operational and financial impacts of disruption to business functions and processes. These range from lost or delayed sales and income, increased expenses, regulatory fines, contractual penalties and loss of production, to the loss of customers or their goodwill and delays to new business plans.

The timing of a disruptive event can have a major impact on the loss suffered by a business. For example, if your store is damaged by a natural disaster before a big sale or large seasonal holiday, the impact is obviously greater than during a slower period.

To help prioritise which systems are critical, a BIA measures each system against a set of criteria that matter to your business. The results help prioritise investment in risk mitigation and inform business continuity planning and recovery decisions.

A BIA might show:

  • Your most critical system is a manual process, so the people with the operational knowledge and skills are your most critical asset.
  • Which systems and devices hold your customer information, and that the information could not be recreated if it were lost, so investment in backups and protection against data exfiltration is critical.

It is a good idea to prioritise these in order of importance to the core functions of your business. 

Ensure business-critical data is backed up regularly. Once a backup system is in place, check regularly that it is working and that you can actually restore the data from it; a backup that has never been restored has not been proven to work.
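One way to put the "make sure you can restore" check into practice, as an added example that is not part of the original guidance: the Python script below backs up a folder to a compressed archive together with a SHA-256 manifest of every file, restores the archive into a scratch directory and compares each file's hash against the manifest, then shows how three common failure modes (a file the backup job skipped, an archive holding stale or corrupted data, and a truncated archive) are caught. The sample data, file names and function names are constructed for the example, and it uses only the Python standard library.

```python
"""Back up a folder, then prove the backup can actually be restored.

Added example, not part of the original guidance. It creates its own sample
data in a temporary directory, writes a .tar.gz backup and a SHA-256 manifest,
restores into a scratch directory and compares every file. File names and
function names are assumptions made for the example; standard library only.
"""
import hashlib
import shutil
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path) -> dict:
    """Write a .tar.gz of src and return the manifest to keep beside it."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore into a fresh directory and return a list of problems (empty = OK).

    Listing the archive is not enough; only a real restore exercises the path
    you will depend on in an incident.
    """
    # Newer Pythons accept filter="data", which also rejects path-traversal members.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(dest, **extract_kwargs)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return [f"archive unreadable: {exc}"]
        restored = build_manifest(dest)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content differs after restore: {rel}")
    problems.extend(f"unexpected file in backup: {rel}" for rel in restored if rel not in manifest)
    return problems


def run_demo() -> dict:
    """Back up constructed sample data, verify it, then show three failure modes."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "orders"
        (src / "2020").mkdir(parents=True)
        # Constructed sample business data for the example.
        (src / "customers.csv").write_text("id,name\n1,Acme Ltd\n2,Brown & Co\n")
        (src / "2020" / "orders-aug.csv").write_text("order,customer,total\n1001,1,250.00\n")
        archive = work / "orders-backup.tar.gz"
        manifest = make_backup(src, archive)
        results["good"] = verify_restore(archive, manifest)
        # Failure 1: the backup job silently skipped a file (locked, excluded, ...).
        with tarfile.open(work / "partial.tar.gz", "w:gz") as tar:
            tar.add(src / "customers.csv", arcname="./customers.csv")
        results["skipped_file"] = verify_restore(work / "partial.tar.gz", manifest)
        # Failure 2: the archive holds stale or corrupted data (wrong source, bit rot).
        stale = work / "stale"
        shutil.copytree(src, stale)
        (stale / "customers.csv").write_text("id,name\n1,Acme Ltd\n")
        make_backup(stale, work / "stale.tar.gz")
        results["altered_content"] = verify_restore(work / "stale.tar.gz", manifest)
        # Failure 3: the archive was cut short (disk full, interrupted copy).
        data = archive.read_bytes()
        (work / "truncated.tar.gz").write_bytes(data[: len(data) // 4])
        results["truncated"] = verify_restore(work / "truncated.tar.gz", manifest)
    return results


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(f"{name}: {'OK' if not problems else problems}")
```

To use this against a real backup, point make_backup at the data folder when the backup runs, keep the returned manifest somewhere other than the backup media, and run verify_restore on a schedule; the point is that the check restores and compares content rather than only confirming that an archive file exists.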

Have an asset register

For cyber security it is important to have a register of every business device that has access to your networks and therefore connectivity to the internet, wired or wireless. This matters more and more as Internet of Things (IoT) devices are installed and connected to the internet in offices and homes; a well-known example is the breach of a Las Vegas casino's network through an internet-connected thermometer in a fish tank.

Check regularly for software updates and patches to reduce the likelihood of an incident. Confirming that hardware and software are on current versions, and knowing when the manufacturer's support for each product ends, reduces the risk of an unpatched vulnerability in any of your IT systems: a product past the end of its support life will receive no fixes for newly discovered vulnerabilities.
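As an added example (not from the original guidance) of keeping the register honest, the Python script below reconciles a constructed asset register with a constructed "arp -a" listing of devices seen on the local network. It reports devices on the wire that are not in the register, registered devices that were not seen, and registered products whose manufacturer support has already ended. The register columns, MAC addresses, hostnames, IP addresses and support dates are all assumptions made up for the example; it uses only the standard library.

```python
"""Reconcile an asset register with devices actually seen on the network.

Added example, not part of the original guidance. The register, the
'arp -a' listing and every MAC/hostname/date in them are constructed
sample data; the column names are assumptions. Standard library only.
"""
import csv
import io
import re
from datetime import date

# Constructed asset register: one row per device allowed on the network.
REGISTER_CSV = """\
mac,hostname,owner,kind,support_ends
3c:22:fb:aa:bb:01,office-fw,IT,firewall,2024-12-31
b8:27:eb:10:20:30,till-01,Sales,point-of-sale,2021-06-30
00:1a:2b:3c:4d:5e,printer-2f,Admin,printer,2019-03-31
dc:a6:32:00:11:22,nas-backup,IT,NAS,2025-01-31
"""

# Constructed neighbour listing in the shape of 'arp -a' on Linux.
ARP_OUTPUT = """\
? (192.168.1.1) at 3c:22:fb:aa:bb:01 [ether] on eth0
? (192.168.1.40) at b8:27:eb:10:20:30 [ether] on eth0
? (192.168.1.77) at 00:1a:2b:3c:4d:5e [ether] on eth0
? (192.168.1.90) at 9c:8e:cd:0:f:a1 [ether] on eth0
? (192.168.1.254) at <incomplete> on eth0
"""

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]+) ")


def normalise_mac(mac: str) -> str:
    """Lower-case and zero-pad each octet: some tools print '0:f' where others print '00:0f'."""
    return ":".join(part.lower().zfill(2) for part in mac.split(":"))


def parse_arp(text: str) -> dict:
    """Return {mac: ip} for resolved neighbours; '<incomplete>' entries are skipped."""
    seen = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            seen[normalise_mac(m.group("mac"))] = m.group("ip")
    return seen


def load_register(text: str) -> dict:
    """Return {mac: row} from the register CSV with MACs normalised."""
    return {normalise_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(text))}


def reconcile(register: dict, seen: dict, today: date) -> dict:
    """Compare the register with what is on the wire and return the exceptions."""
    return {
        # On the network but never recorded: the fish-tank thermometer case.
        "unregistered": sorted((mac, ip) for mac, ip in seen.items() if mac not in register),
        # Recorded but not seen: switched off, moved, retired or stolen.
        "absent": sorted(row["hostname"] for mac, row in register.items() if mac not in seen),
        # Still in use after the manufacturer stopped issuing fixes.
        "past_support": sorted(
            (row["hostname"], row["support_ends"])
            for row in register.values()
            if date.fromisoformat(row["support_ends"]) < today
        ),
    }


def run_check(today_iso: str = None) -> dict:
    """Run the reconciliation on the sample data as of the given ISO date (default: today)."""
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    return reconcile(load_register(REGISTER_CSV), parse_arp(ARP_OUTPUT), today)


if __name__ == "__main__":
    for category, items in run_check("2020-08-06").items():
        print(f"{category}: {items or 'none'}")
```

In a real run, replace ARP_OUTPUT with the output of arp -a (or your DHCP server's lease file, or a switch's MAC table) and keep the register in a file that is updated whenever a device is bought, moved or retired. An unexplained entry under "unregistered" is the case to chase first; an entry under "past_support" is a device that needs replacing or isolating rather than patching.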

Vulnerability/threat assessment

Using the information gathered above, you can start to build a picture of where your business may be vulnerable. Use it to find weaknesses in people and knowledge, processes and technology before a malicious attacker finds and exploits them.

The following questions are a good starting point:

  • Is my business data backed up in a secure off-site location?
  • Is my data stored in “the cloud” and if so, how is it protected?
  • What network security do I have to ensure employees can only access or change information that they should be able to?
  • Do I have appropriate anti-virus software and firewall(s)?
  • What do I have connected to the internet?
  • Who is allowed to connect to my network and how is this controlled?

Manage risk to an acceptable level

Consider what would happen if you no longer had access to the critical systems or assets identified above. Understanding what is important to your business, why it is important, and what you are already doing to protect it lets you prioritise where protection is most needed.

Organisational risk should be discussed at management and staff meetings as part of normal business. Highlight how cyber threats differ from physical security threats such as burglary, theft and natural disasters, and compare the two. The steps you take to reduce risk should be proportionate to your type of business and within budget.

These tasks are not a one-off job. As your business and its technology change, update your continuity plans regularly and make sure the staff within your business are kept up to date too.

Other resources:

The National Cyber Security Centre

The European Commission

The European Cyber Security Organisation (ECSO)