Jan 28, 2016

It’s probably the hardest question to answer for someone new to Cyber Resilience Best practice. The answer, once you understand Cyber Resilience is easy, but for the uninitiated, it may make them fear this topic, or slide it over to the too hard basket. We all know that eventually that basket for Cyber Resilience is going to get full, overflow and it’s going to start impacting our business, customers and our daily lives. Banks, Weather, Defence or even catching a bus or train to work. At some stage it already has or will in the future cause disruption and chaos, pain or loss. The effects initially may not be of interest to you, or impact you directly, but sooner or later your attitude towards the risks with our increasingly connected cyber world will have to change. To start the ball rolling we need to look at risk. Risk is identified as identifying things that might happen, how likely they are to happen, what impact they may have, and deciding what action to take. There are various methods to assist in managing risk such as M_o_R and ISO/IEC 31000, but at the end of the day it boils down to a very simple list, and a single question that you will need to answer. How hungry are you for risk? Or in other words, what is your risk appetite? To consider this question from a health perspective, how hungry are you for a heart attack? If you eat fast food, smoke and overweight with high cholesterol, then you would be classified as a big appetite for a heart attack. Putting that concept back in a cyber resilience perspective, do you want or can you afford for your business to have a heart attack? The simple list that can help to contribute to identify the risk appetite, can be classified into the following 4 areas:

Asset:

Anything that has value to an organization. Assets can be physical things such as servers and buildings or intangible things such as a company’s reputation.

Vulnerability:

A weakness that could be exploited by a threat – for example, an open firewall port, a password that is never changed, or a flammable carpet. A missing control is also considered to be a vulnerability.

Threat:

Anything that might exploit a vulnerability. Any potential cause of an incident can be considered a threat. For example, a fire is a threat that could exploit the vulnerability of flammable floor coverings.

Risk:

A risk is measured by the probability of a threat, the vulnerability of the asset to that threat, and the impact it would have if it occurred. However, before we can do any risk assessment, we need to speak with the business to identify the VBF’s (Vital Business Functions). The business can help to identify the Business impact from BIAs or assessment of VBFs. The activity in business continuity management that identifies vital business functions and their dependencies. These dependencies may include suppliers, people, other business processes, IT services etc. If a VBF is compromised, hacked, taken offline or destroyed then the business will find it difficult to function, lose money or in some instances lives. So to answer the question of where do we start? Make a list of your VBFs! Some examples of VBFs that if they stopped working or were compromised would cause some pain are:

• Email
• Payment gateway
• Online eLearning site
• Online shop
• HR system
• Payroll

From this list, we need to establish context and speak to the business and ask the following questions.

1. Why would we start a cyber resilience project?
2. What are we worried about?
3. Do we have a list of VBFs? And do we know what hackers or Cybercrime activities are most likely to impact these.
4. How do we govern these VBFs (from a cyber resilience perspective) and how do they integrate with our overall management system?
5. What are our legal, contractual and regulatory obligations around Confidentiality, integrity and availability of the data, information, knowledge held within our services?

There are many other questions we can ask, but these are the starting points. From here we can start the process or identifying risk assessment criteria and risk acceptance criteria, but we will cover off on that in the next blog, so stay tuned, and whilst you’re waiting, start creating that list of your VBFs!