Cybersecurity Foundations – Risk Assessment and BIA
OR Ignorance Is NOT Bliss
We continue our climb up the mountain of Cybersecurity to discuss what is often the hardest meeting to schedule with all relevant parties, the Risk Assessment (RA). The RA is part of a Business Impact Analysis (BIA) that directly feeds policy creation but has the primary effect of shedding light on IT financial requirements. Yes, you should use the BIA to shine a torch on every corner of the business, but IT is by far the financial heavyweight of the budget.
Everyone complains about the IT Budget. Everything costs so much, and vendors have their hands out every year, asking for more. Do we really need hardware maintenance and software assurance on every single device and license? Can we just keep spares? Do we really need cybersecurity training all the time? And they want how much for cybersecurity insurance???
It’s A Party! – By bringing all parties into the same meeting, we eliminate speculation. Everyone explains what each device and software does for the company. Imagine being told your Customer Records Management (CRM) system was going offline for an hour mid-day. Sales would say, “No! Don’t you realize that drives the business?” The RA and BIA allow everyone to fully understand the reliance and importance of IT components in the business.
The Most Important In The App-dom – Sales might dramatically cry if the CRM goes away or loses data. You should close the business. All the customer information was lost! Sure, you can make cold call prospects, but where would you maintain the information from the calls? Finance would be in a similar, likely highly dramatic, panic if the bookkeeping software disappeared. If your Accounts Receivable and Accounts Payable can’t receive and pay invoices, everyone in finance stops, and soon the whole business. A printer is just a printer unless it’s printing orders or checks!
Different Strokes – A deep dive will show each department relies on different software, equipment, and processes to perform its duties. There is a hierarchy, and some departments are not highly available, meaning they don’t need it fully functional all the time. In the discovery process of a BIA, departments, managers, and employees can educate the management on their IT needs and requirements. Rarely will a single software or process be used in a department.
Imagine It Gone – Once you have a listing of the business cogs and gears that run the business like clockwork, the real fun begins. Ask the sales director to provide the loss in dollars if the CRM is down for a certain amount of time or disappears, say in a Ransomware attack or internal failure. The numbers may be shocking or even hard to calculate. But then, the discussion moves to the likelihood of outage events.
What Are The Odds – The chance of being struck by lightning is 1 in 15,300, but what are the odds of a power outage in your office? The US Energy Information Administration (https://www.eia.gov) says that the average electrical outage in 2020 totaled over 8 hours per customer for the year, with one-quarter of outages not tied to major events. Not bad, except you have no control over when those 8 hours of outage occur. What if you run a 24×7 business? Now think about the Internet. I bet you suffered more than 8 hours of an outage or less-than-optimal performance last year.
Don’t Hope For The Best – Averages are good for baselining, but Risk Assessments (RAs) should utilize a range. The average becomes the least often occurrence, and the business can account for unprecedented or extreme events. Businesses in St. Louis or New Orleans may not see the Mississippi flood their cities for another 100 years. This falls into Disaster Recovery, Business Continuity, and Crisis Management, but it is important to understand what risks exist and their likelihood. This creates a ratio with measurable costs included in the budget each year. If the loss to flood is $100,000 and the likelihood is every ten years, your annual loss to flooding is $10,000. Where does that fit on the balance sheet?
The Big Bucks – Management may understand the importance of IT but not until reproduction and lost-time costs are presented. With a completed RA, management can decide how much should be spent to mitigate risk or the cost to assume it. Companies willing to assume more risk are often those who never recover.
What Is The Business Worth? – Many total failures or unprecedented events lead unprepared businesses to close their doors forever. You can’t predict the future or know if a never-before-seen meteorological event, for example, will close your doors. However, you must prepare for the inevitability that basic utilities and access that are commonly taken for granted will disappear for an hour, a day, or forever. Are you ready?
Resources – Ready.gov is a great, free resource to get you started on the BIA path. It includes a BIA Questionnaire and Worksheet to help start the conversation. There are tons of other resources here to help with Risk Assessment and Mitigation, but getting all parties to the table and documenting the IT environment is crucial.
Once you know what you have, the dangers affecting it, and the likelihood of failure, you can properly plan. Next, we will dive into policies driven by this information to protect Human life, property, and data from outside and inside threats.
Congratulations! You are on your way up the mountain to a secure IT environment! We are climbing, but we are still far from the summit.