6 steps to building true business resilience

The roadmap to business resilience

To achieve true business resilience, it’s critical that there’s a cohesive relationship between both business continuity and cyber security teams.

This includes having a holistic cyber security strategy that enables organisations to be proactive, protective, and robust. By building business resilience, organisations can have the ability to anticipate cyber threats, ensuring all resources and procedures (human and systems) are in place to respond effectively, recover rapidly, and minimise the impact of the incident on the business.

Step 1: Identify your business-critical assets

To build an effective business continuity plan, an organisation must identify its most critical assets whether that’s people, processes, or technology. Identifying potential business impacts requires casting a wide net: there are potential operation risks, financial risks, legal risks, compliance risks and brand damage risks. This is typically done as part of the business continuity planning process and ultimately leads to completing a Business Impact Assessment (BIA).

Step 2: Conduct a threat assessment

The next step involves performing threat modelling to identify and assess the potential threats that could compromise your business-critical assets. While many of these threats may be non-cyber related, your key focus should be to assess the cyber-related threats which are often overlooked during business continuity planning.

Step 3: Conduct a risk assessment

Identify the risks to your assets by consolidating the outputs of the previous two steps to understand the likelihood and impact (risk = likelihood x impact).

This can be done using your existing risk management framework. ISO 31000 is the de-facto risk management framework that most organisations use without having to redesign their framework entirely. You can also create a risk assessment and management framework from scratch or ask your MSP to do this for you.

Step 4: Update your business continuity plan

Incorporate the cyber-related outputs from the previous three steps. An updated business continuity plan would detail the steps required to minimise the risk of business disruption after a cyber security incident. This will allow the business to remain operational in a crisis.

As part of this step, you should also review and update your Security Incident Response (IR) Plan. The IR Plan details the steps to respond to a cyber security incident, which may involve utilising the business continuity plan in severe circumstances. In addition, the business continuity plan should recognise and define what steps must be taken in case of cyber incidents so that business resilience can be maintained.

Step 5: Test the business continuity plan and incident response plan

To ensure you are building a cyber resilient business, your business continuity plan must be tested, at least to the level of a walk through. This would require all those involved in implementing the plan to detail their responses to scenarios that present possible business continuity failures.

This plan should be owned and sanctioned at the highest levels of the organisation.

For example, changes to the notifiable data breach scheme outlined earlier would significantly increase the financial risk associated with a data breach and would require an appropriate response. Use cyber security specific scenarios to simulate a crisis, test and validate each step in the business continuity plan and IR plans, and evaluate your ability to respond to and recover from a cyber related incident that impacted critical business operations.

Step 6: Revise BCP and IR process

Review the key learnings from the above steps and update the business continuity plan and IR processes.

This process should be regularly repeated with cadence to track and manage progress to improve resilience over time. Be sure to reassess your risk frequently and know the different avenues where you need to put controls in place – that includes laptops, servers, emails and network traffic.

You may end up spending a lot of time constantly reassessing, re-evaluating and checking that each area has suitable controls in place. As a result, you can assess the impact of changes in your environment and the evolving threat landscape on your resiliency.

Ease the execution process – choose the right partner

It is a huge task for any organisation to maintain good cyber security.

Continual re-assessments and re-evaluations can consume a great deal of time and security staff resources.

Using partner capabilities that help gain better visibility and behavioural analytics makes execution smooth and more accurate. Whether you are new to cyber security, have been recently affected by a cyber security event, or are looking for support with building cyber business resilience, Interactive has a team of experts ready to help – reach out and see how our experts can assist you in strengthening your business’ resilience today.