
Planning for resilience

Guido Grillenmeier at Semperis describes how to build a minimum viable company strategy


When disaster strikes, it pays to be prepared. Just ask Marks & Spencer (M&S), which saw profits slump and online operations crippled after a major cyber-attack forced its website to halt orders, costing it more than £300 million in lost sales. Across the globe, there are countless senior executives who wish they’d put more time, money and resources into cyber-resilience before rather than after a major breach.

 

But if they had their time again, how should these organisations have gone about improving business continuity and disaster recovery (BC/DR), to ensure the lights stayed on during a serious cyber-incident? One idea gaining traction is the concept of a Minimum Viable Company (MVC).

 

Planning for the inevitable

Why should organisations start planning their MVC strategy? Because none are 100% breach-proof, and none are off-limits to opportunistic threat actors. It follows that, if 100% protection doesn’t exist, the responsible thing to do is to plan for the worst-case scenario.

 

The MVC model strips back an organisation to its bare essentials: the core business required to deliver its most important services and meet SLAs following a major cyber-incident. In the process of planning the MVC, organisations will work out what their key people, processes and technology pillars are - either to continue operating or to quickly recover essential operations. If done right, this won’t just buy more time to return to full productivity, it will also encourage a resilience mindset to bed in culturally across the organisation. This is about survival, at all costs.

 

Time to prioritise

It’s important to start with an attitude reset. MVC is about understanding the bare minimum needed to keep things operational during and following a serious incident. This could amount to less than 20% of an organisation’s people, applications and infrastructure. That means ruthlessly prioritising what matters.

 

This will vary greatly from business to business and industry to industry. A manufacturer focused on producing high-quality vehicles is going to have a very different MVC model than a hospital whose priority is patient care and wellbeing, for example. The latter may calculate via its MVC that it can afford to cancel elective procedures and non-urgent operations in the event of an IT outage. But electronic health record (EHR) systems are deemed essential to ensure that patients get the right medication.

 

The MVC profile might also change depending on the time of year. For retailers, point-of-sale (PoS) systems are essential all-year round. But some may decide to prioritise IT systems that support online ordering and delivery in the run-up to the busy festive shopping period.

 

Active Directory in the spotlight

That said, there are some critically important infrastructure elements that virtually all organisations will struggle to do without, even in an MVC state: a network, DNS infrastructure and some physical hardware on which to host servers or virtual machines, for example. Identity systems are also critically important. If users aren't able to log into any of their applications, nothing will work.

 

For most organisations, this will mean Active Directory (AD), the de facto system for centrally managing users, computers and network resources on-premises. When you look at the chain of dependencies running from applications to infrastructure, it usually comes back to AD. This is Tier 0 infrastructure - the foundation on which everything else sits. Until AD is restored following a serious incident, there’ll be no way to get critical ERP, CRM, payroll and other business-critical systems back up and running.

 

Identity planning is a critical part of MVC planning because, as well as being one of the first systems that need restoring post-incident, identity systems are also among the most complex to recover. That’s especially true if the organisation is running a hybrid environment combining on-premises AD with Entra ID.

 

Kicking things off

Be in no doubt: MVC planning will require significant time, effort and resources. It should start at the very top. Every employee or team will have their own views about which apps should be included in the organisation’s MVC posture - i.e. the ones critical to their day-to-day work. And everyone will believe their own role is indispensable. What is required is a dispassionate view taken in the best interests of the business. And that can only come from senior leadership.

 

They will also need help from IT to understand those infrastructure dependencies for the applications deemed critical to an MVC state. And they will need to work out which teams are needed to get those apps back up and running, and who will be required to use them as the organisation works through its post-incident response. Allow too many employees to log on too soon, and the MVC could come crashing down. Difficult decisions will need to be made about who to prioritise.
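The dependency chain the article describes (applications depending on infrastructure, which in turn comes back to Active Directory) can be made concrete as a small dependency map. The following is an added example, not code from the article or from Semperis: it takes a constructed, illustrative map of components (the names are assumptions, not any real estate) and a chosen set of MVC-critical applications, then works out the minimal recovery set, the Tier 0 foundation every critical app shares, and a dependency-first restore order. A cycle in the map is reported as an error, because a cyclic dependency means the plan cannot say what to restore first.

```python
"""MVC dependency map: what to recover, in what order, for a chosen set of critical apps.

Added example with a constructed, illustrative dependency map (component names are
assumptions for demonstration; a real map is built with IT from the CMDB and discovery).
"""
import heapq

# Constructed example: component -> components it depends on (must be up first).
DEPENDENCIES = {
    "network": [],
    "storage": [],
    "hypervisor": ["network", "storage"],
    "dns": ["network", "hypervisor"],
    "active_directory": ["dns", "network", "hypervisor"],
    "entra_connect": ["active_directory", "network"],
    "database_cluster": ["hypervisor", "storage", "active_directory"],
    "erp": ["active_directory", "database_cluster"],
    "payroll": ["active_directory", "erp"],
    "crm": ["entra_connect", "database_cluster"],
    "pos": ["active_directory", "network"],
    "cdn": [],
    "ecommerce": ["crm", "database_cluster", "cdn"],
    "intranet_wiki": ["active_directory", "database_cluster"],
    "ticketing": ["active_directory"],
    "bi_reporting": ["database_cluster", "erp"],
}


def recovery_set(deps, critical):
    """Transitive closure: every component the critical apps need, directly or indirectly."""
    needed, stack = set(), list(critical)
    while stack:
        comp = stack.pop()
        if comp in needed:
            continue
        if comp not in deps:
            raise KeyError(f"unknown component {comp!r}; map it before planning")
        needed.add(comp)
        stack.extend(deps[comp])
    return needed


def tier0(deps, critical):
    """Components that *every* critical app transitively depends on: restore these first."""
    closures = [recovery_set(deps, [app]) - {app} for app in critical]
    return set.intersection(*closures) if closures else set()


def recovery_order(deps, critical):
    """Dependency-first restore sequence over the recovery set (Kahn's algorithm).

    Raises ValueError if the recovery set contains a cycle, since no valid order exists.
    """
    needed = recovery_set(deps, critical)
    indegree = {c: len([d for d in deps[c] if d in needed]) for c in needed}
    dependents = {c: [] for c in needed}
    for comp in needed:
        for dep in deps[comp]:
            dependents[dep].append(comp)
    ready = [c for c in needed if indegree[c] == 0]
    heapq.heapify(ready)  # heap gives a deterministic order among equally-ready nodes
    order = []
    while ready:
        comp = heapq.heappop(ready)
        order.append(comp)
        for nxt in dependents[comp]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                heapq.heappush(ready, nxt)
    if len(order) != len(needed):
        cycle = sorted(needed - set(order))
        raise ValueError(f"dependency cycle among {cycle}; break it before planning recovery")
    return order


def coverage(deps, critical):
    """Fraction of the whole estate the MVC actually needs."""
    return len(recovery_set(deps, critical)) / len(deps)


if __name__ == "__main__":
    critical_apps = ["erp", "payroll", "pos"]  # constructed MVC decision by leadership
    print("Tier 0 foundation:", sorted(tier0(DEPENDENCIES, critical_apps)))
    print("Restore order:", recovery_order(DEPENDENCIES, critical_apps))
    print(f"Estate needed for MVC: {coverage(DEPENDENCIES, critical_apps):.0%}")
```

With the constructed map and `erp`, `payroll` and `pos` chosen as critical, the shared Tier 0 set comes out as the network, storage, the hypervisor, DNS and Active Directory, and AD lands in the restore order before every business application, which is the point the article makes about identity.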

 

Step by step

Tabletop exercises are a great way of working through these problems and gradually helping the organisation to understand the people, applications and infrastructure it needs to stay operational post incident. They can highlight which automated, IT-driven processes could be replaced with manual work during a crisis. They also help teams understand how long the business has to rebuild systems from scratch, if necessary, before it's too late. For a healthcare organisation, even an hour or two offline could be a matter of life and death.

 

Which servers in which datacentres should be prioritised? How can production systems be brought back online safely without reinfection? How should the organisation handle its cloud services and infrastructure? And how much budget will be required? These are all things that can be worked through via iterative testing and drills in non-production environments. And when the MVC plan is finalised, consider practising it every quarter. It must remain fit for purpose as the business evolves.

 

The value of the business-savvy CISO

There’s an important role here for the CISO. As M&S and countless other incidents have shown, business leaders often prioritise cyber-resilience only after suffering a major breach. The cost of doing so can be far higher than it would have been to proactively plan for the worst-case scenario before it becomes reality.

 

It’s the CISO’s job to make sure the board understands the value of doing so. They’ll need to talk pragmatically in terms of business risk, rather than using technical jargon and nebulous cyber-security metrics. The MVC is a great mechanism for turning the concept of cyber-resilience into reality. But it will need good old-fashioned communication skills to get boardroom buy-in.

 


 

Guido Grillenmeier is Principal Technologist EMEA at Semperis

 

Main image courtesy of iStockPhoto.com and Dragos Condrea


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543