Single Point of Failure: An Approach to Cyber Risk Evaluation

Your business shouldn’t have very many, but it probably has a handful – roles, functions or processes that, if compromised or disabled, would cause your operations to grind to a halt. Those critical points are often physical assets like warehouses, delivery channels, storefronts. They are subject to well-known risks common in the physical world – weather, fire, natural disaster – for which we have well-developed mitigation tools.

But at the same time, those critical functions are often reliant on computer systems whose powerful capabilities are rivaled only by their innate fragility. These systems represent potential failure points with repercussions that are not easily contained; they span the entire operation. Information technology systems represent a meta point of failure that supersedes all others. It is important to understand where these cyber risks originate in order to manage and mitigate them.

The potential for system failures represents your cyber risk. Recognizing and identifying those risks is the first step to securing your operations. The steps below offer a general guideline for defining the business risks you face through cyber exposure:

  1. List your critical operations – the things that, if ceased, would halt business. Revenue, for sure, but also production, procurement, and vendor operations. Define the things that would escalate to priority #1 in the event of an outage. If the answer is “everything,” then that is a good start toward understanding and de-risking.
  2. Identify the networks and software involved in keeping each of these operations running. This doesn’t have to be a detailed drill-down of individual applications, just a quick inventory of systems. Identify the people in charge of using these systems each day.
  3. Ask whether those systems can be restored quickly in the event of failure. Is critical data backed up regularly (and how often)? If the network is taken over by outside actors, can control be restored?
  4. Understand what is happening in each of those systems. What type of data is being transferred? Is it sensitive (how sensitive)? Are your technicians able to monitor activity on the network? If there is an intrusion, are you able to restore the system to its original state? Are you able to analyze what happened to cause the breach?
  5. Talk to your vendors about their risks. How much of your critical IT or operational infrastructure is reliant on your vendors? Are they able to answer these questions about their own operations? Ask them.
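The five steps above amount to building a dependency inventory and then ranking it. The following script is an added illustration, not part of the original article: it records a constructed sample inventory (operations from steps 1 and 2, backup, monitoring and vendor answers from steps 3 to 5), finds the systems that are single points of failure for a critical operation, and orders them by how many operations they would halt and how many of the questions remain unanswered. All names and values are invented for the example.

```python
"""Single-point-of-failure ranking over a steps 1-5 inventory (constructed sample data)."""
from dataclasses import dataclass

@dataclass
class System:
    name: str
    backed_up: bool = False        # step 3: regular backups exist
    restore_tested: bool = False   # step 3: restoration has actually been exercised
    monitored: bool = False        # step 4: activity on the system is watched
    vendor: str = ""               # step 5: empty means operated in-house
    vendor_answered: bool = False  # step 5: vendor has answered the same questions
    substitutes: frozenset = frozenset()  # systems that can take over if this one fails

# Steps 1 and 2: critical operations and the systems each one needs (constructed sample)
OPERATIONS = {
    "order intake": {"web store", "payments"},
    "fulfilment":   {"warehouse mgmt", "shipping api", "erp"},
    "procurement":  {"erp"},
}

SYSTEMS = {s.name: s for s in [
    System("web store", backed_up=True, restore_tested=True, monitored=True),
    System("payments", backed_up=True, monitored=True, vendor="PayCo", vendor_answered=True),
    System("warehouse mgmt", backed_up=True, substitutes=frozenset({"paper pick lists"})),
    System("shipping api", vendor="ShipCo"),
    System("erp", backed_up=True),
    System("paper pick lists", backed_up=True, restore_tested=True, monitored=True),
]}

def blast_radius(system, operations=OPERATIONS):
    """Critical operations that depend on this system (the step 2 mapping)."""
    return sorted(op for op, deps in operations.items() if system in deps)

def single_points_of_failure(operations=OPERATIONS, systems=SYSTEMS):
    """Systems that at least one operation needs and that have no substitute."""
    needed = set().union(*operations.values())
    return sorted(s for s in needed if not systems[s].substitutes)

def open_questions(system):
    """Questions from steps 3-5 still unanswered for a system; more means more uncertainty."""
    gaps = []
    if not system.backed_up: gaps.append("no regular backup")
    if not system.restore_tested: gaps.append("restore never tested")
    if not system.monitored: gaps.append("activity not monitored")
    if system.vendor and not system.vendor_answered: gaps.append(f"vendor {system.vendor} has not answered")
    return gaps

def prioritised(operations=OPERATIONS, systems=SYSTEMS):
    """Single points of failure ranked by (operations halted, open questions), worst first."""
    rows = [(name, blast_radius(name, operations), open_questions(systems[name]))
            for name in single_points_of_failure(operations, systems)]
    return sorted(rows, key=lambda r: (-len(r[1]), -len(r[2]), r[0]))

if __name__ == "__main__":
    for name, ops, gaps in prioritised():
        print(f"{name:15} halts {ops}  open: {gaps or 'none'}")
```

In the sample, the shared ERP ranks first because two operations depend on it, which is the "meta point of failure" the article describes; the vendor-run shipping API ranks next because none of the step 3 to 5 questions have been answered for it.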

More than likely, the questions you ask in steps 3–5 will reveal some uncertainties. Building a clearer picture of the reality in these uncertain areas will go a long way toward quantifying your business risk. This line of questioning will help you and your team prioritize what needs to be fixed first, which in turn can help you build a budget for security implementation.

It is important to remember that security is strategic, and can be a competitive advantage. Consider that, as a vendor, your goal is to inspire confidence in your customers. Your ability to demonstrate competence and confidence in your operations’ security is a great way to beat the competition and become a preferred vendor.