WE LIVE IN A BUSINESS ENVIRONMENT where cyberthreats, external or internal, are among the most likely high-impact events that organizations of all sizes face. Your customers need an incident response (IR) plan built on a risk analysis that is presented in a way small and midsize businesses (SMBs) can understand and act on.
The challenge for managed service providers, though, is to help customers prioritize which services require the fastest recovery times and then develop a risk framework that works within their budgetary and resource constraints.
The SMB risk framework I discuss here uses data from the four Rs—revenue, reputation, regulation, and resiliency—plus the number of users impacted by system failures to create a matrix (see table) that then forms the basis of a comprehensive IR plan. As a rule of thumb, weigh the impact of at least one full day of downtime when evaluating each of the four Rs.
Synopsis: Steps 1 to 4
- Assign a judgment-based value of low (1), medium (2), or high (3) to revenue, reputation, and regulation for each business service or activity, based on stakeholder interviews and, where applicable, engagement with the IT department.
- Treat the resiliency of a business service/activity as a negative modifier: the more resilient a system is (redundancy, failover, tested backups), the less impact a catastrophic failure will have on the business. In this analysis, resiliency is therefore assigned low (-1), medium (-2), or high (-3).
- Users/customers impacted is the easiest empirical measure to collect. All that's required is the total number of users and/or customers affected if the business system in question goes down.
- For each activity/service, add up the revenue, reputation, and regulation values, apply the resiliency modifier (that is, subtract 1, 2, or 3), and multiply the result by the number of users/customers impacted to generate a "score." Note that a low-impact, highly resilient service can score zero (1 + 1 + 1 - 3 = 0), and that the user count acts as a multiplier, so a widely used service with modest ratings can outrank a high-rated niche one. Response plan priorities should reflect those scores, highest first.
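The four steps above, carried through as a small worked example. This is an added illustration, not code from the original article; the service names, ratings, and user counts are constructed sample data chosen to show the scoring behaviour, including a highly resilient service that scores zero and a widely used service that outranks a higher-rated niche one.

```python
"""Worked example of the four-R scoring matrix (added illustration, not from the article).

Score = (revenue + reputation + regulation - resiliency) * users_impacted
where each R is rated low=1 / medium=2 / high=3 and resiliency is applied as a
negative modifier of -1 / -2 / -3, exactly as the four synopsis steps describe.
"""
from dataclasses import dataclass

RATING = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Service:
    name: str
    revenue: str         # low / medium / high, from accounting
    reputation: str      # low / medium / high, from marketing / PR / sales
    regulation: str      # low / medium / high, from counsel / CFO
    resiliency: str      # low / medium / high; higher resiliency LOWERS the score
    users_impacted: int  # users and/or customers affected by an outage


def rating(label: str) -> int:
    """Map a low/medium/high label to 1/2/3; reject anything else early."""
    try:
        return RATING[label.strip().lower()]
    except KeyError:
        raise ValueError(f"rating must be low/medium/high, got {label!r}") from None


def score(svc: Service) -> int:
    """Compute the IR priority score for one service per steps 1 to 4."""
    if svc.users_impacted < 0:
        raise ValueError("users_impacted must be a non-negative count")
    impact = rating(svc.revenue) + rating(svc.reputation) + rating(svc.regulation)
    # Step 2: resiliency is a negative modifier, so it is subtracted (not added).
    impact -= rating(svc.resiliency)
    # Step 4: multiply by the user/customer count.
    return impact * svc.users_impacted


def build_matrix(services):
    """Return (service, score) rows sorted highest score first, ties by name."""
    rows = [(svc, score(svc)) for svc in services]
    rows.sort(key=lambda row: (-row[1], row[0].name))
    return rows


def priority_order(services):
    """Service names in the order the IR plan should prioritise them."""
    return [svc.name for svc, _ in build_matrix(services)]


def render_matrix(services) -> str:
    """Plain-text rendering of the matrix for an SMB-facing IR plan."""
    lines = [f"{'Service':<24}{'Rev':>4}{'Rep':>4}{'Reg':>4}{'Res':>5}{'Users':>7}{'Score':>8}"]
    for svc, sc in build_matrix(services):
        lines.append(
            f"{svc.name:<24}{rating(svc.revenue):>4}{rating(svc.reputation):>4}"
            f"{rating(svc.regulation):>4}{-rating(svc.resiliency):>5}"
            f"{svc.users_impacted:>7}{sc:>8}"
        )
    return "\n".join(lines)


# Constructed sample data (hypothetical SMB, not taken from the article).
SAMPLE_SERVICES = [
    Service("ecommerce site", "high", "high", "medium", "low", 5000),
    Service("customer billing", "high", "medium", "high", "medium", 300),
    Service("DNS/DHCP", "high", "medium", "low", "medium", 150),
    Service("inbound call center VoIP", "medium", "high", "low", "low", 40),
    Service("internal wiki", "low", "low", "low", "high", 120),
]

if __name__ == "__main__":
    print(render_matrix(SAMPLE_SERVICES))
```

The internal wiki scores 0 because high resiliency cancels its three low ratings, and DNS/DHCP (rated lower on regulation) still outranks the call center because four times as many users depend on it. That is the behaviour the multiplier is meant to produce; if it surprises a stakeholder, the user count or the resiliency rating is the input to revisit.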
Breaking Down the “R” Analysis
Analysis by revenue. The information needed should be available from the accounting department. Give some thought to how IT systems may impact revenue-generating activities such as customer billing, trading, and/or production. The general consensus is the higher the revenue from a given line of business, the larger the requirement for IR capability. You’ll need a firm understanding of the revenue impact of activities that are dependent on IT, as well as of services provided by IT, such as DHCP, DNS, internet connection(s), Wi-Fi, and on-site or hosted infrastructure. The business must understand the extent to which disruption of these foundational IT services impacts revenue.
Analysis by reputation. The marketing, public relations, or sales department should be engaged to help determine how downtime for an activity or service could impact the organization’s public image. This may be somewhat arbitrary and is likely to be greater if the organization has a poor reputation to begin with. In highly competitive markets, outages affecting customer-facing services may have a longer-term impact on growth and revenue than disruption of other business systems. An ecommerce site with no internet connection or an inbound call center without VoIP services will directly impact the organization’s reputation.
Contractual obligations or agreements between customers and suppliers are another consideration. Failure of a firm to live up to contractual obligations (for example, uptime or service-level commitments) during a security incident could jeopardize the business relationship.
Analysis by regulation. Corporate counsel, the CFO, or the organization's law firm will likely have information about what regulations are applicable to the business's operations. Notwithstanding the previous revenue-based and reputation-based analysis, certain systems may have life-safety or critical infrastructure designations that require minimum cybersecurity standards and/or public breach disclosure. Other systems subject to GDPR or HIPAA carry security requirements with associated fines for violations, and systems in scope for PCI DSS (an industry standard enforced contractually by the card brands and acquirers rather than a government regulation) carry similar requirements, with fines and potential loss of card-processing privileges. In heavily regulated industries, government agencies could bring action against the firm, depending on the nature of the business system outage. Even when regulatory action is handled privately, it will certainly impact revenue and reputation.