Why the Business Impact Analysis Has Become a Critical Part of Cyber-Risk Planning

Running a business is a continuous process of risk management. And as organizations come to rely like never before on their IT operations, cyber-related risk has risen to become a critical area of focus. An increasingly critical part of risk assessment and management is the Business Impact Analysis (BIA): a means to predict the consequences of disruptions to the organization.

In a cyber context, the BIA can help organizations to understand what might happen in a specific breach scenario, and thus enable them to prioritize resources accordingly. Increasingly, data-centric security technologies are identified as a best practice to mitigate impact in this scenario.

Why do we need BIAs?

In a cyber-risk context, threats to business operations and finances are everywhere. They include:

• Phishing: A common pre-cursor to covert malware installation or credential theft. When targeted at specific employees these attacks can grant threat actors access to highly sensitive corporate assets
• Passwords: Often poorly managed and secured by individuals, they provide seasoned phishing actors with an easy way to circumvent perimeter defenses to achieve their objectives.
• Ransomware: Regarded as one of the most serious cyber risks to today’s businesses. Can lead to data theft and major operational disruption.
• Vulnerability exploitation: Software flaws are another key chink in the cybersecurity armor of most organizations. Record numbers were found last year, enabling hackers to access networks and perform other malicious actions.
• Supply chains: Threat actors are increasingly targeting business suppliers including software providers as a stepping stone into their networks and/or to their data.
• Mobile device threats: It’s claimed that 60% of endpoints accessing enterprise assets are now mobile devices. This makes them a major target, especially for phishing, malware and vulnerability exploits.

A single data breach could cost on average $4.4m globally, rising to $9.4 in the US. It’s therefore clear that organizations need a formalized framework to understand how an incident could impact them, from a financial, reputational, operational and regulatory compliance perspective.

Why BIAs are increasingly essential

BIAs are the answer. They help improve resilience to cyber-related and other disruptions by identifying the organization’s most critical business functions and IT assets and how they inter-relate, and documenting what would happen in any given worst-case scenario. A data breach for example could lead to:

• Lost sales
• Regulatory fines
• Contractual penalties
• Customer churn
• Diminished brand value
• Costs related to forensics and breach notification
• Potential legal risk/costs
• Delays to business plans/new initiatives

How to carry out a BIA

At a high level, there are four key stages to performing a BIA:

1- Get senior-level buy-in
It’s vital to get senior management to approve the objectives, goals and scope of any BIA. Once it has been green lit, it’s time to pull together a project team, or else enlist the help of a third party.

2- Collect the data
Next, use a questionnaire devised by the BIA team to elicit the information on which to base the assessment. This will require interviews with key stakeholders/business process owners, as well as potentially partners from outside the organization. Knowing who to contact will require detailed insight into the organization’s IT assets and business processes.

3- Review the data
This stage will allow the BIA team to prioritize the business processes, document the user/IT resources needed to ensure they are maintained throughout a disruptive incident, and establish a recovery timeframe.

4- Document the findings
Finally, it’s time to issue the report, including a detailed impact analysis for each business function and recommendations for recovery.

How data-centric security can help

A core recommendation for any BIA looking at the impact of a serious data breach incident is likely to be data-centric security. By automatically discovering, classifying and protecting the organization’s most sensitive data, enterprises can render useless any data that may be accessed by threat actors. This in turn will minimize:

• The risk of regulatory action and time/cost spent on compliance
• The reputational impact of incidents
• Breach notification costs
• The risk of contractual penalties
• Legal risk such as class action lawsuits
• The impact on business operations