Data breaches have been happening since humans started keeping records. But with the advent of the internet and its ever evolving dynamics, these breaches have become more sophisticated with each attack, as cybercriminals always seem to use more advanced processes to steal data from companies or hold their data to ransom. In order to businesses to survive this cyber crime wave, they need to understand exactly how detrimental cyber crime can be to business operations. To do this, comprehensive Business Impact Analysis must be carried out in order to aid the business’ Cyber Risk Management plan.
BUSINESS IMPACT ANALYSIS CONCEPTS
Business Impact Analysis (BIA) identifies mission-essential functions and critical systems that are essential to the organization’s success. It also identifies maximum downtime limits for these systems and components, various scenarios that can impact these systems and components, and the potential losses from an incident. The analysis also helps identify vulnerable business processes; these are processes that support mission-essential functions.
Some concepts related to this are explained below:
Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are two key metrices in disaster recovery and disaster continuity planning. While the two may seem similar, they are actually very different and distinct metrices that makeup parts of disaster continuity planning. The main difference between the two lies in their purpose.
i. RPO (Recovery Point Objective): refers to the amount of data at risk. It's determined by the amount of time between data protection events and reflects the amount of data that potentially could be lost during a disaster recovery. The metric is an indication of the amount of data at risk of being lost.
ii. RTO (Recovery Time Objective): is related to downtime. The metric refers to the amount of time it takes to recover from a data loss event and how long it takes to return to service. RTO refers then to the amount of time the system's data is unavailable or inaccessible preventing normal service.
The images below summarize, further define and provide additional context
Establishing RTO and RPO will not only decrease the negative effects of downtime, but it will help you more effectively manage a disaster when it strikes.
b. MEAN TIME TO REPAIR (MTTR)
The average time to repair and restore a failed system. It’s a measure of the maintainability of a repairable component or service. Depending on the complexity of the device and the associated issue, MTTR can be measured in minutes, hours or days. (May also stand for mean time to recovery, resolve or resolution.)
c. MEAN TIME BETWEEN FAILURES (MTBF)
The average operational time between one device failure or system breakdown and the next. Organizations use MTBF to predict the reliability and availability of their systems and components. It can be calculated by tracking the elapsed time between system/component failures during normal operations.
d. MISSION ESSENTIAL FUNCTIONS (MEFs)
MEFs are essential functions that an organization must continue throughout, or resume rapidly after, a disruption of normal activities. MEFs are those functions that enable an organization to provide vital services, exercise civil authority, maintain the safety of the public, and/or sustain the industrial/economic base.
e. MAXIMUM TOLORABLE DOWNTIME (MTD)
This is the longest period of time a business outage without this causing permanent business failure. Each organization will has its own MTD.
f. KEY PERFORMANCE INDICATORS (KPI)
This is a measurement of the reliability of an asset such as a server.
g. MEAN TIME TO FAILURE (MTTF)
This is normally an estimate of the expected lifetime of a product, estimated in thousands of hours.
h. SINGLE POINT OF FAILURE
Single Point of Failure (SPOF) refers to any component of a system whose unavailability at any time will lead to the complete crash of the entire system. A SPOF is to systems what a heart is to living things. In cybersecurity, issues with SPOF can be seen in having all business data stored/managed by a single cloud service provider; or just one onsite (and no backup) database for data, especially such crucial data as patient records and medical histories in hospitals. An attack on any of these key points could have devastating consequenses.
It is recommended that any system who’s functions require high availability and reliability should not have a SPOF. Such systems should be made robust with redundancy, i.e. duplication of all critical components. This control applies to business practices, industrial systems and computing systems.
PRIVACY THRESHOLD ASSESSMENT (PTA)
PTA is an OPM policy that ensures that all information technology systems that accumulate, sustain, or disseminate information in an identifiable form have a Privacy Impact Assessment (PIA). The purpose of PTAs is to help organizations gauge their systems’ information and determine how to appropriately treat them.
PTAs are used to determine whether a PIAs are required. PIAs are decision tools used to identify and mitigate privacy risks arising from new projects which involve processing personal information. Conducting PIAs is beneficial for stakeholders, the organization itself, as well as customers. A PIA is typically designed to accomplish three main goals:
i. Ensure conformance with applicable legal, regulatory, and policy requirements for privacy;
ii. Identify and evaluate the risks of privacy breaches or other incidents and effects;
iii. Identify appropriate privacy controls to mitigate unacceptable risks.
ORGANIZATIONAL BENEFITS OF PIAs
i. Providing an early warning system - a way to detect privacy problems, build safeguards before, not after, heavy investment, and to fix privacy problems sooner rather than later.
ii. Avoiding costly or embarrassing privacy mistakes.
Iii. Providing evidence that an organization attempted to prevent privacy risks (reduce liability, negative publicity, damage to reputation).
iv. Enhancing informed decision-making.
v. Helping the organization gain the public's trust and confidence
vi. Demonstrating to employees, contractors, customers, citizens that the organization takes privacy seriously.
HOW TO CONDUCT A PIA
i. Identify the need for a PIA.
ii. Describe the information flow.
iii. Identify data protection and related risks.
iv. Identify data protection solutions to reduce or eliminate risks. ...
v. Sign fff the outcomes of the PIA. vi. Integrate data protection solutions into the project.
vi. Integrate data protection solutions into the project.
The process is further explained with the image below.
IMPACT OF CYBER RISK TO BUSINESS
IMPACT TO LIFE & REPUTATION
Loss of critical corporate information could lead to reputational damage for both you and your customer. Stolen customer credit card credentials can be used to purchase illegal goods somewhere, or their email login credentials used to access illegal services on say, the dark web. This could lead law enforceent straight to them and even have them facing jail time, thereby ruining their reputation. Reputation loss to you could be in the form of losing your business credibility, and consequently losing your customers/market. This could lead to bankrupcy.
Another impact to life is with data breaches in healthcare that could lead to actual loss of lives. This was recently proven in the September 9th ransomware attack at Düsseldorf University Hospital in Germany.
IMPACT TO FINANCE
Ransomware attacks can lead a business into dire financial straits. From the ransom payments to having crucial business data POSSIBLY altered, it can result to huge financial losses for the company. Worst case scenario, affected customers could even decide to sue in addition to the aforementioned issues; lawsuits and fines are very expensive and could take many years to settle!
IMPACT TO PROPERTY
Intellectual property theft targets trade secrets of value such as engineering plans, pharmaceutical formulas, manufacturing processes, chip designs, automobile designs, etc. This can result to billions of dollars in financial losses, and in even more sensitive cases, loss of lives due to flawed automobile and engineering executions or low quality pharmaceutical products.
IMPACT TO SAFETY
Breach of cyber safety in a form such as cyber stalking is as real and just as devastating (if not more so) as real-life stalking. This crime has been reported to have such serious consequences of victimization such as increased suicidal ideation, fear, anger, depression, and post traumatic stress disorder (PTSD).
There is also the ever increased risk of central control systems of automobile and industrial mechanical systems being hijacked by criminals. This puts the operators therein at any such time at great mortal risk.
Essentially, the adveres impacts of cyber crimes to businesses can never be over-emphasized. It is therefore imperative that business take to proactive cyber security measures which should, among other things:
a. Protecting the business with insurance coverage designed to address cyber risks.
b. Putting plans in place to manage a data breach.
c. Having data breach prevention tools, including intrusion detection.
d. Including DDoS security capabilities.
e. Limiting administrative capabilities for systems and social footprint.
f. Creating file back-ups, data back-ups and back-up bandwidth capabilities
https://www.nibusinessinfo.co.uk/content/impact-cyber-attack-your-business https://digitalguardian.com/blog/wipout-devastating-business-effects-intellectual-property-theft https://pubmed.ncbi.nlm.nih.gov/24875706/