For high-level business assessments of key assets and processes, we have developed a full BIA methodology in which critical assets and data flows are identified in preparation for threat modelling and incident response development.
This includes testing of the senior management GOLD, SILVER and BRONZE team responses.
The benefits from cyberspace are immense but so is the risk. Organisations must embrace uncertainty and develop cyber risk resilience; the real problem is that traditional risk management is insufficient to deal with attacks in cyberspace, especially state-sponsored attacks.
Issues can lie dormant for some considerable time, and some of these issues are not classed as classic information security incidents. The harvesting of information such as names, emails, social media, and business and technical details is hardly going to hit the radar.
A more structured approach is required, in which the client is well-informed about the threat, the threat actor, the data assets most at risk, why the organisation is being targeted, the weaknesses in its network that are allowing attackers to compromise systems, and what all of this means to the business.
The answers will be different for each engagement, but it is vital they are understood if the organisation is to improve the culture of security awareness.
One of the most effective ways of understanding the business is to identify the primary assets of the company such as critical business processes, systems, data flows, information assets or organizational structures.
Our approach identifies those assets that support revenue streams or future P+L, understands business context and processes, maps revenue to assets and thus builds a BIRT (business impact reference table), using the business to define the criteria.
The assets are then assessed in terms of confidentiality, integrity and availability from a criticality perspective. This includes recording their dependencies and inter-dependencies.
To avoid subjectivity, a business impact reference table is presented to help stakeholders employ a common scale of harm and to consider all possible types of harm an enterprise can suffer. This is easily updated to suit any concerns the client may wish to include.
A good Cyber Security Strategy will have senior or board level buy-in, will document the measures in place, the programmes of work which need to be completed to improve defences, the roles and responsibilities before, during and after an incident and how the business will respond if data is compromised and/or publicised.
Understanding why the organisation may be a target and determining where the requirement to steal specific data originates, while also understanding the technical methodology of an attack, can help with an investigation and aid future protection.
More importantly it will help reduce costs to the necessary optimum.