Pratum Blog


Leading a business means deciding which risks are worth taking, and a business impact analysis (BIA) provides a critical resource for making informed risk management decisions. This blog explains how to conduct an effective business impact analysis that will point you toward the right investments for your overall risk assessment strategy.

Let’s start with a few fundamentals: At the basic level, your risk management goal is identifying the likelihood and impact of any given risk. You’re looking for answers to questions such as, “How likely is it that our ERP platform could go down? How long would it take us to restore operations? How much does it cost us every hour that our ERP is down?”

A risk assessment identifies your threats and vulnerabilities and how likely each is to be realized. With that information in hand, you conduct a business impact analysis to determine what will happen to the organization if one of those vulnerable areas actually takes a hit. The BIA assigns concrete costs to each disruption, and those figures guide the plans and policies that let you prepare accordingly.

Your budgeting process becomes much clearer when the business impact analysis puts a price tag on specific operational interruptions and points to whether you should invest in preventing or mitigating those interruptions. (For help making sense of all the terms used in the realm of incident response, read this blog summarizing the relationships among incident response, disaster recovery and business continuity.)

Disruptions to Consider

Your team assigned to the business impact analysis will need to set their minds to “glass half empty” mode. Think about all the bad things that could befall your organization. Common scenarios include:

  • Attackers encrypting your data in a ransomware attack or taking your systems offline with a denial-of-service (DoS) attack.
  • A natural disaster shutting down your facility or preventing employees from reporting to work.
  • A key employee quitting immediately and unexpectedly.
  • Losing a key application or service that is mission-critical to your overall business.
  • A supplier failing to deliver critical components because they get hit with something on this list.

For each disruption, account for timing that could amplify the impact. Think about your critical production times in any given year, or even in a given week or day. A two-hour outage at midnight on a holiday weekend carries one level of risk; the same outage at 1 p.m. on a weekday is quite another.

Also be sure to consider dependencies within your organization. Identify where problems will start cascading to other areas, ramping up the business interruptions and costs.

Costs to Consider

Now that you’re thinking about worst-case scenarios, stay in the zone and start calculating the costs from the various disruptions on your list. Account for factors such as:

  • Financial penalties for failure to meet service level agreements (SLAs) in your contracts.
  • Lost revenue both in the short term (because you aren’t delivering product/services) and in the long term (because customers leave you for another vendor).
  • Hard costs to restore data or physical facilities.
  • Additional interest/fees accrued because you couldn’t pay your bills.
  • Regulatory penalties for data breaches, etc.

Knowing the costs will help you establish recovery time objectives (RTOs) and recovery point objectives (RPOs) in each risk area. The RTO sets the maximum time a specific area may be down before the cost becomes unacceptable, which is how quickly you must be running again. The RPO sets the maximum amount of data loss you can tolerate, expressed as time: how old your most recent recoverable copy may be. For data such as training materials, an RPO of a week or even a month may be fine. For other situations, such as market-driven financial data, your RPO may be more like 30 minutes.
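To show how the factors above combine into numbers a leadership team can compare, here is a small cost model written for this post as an added example (it is not from the original article or any Pratum tool). It takes a constructed set of business processes with hourly revenue loss, an SLA penalty that applies once an outage exceeds a contractual threshold, a hard restoration cost, an RTO, and dependencies so that an outage cascades into downstream processes. A timing multiplier halves costs outside business hours. Every process name, dollar figure and multiplier is an assumption chosen for illustration.

```python
"""Added example, not from the original post: a small BIA outage-cost model.

Processes, costs, dependencies and timing multipliers below are constructed
for illustration and are not real figures.
"""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Process:
    name: str
    revenue_per_hour: float       # lost revenue per hour of outage
    sla_threshold_hours: float    # SLA penalty applies once an outage runs longer than this
    sla_penalty: float            # flat contractual penalty for a breached SLA
    restore_cost: float           # hard cost to restore data or systems
    rto_hours: float              # recovery time objective agreed in the BIA
    depends_on: list = field(default_factory=list)   # upstream processes this one needs


# Constructed sample: an order-to-cash chain plus a low-impact internal portal.
PROCESSES = {
    "erp": Process("erp", 5000, 4, 25000, 10000, 4),
    "web_store": Process("web_store", 8000, 2, 15000, 2000, 1, depends_on=["erp"]),
    "shipping": Process("shipping", 3000, 8, 5000, 1000, 8, depends_on=["erp", "web_store"]),
    "training_portal": Process("training_portal", 0, 48, 0, 500, 72),
}

WEEKDAY_1PM = datetime(2022, 5, 17, 13, 0)        # Tuesday, 1 p.m.
HOLIDAY_MIDNIGHT = datetime(2022, 5, 29, 0, 0)    # Sunday of a holiday weekend, midnight


def timing_multiplier(start: datetime) -> float:
    """Assumed amplifier: full cost during the business week, half cost off-hours."""
    if start.weekday() >= 5 or not 8 <= start.hour < 18:
        return 0.5
    return 1.0


def cascade(processes: dict, failed: str) -> set:
    """Return every process taken down when `failed` goes down, including itself.

    Follows the dependency graph until no new process is affected.
    """
    down = {failed}
    changed = True
    while changed:
        changed = False
        for p in processes.values():
            if p.name not in down and any(d in down for d in p.depends_on):
                down.add(p.name)
                changed = True
    return down


def outage_cost(processes: dict, failed: str, hours: float, start: datetime) -> dict:
    """Cost of an `hours`-long outage of `failed` starting at `start`, per affected process.

    Each affected process contributes lost revenue (scaled by timing), its
    restoration cost, and an SLA penalty if the outage exceeds its threshold.
    """
    mult = timing_multiplier(start)
    costs = {}
    for name in cascade(processes, failed):
        p = processes[name]
        cost = p.revenue_per_hour * hours * mult + p.restore_cost
        if hours > p.sla_threshold_hours:
            cost += p.sla_penalty
        costs[name] = cost
    costs["total"] = sum(costs.values())
    return costs


def restoration_priority(processes: dict, hours: float, start: datetime) -> list:
    """Rank processes by the total cascade cost of losing each; first entry is restored first."""
    return sorted(
        processes,
        key=lambda n: outage_cost(processes, n, hours, start)["total"],
        reverse=True,
    )


def rto_violations(processes: dict, measured_restore_hours: dict) -> list:
    """Processes whose measured restoration time (e.g. from a DR test) exceeds the BIA's RTO."""
    return [n for n, h in measured_restore_hours.items() if h > processes[n].rto_hours]


if __name__ == "__main__":
    for when, label in ((WEEKDAY_1PM, "weekday 1 p.m."), (HOLIDAY_MIDNIGHT, "holiday midnight")):
        print(label, "2h ERP outage:", outage_cost(PROCESSES, "erp", 2, when))
    print("Restore in this order:", restoration_priority(PROCESSES, 6, WEEKDAY_1PM))
    print("RTO misses:", rto_violations(PROCESSES, {"erp": 6, "web_store": 0.5, "shipping": 7, "training_portal": 80}))
```

The same two-hour ERP outage costs 45,000 on a weekday afternoon and 29,000 at holiday midnight under these assumptions, which is the timing effect the text describes; the cascade is why ERP outranks the web store for restoration even though the store loses more revenue per hour on its own. Feeding measured restoration times from a disaster-recovery test into `rto_violations` is the check that turns BIA targets into something you can audit.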

How to Conduct a BIA

Your business impact analysis team will follow these common steps:

  • Get Executive Buy-In – You’ll need widespread participation to conduct an accurate analysis. Talk with top leaders to win their support and then have them communicate that they expect others to do their part to make the business impact analysis effective.
  • Assign a Team to Conduct the Analysis – If you don’t have the internal expertise for this work, you can hire a third-party partner like Pratum to guide you. Along with adding experience in this area, an outside consultant helps make up for the blind spots and inherent biases that come with evaluating your own risks.
  • Establish the Scope – Determine whether your business impact analysis will address one department, the entire organization, etc.
  • Gather Information – To fully assess various interruptions, you’ll need input from a variety of stakeholders throughout the organization. Gathering insights from department leaders, managers, etc. will help you discover threats you hadn’t thought about and get more accurate estimates of what interruptions can cost you. The U.S. Department of Homeland Security offers a simple BIA questionnaire you can use as the starting point for your surveys. Most teams follow up on the questionnaires with in-person interviews.
  • Analyze the Information – This is the heavy-lifting stage. The team will designate each business process as critical or non-critical, rank processes by priority for restoration, indicate costs of interruptions and restorations, etc.
  • Issue a BIA Report – This document summarizes all the areas discussed above in clear, quantifiable terms so that your organization’s leaders can make informed decisions. It also provides supporting documentation for readers who want to take a deep dive.
  • Develop Plans – With clear analysis of risk, likelihood and remediation costs, you can start planning your activities and spending.

Take Action

For help with BIA and all other aspects of risk assessment and incident response, contact us today.

A new federal advisory warns users of several VMware products to take immediate action on vulnerabilities that allow attackers to execute code remotely, escalate privileges and bypass authentication.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive ordering federal civilian executive branch agencies running the affected VMware products to update them immediately or remove them from their networks. Private organizations should assess their own exposure to these products just as carefully. CISA also directs agencies to treat any affected instance that is reachable from the internet as already compromised: disconnect it from the production network and begin threat-hunting activities.

VMware offers virtualization and cloud computing software.

The May 18, 2022 CISA emergency directive responds to observed or expected exploitation of vulnerabilities in these VMware products:

  • VMware Workspace ONE Access (Access)
  • VMware Identity Manager (vIDM)
  • VMware vRealize Automation (vRA)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

Together, the four vulnerabilities let an attacker execute code remotely without authentication (CVE-2022-22954), escalate privileges locally (CVE-2022-22960 and CVE-2022-22973), and bypass authentication to obtain administrative access (CVE-2022-22972). Attackers have already exploited CVE-2022-22954 and CVE-2022-22960 in the wild, and CISA expects the other two to be exploited in the near future.


While CISA’s emergency directive applies only to federal agencies, CISA Director Jen Easterly said, “We strongly urge every organization—large and small—to follow the federal government’s lead and take similar steps to safeguard their networks.”

Note that VMware released updates for CVE-2022-22954 and CVE-2022-22960 in April, but within 48 hours threat actors had reverse-engineered the patches and begun exploiting the vulnerabilities. Expect the same for the updates covering CVE-2022-22972 and CVE-2022-22973. Patching alone is not enough for an instance that was exposed before the update was applied; that is why CISA pairs the update with threat hunting.

For guidance on how these vulnerabilities may affect your system, contact Pratum today.


Tabletop exercises provide one of the most effective methods for testing your incident response (IR) plan, short of experiencing an actual breach.

Incident response planning in general has moved up the priority list for most organizations as weekly reports prove that no one is immune to cyberattack. But unless you test your incident response plan, you won’t really know if it covers all the right steps. A tabletop exercise throws your team into a simulated breach, which quickly helps everyone start recognizing the incident response plan as a real-world lifeline, not just a dusty policy statement. Most mature organizations conduct a tabletop exercise at least once a year, and some conduct several each year to cover various parts of the organization.

The guidelines below help you plan and carry out a tabletop exercise (also known as a TTX) that pays immediate dividends in finding places to improve your incident response plan and focusing your team’s attention on the potential challenges. (If you want to take a deep dive into tabletop exercise planning and don’t mind government-speak, review the CISA Tabletop Exercise Package.)

Write Clear Objectives and Outcomes

The exercise’s organizers should have a specific idea of how the tabletop fits into the overall strategy for testing your incident response plan. And since the incident response plan will drive the tabletop exercise, make sure that all participants have a copy of the incident response plan before the exercise. Let everyone know that they’re expected to review it prior to the exercise and to bring a copy to the meeting.

Invite the Right People

With a clear concept of your exercise’s purpose, you’ll know whom to have participate and what kind of scenario to use. The best tabletop exercises include representatives beyond the IT team. While your tech folks will be tasked with the immediate jobs of understanding and stopping a breach, key decisions require perspectives beyond the IT staff. For example, an operations representative should be there to explain the real-world ramifications if someone from IT always suggests “shut it down” as a solution to a breach. Representatives from the public relations and legal teams can help manage messaging and highlight legal traps to avoid. And, if you can get them to come, it’s best to have a member of the C-suite attend so they get a firsthand sense of the potential risks and what it will take to mitigate them. If you’ve identified a full Disaster Recovery team, inviting those people will probably check most of the above boxes.

Create Meaningful Scenarios

The scenario’s quality determines much of the success of the tabletop exercise. An experienced cybersecurity expert can help craft a scenario that reflects the latest real-world threats. They can pace the reveal of information to mimic how actual breaches develop. They can build in multiple attack vectors like the ones you’ll see in real life. The scenario should also bring in third-party concerns, such as clients calling to ask why your services aren’t working or issues that start cascading through your supply chain. The best scenarios typically take a key leader out of the equation by declaring them unreachable during the crisis. That prevents everyone from saying, “We’ll just call the boss, and she’ll know what to do.”

Take It Seriously, But Encourage Honesty

Managers should set the tone by treating the entire exercise with urgency. Don’t let participants short-circuit the process by skipping steps or brushing something off as unrealistic. Following the defined steps is all part of the exercise. This prepares you for the fact that, in some industries, you may not be able to file a cyber insurance claim for a real incident without showing a full root cause analysis (RCA) of the breach. So work the problem as described in the scenario and require everyone to be specific with their answers. But cultivate an atmosphere where people can admit it when they don’t know what to do. After all, you run these exercises to identify exactly those kinds of gaps.

Use an Outside Facilitator

You’ll usually get better results with an experienced third-party expert facilitating the process. They’ll work with the exercise’s leader to plan a strong scenario, and they’ll keep everyone on track during the actual exercise. They know how to ask the right questions and won’t be held up by internal politics. The facilitator also helps drive everyone to identify action items at the end.

Commit to Follow-Up Steps

Your session should include an immediate discussion about how the exercise went (what CISA calls a “hot wash”). Task someone (your facilitator often handles this step) to write down and assign specific to-do items from the meeting. Those often include updating portions of the incident response plan, getting more information about how your backup system works, etc. Set a deadline for completing the to-do list and/or holding a follow-up meeting to check progress.

Pratum’s consultants lead dozens of tabletop exercises every year for clients of all sizes. Contact us today to learn how we can help you get the most from your next exercise.
