COMP3357 Managing Cyber Risk

COMP3357 Managing Cyber Risk
Richard Henson, University of Worcester, April 2017

Week 11: Business Continuity to increase competitiveness and gain market share…
Objectives:
- Apply business continuity planning (BCP) to allow a business to contemplate 100% uptime, 24-7!
- Enhance an asset register (protected through BCP) to include not just hardware but digital resources
- Use BCP to help a business gain market share

Reminder of the current (2017) business environment
- All about business<>customer!
- Physical environments (shops)
- Online environments (websites)
- All use IT. All need BCP

Physical & Online Markets?
- On-line B2C only started in 1996; grown every year since!
- Different growth rates in different countries…
  - fastest rate in early years… US/Canada
  - fastest rate in 2016... UK!
- driven by people being pushed into technology?
- argument that online trading will encourage growth?

Variety of Physical Markets:
- Retail parks (expensive but many customers)
- High street shops (lower rent; fewer customers?)
- Side street shops/street traders
- Almost all physical businesses use IT to run their business (internal IT)
  - even street traders…

Business Functions and IT
- Finance: spreadsheets… apps… (e.g. Sage)
- Marketing: spreadsheets, databases, graphics, etc.
- Human Resources: databases, apps…
- Purchasing: spreadsheets, databases, apps…

Variety of Online Environments
- No shop!
- Internal and external IT!
  - customers visit via the www
  - dependent on advertising and search engines
- Still have internal IT
  - where is the internal/external boundary?

Engaging with the Online Environment
Several levels:
- website separate from the business's own IT
  - website for advertising and enquiries only
  - website for online shopping
- website integrated with the rest of the business IT
  - much larger development and maintenance operation
  - may be outsourced… business needs to keep control of its data!

Competition and Internal IT
- Smooth operation... pleases…
  - Suppliers want to do business… not have their time wasted
  - Existing customers will return for more; will tell others…

Competition and Internal IT
- Messed up operation… annoys…
  - Suppliers…
  - Customers…
  - if it carries on, will ruin reputation!
- On-line business cannot successfully integrate internal & external IT if internal operation is messed up (!)

Valuing a Business
- Until recently, based on:
  - physical assets
  - no./quality of customers/partners
  - profit (and projections…)
- Yet businesses are dependent on IT!
  - e.g. their data and data structures
  - not a physical asset… so ignored!

BCP Approach to “The Asset Register”
- Asset list (register) needs to include:
  - Software (apps & system/platform)
  - data used with that software!
- Introduced to business via information assurance…
  - COBIT
  - ISO27001

Reminder of Threats to organisational cyber security…
- Divides neatly into:
  - “internal”… employees; applies to all businesses
  - “external”… hackers; specific to online businesses
- Consequences over and above “messed up” systems

Messed up systems AND Data Losses… not good for the business!
- Depending on which data a business loses… it may not be able to trade efficiently, or even at all!
- Worst case scenario: 10 days maximum to recover, or out of business!
- If business data is stolen, they may ALSO lose trade secrets, customer image, supplier information, market share…

Data Losses & not-for-profit organisations
- Personal data often not regarded as so important, other than in legal terms
  - hence the catastrophic sequence of errors that led to 25 million records being lost by HMRC
- HOWEVER… customers do expect their personal data to be safeguarded
  - increasing concern about privacy in recent years
  - source of great embarrassment if data lost

Internal Data Losses
- Well-meaning employees not following procedures and misusing data, or allowing it to get into the wrong hands…
  - The same employees who could already be dealing with a “messed up” system
- Employees or temps with bad intent…

External (hacking…)
- Inside people or business partners accessing data from outside and, either accidentally or on purpose, misusing it
- People hacking in from outside, usually via the Internet, possibly with help from inside

Do “we” have a problem?
- Perceptions “from the inside” quite different from “outside looking in”

Stages in BCP… Where to start?
- Internal systems… need to get them working smoothly
  - keep separate from any online operation until this is a reality
- Put together a plan to keep them working smoothly
- Back-up plans for:
  - environmental disasters
  - hardware failure
  - software failure (system or app)

Align with Information Security Policy
- Security of information should be central to the organisation’s strategic plan…
  - therefore part of organisational policy…
  - BCP part of the same policy?
- Large organisations… easier to align via ISO27001 & ISO22301
- Small organisations… align with simpler standards, e.g. PCI-DSS, IASME

Asset Register and BCP
- Use list of assets… (incl. information assets)
  - devise a plan to protect each one, according to priority (H, M, L) for business continuity
  - another column in the asset register stating how a back-up is made for each category H asset
- Protecting “H” assets:
  - make sure a plan is in place to quickly replace that asset if damaged!
  - make sure that plan is put to the test on a regular basis!
  - no good if replacement resources not working or compatible

BCP and Competitors…
- Good service to customers depends on IT not failing
  - good BCP will help ensure this doesn’t happen
  - steal a march on competitors!
- Customers don’t think about IT…
  - If all OK, may well return… until things go wrong
  - then not much loyalty… Will go somewhere else!

BCP and Reputation
- Business relationship like all human relationships…
  - can take 25 years to build…
  - and 5 minutes to knock down!
- BCP should ensure that the business doesn’t lose reputation because of failing IT
  - won’t stop hackers
  - may delay their effects…