We all know cyber-attacks have reached epidemic proportions. It’s probably true that every company either has experienced a breach or will at some point in the future. It’s a serious issue in need of serious attention.
Realistic Budgeting for Cyber Resilience
How much should you spend on a cyber resiliency strategy? How much time can your business afford to be offline? Have you considered if every single product you’ve bought really has cyber resiliency or cyber recovery features? Which products best fit your strategy for prevention and recovery?
Here are some high-level guidelines I ask clients to consider in this conversation:
- If you have experienced an outage due to a cyber-attack, what did it truly cost your business?
- If you haven’t, what do you estimate the financial impact would be to your business if your three most critical systems were down for 24-48 hours?
The answer to the second question is cheap, by the way, but I find few companies willing to contemplate the reality unless they’ve been hurt badly before.
To give you some scale, I recently spoke with a mid-to-large-sized regional bank that said just the system they use to transfer funds could cost as much as $50,000 a minute if down – that equals $72 million per day!
How much does Cyber Resilience Cost?
Considering this, it’s not unreasonable for me to tell companies that anything less than 50% of the cost of their critical systems being down for one day is a bargain in terms of the cost of cyber resilience.
It may seem expensive, but you’ll likely pay it either way. You’ll either pay for protection or pay for recovery in lost revenue, dissatisfied customers leaving, and even missed new business due to lack of confidence. It really is serious.
Once we have a ballpark understanding of the cost of both the problem and the possible solutions, what should we do?
The first thing is to get help. Many consultants have invaluable expertise in this area and can help separate the solutions from the noise.
I highly recommend vendor-agnostic assistance rather than the advice (and products) of even a highly trusted vendor. A good consulting company can cut through the sales pitches and help truly assess the best way to spend your money to meet your budget and risk appetite.
How do I adopt a Cyber Resilience Strategy?
There are really two things to consider that are related but very different in practice.
- How do we keep the cyber threats out without locking everything down so tight we cannot conduct business?
- What do we do if, or when, they get through our cyber defenses?
There are multiple approaches to the first question, and new products coming out every day. As it is not my area of expertise, I will simply say the most successful companies I work with find answers that both deny accessibility to hackers and preserve usability for workers and customers.
As to the second question, based on my experience I can address more specific issues.
We first need to consider “how fast do you want to get back online?” – and keep in mind that recovering in seconds costs much more than recovering in minutes, and recovering in minutes costs many times more than recovering in hours. That is why ballparking your budget comes first.
Companies that haven’t been hit by a cyber-attack often under-budget and don’t pursue aggressive remediation. Conversely, companies engaging in the process post-attack often want everything now and do not dispassionately assess the right answer. They just never want to experience that pain again!
How fast you recover is measured by two metrics:
- A cyber recovery point objective (CRPO)
- A cyber recovery time objective (CRTO)
These are like the RPO and RTO we use for backup, recovery, disaster recovery, and other processes, but they have differences.
Since someone is actively attacking, the major extra step is analysis to prove we aren’t restoring the attack vector the hacker used along with the systems we need to recover. It may also include analysis to discover the attack vector in the first place.
These steps will add time to recovery, but the only thing worse than going down once is watching it happen over and over again. These steps are essential.
How far must we go to achieve Cyber Resilience?
Now we can look at products and equipment that help us achieve our business objectives. We’ll need to think hard about how far we want to go.
Here’s an extreme example that isn’t for everyone, but it made perfect sense for the company I was consulting. They not only set up a ‘clean room’ for cyber recovery with multiple logical firewalls between the clean room and production systems, but they also outsourced all of it. This meant in the case of internal negligence or an internal source of the attack, no one had login capability in both environments.
It’s also important to understand the behaviors of hackers. There have been many examples of malware embedded in systems and allowed to lie dormant for up to 180 days before activation. This is done specifically in hopes that a company will no longer own a clean backup that doesn’t contain their malware. The good news is that your consultants can help devise strategies to subvert the tactics of your likely attackers.
It is only at this point you can get a true cost for your cyber resilience strategy.
Once all the hardware, software, consulting hours, design, professional services for installation, and potential managed services for day-to-day operations and/or support and monitoring have been scoped and priced, the total solution can be compared to your budget and right-sized, with problem solving and fiscal responsibility in balance.
Cyber Resilience Consultancy and Advice
Devising and adopting a cyber resilience and/or cyber recovery strategy is a huge project that should not be entered into lightly. It will require your best people across multiple business units, IT disciplines, and from your partners to accomplish.
While some remediation can be deployed in the short-term to add some needed protection, these should be carefully considered to see how they fit into the total solution and strategy. Of course, all of this is vastly more complex in a multi-cloud/hybrid cloud world, but not insurmountable.
So, if you would like to speak with Tectrade’s experts to understand more details or to learn about more scenarios where we’ve supported organizations on their journey to a robust cyber resilience strategy, please get in touch.