As of late I've been met with an increased number of questions from our clients on how much they should prepare for a data-related disaster, followed with concerns around whether they are adequately protected. Most recently, the Colonial Pipeline cyberattack has heightened our awareness again on how data vulnerability and business continuity are so tightly coupled.
Nobody will argue that Business Continuity and Disaster Recovery Planning (DRP, BCP) are not important, needed or deserve little attention. But exactly how much attention (and cost) is warranted for your organization? My usual answer: Well, that depends - on your own tolerance for risk.
I realize this is a very general answer, but I would argue that with the right tools and processes, it is fairly straight forward to decompose this generic answer and design a very specific disaster recovery plan for every organization. I feel that the most important attribute of a proper risk analysis is that it is holistic, meaning it covers all the threats and risks associated with the organization's way of handling sensitive data, not just the systems it is stored on. For example, why spend large amounts of time on closing every single vulnerability on your cloud-based database application, while keeping unencrypted copies of data exports on unsecured laptops? Clearly, risky end-user behaviour is just as much a threat as a vulnerable web server.
At the beginning of any disaster planning process is an top-level threat analysis, in which we list out all the nasty threats and activities (hacking, attacking, phishing, spoofing, spamming, password-sharing, scamming, etc) that could affect your business.
We then determine the likelihood of a threat resulting in an impactful event, and the size of the impact, which could range from as little as a single user record being disclosed, to an entire database leaked or destroyed. The impact on the organization can be anywhere from negligible, a minor annoyance, temporary downtime, or a business-terminating catastrophe.
It's in determining this impact where we request our client's input and guidance in terms of acceptance thresholds, to decide jointly which level of prevention or mitigation is appropriate for each particular threat.
The key here is to understand that certainty is costly. Achieving 100% threat prevention is virtually impossible, and a bank-breaking proposition to pursue. But with the appropriate amount of planning, we can reduce the threat likelihood, limit impact on the business, and achieve a risk comfort level appropriate for your business.
If this has been top of mind for you and your business, be sure to contact us about our data security threat and risk assessment tools.
We are happy to answer your questions and help get the process started!
Markus Latzel, CEO