Risk Management & Response as a pillar of Business Continuity

Within the chaotic ecosystem of information security and the panoply of technical solutions from many manufacturers, each of us, from our own position of responsibility, faces the very difficult task of choosing the next steps.

  • Very rarely do we receive warning messages before the catastrophic event occurs, as each case is unique. So how will we approach the security and availability assessment?
  • Will we rely on the manufacturer and their own assurances?
  • Will we hire an expert to implement the assessment for us?
  • Will we proceed without much thought based on the “small chance” of becoming a target?

The correct approach to security scoring should come from, and only from, a proper Risk Assessment. This calculates as many risk scenarios as we can apply, taking into account the technical countermeasures that are realistically already in operation.

To the questions:

  • Are we safe?
  • To what extent?
  • What are the next steps for improvement?
  • Should I buy a DLP solution or a SIEM solution?
  • VPN or Teamviewer?

The correct answer can only be: “a separate list of risks/scenarios with desired countermeasures that we lack” in the areas of “endpoint”, “network”, “Cloud”, “Applications” and “Business Processes”.

Which scenarios have we not faced, for example:

  • Theft of a laptop (data leak);
  • Power outage (data availability);
  • How much sensitive data will leak from the laptop?
  • How long can I go without production infrastructure due to power outage?
  • Do we have disk encryption for the 1st scenario?
  • Do we have a generator for the 2nd scenario?
  • If not, how much investment is justified by the loss of production (business continuity)?

Ultimately, the assessment of how secure our infrastructure is should result in a list of “pending issues” to be implemented, adding value by solving the most important problems according to the vulnerability of the infrastructure and its risk profile. Otherwise, the process ends up in “studies” where the realistic measure is lost somewhere between the ideal and the desired.

The process of creating these “pending issues” could be as follows:

  • Is it possible that the file server (critical asset) will be infected if the user “gets” malware on the corporate PC (scenario 1)?
  • If it is possible, what will it cost me if I lose the data for 5 days?
  • What backup software do I need to have the data back in 3 hours (countermeasure 1)?
  • What firewall and network design services will I need (countermeasure 2) to reduce the probability of the file server being infected by 50% (probability)?
  • If I already have a backup tape (countermeasure 3), how likely is it that the tape will be destroyed by high temperature in a fire (scenario 2)?
  • Is it worth paying for a mailbox in a different location (countermeasure 4)?
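The procedure above, scenario, impact, countermeasure, probability reduction and cost, can be written down as a small quantitative risk register. The following is an added example, not code from the article; every probability, loss and cost figure in it is a constructed placeholder, and the scenario and countermeasure names are taken from the list above.

```python
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    asset: str
    probability: float   # estimated chance per year that the scenario occurs
    loss: float          # cost if it does (e.g. production lost for 5 days)

@dataclass
class Countermeasure:
    name: str
    scenario: str               # Scenario.name it addresses
    annual_cost: float          # licence, hardware or service cost per year
    probability_cut: float = 0  # fraction of probability removed (firewall: 0.5)
    loss_cut: float = 0         # fraction of loss removed (3-hour restore vs 5 days)

def expected_loss(s: Scenario) -> float:
    return s.probability * s.loss

def residual_loss(s: Scenario, c: Countermeasure) -> float:
    return s.probability * (1 - c.probability_cut) * s.loss * (1 - c.loss_cut)

def net_benefit(s: Scenario, c: Countermeasure) -> float:
    """Yearly loss avoided minus what the countermeasure costs; negative = not justified."""
    return round(expected_loss(s) - residual_loss(s, c) - c.annual_cost, 2)

def pending_issues(scenarios, countermeasures, in_place):
    """Countermeasures not yet in operation, ranked by net benefit (best first)."""
    by_name = {s.name: s for s in scenarios}
    rows = [(c.scenario, c.name, net_benefit(by_name[c.scenario], c))
            for c in countermeasures if c.name not in in_place]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed figures for the article's own scenarios; replace with your own estimates.
SCENARIOS = [
    Scenario("file server malware", "file server", 0.20, 100_000),  # 5 days x 20k/day
    Scenario("tape destroyed by fire", "backup tape", 0.02, 100_000),
    Scenario("laptop theft", "laptop", 0.10, 50_000),
    Scenario("power outage", "production infrastructure", 0.50, 30_000),
]
COUNTERMEASURES = [
    Countermeasure("backup software, 3h restore", "file server malware", 8_000, loss_cut=0.95),
    Countermeasure("firewall/network redesign", "file server malware", 15_000, probability_cut=0.5),
    Countermeasure("backup tape", "file server malware", 1_000, loss_cut=0.5),
    Countermeasure("tape stored off site", "tape destroyed by fire", 500, loss_cut=0.9),
    Countermeasure("disk encryption", "laptop theft", 1_000, loss_cut=0.9),
    Countermeasure("generator", "power outage", 6_000, loss_cut=0.8),
]
IN_PLACE = {"backup tape"}   # countermeasure 3 already exists, so it is not "pending"

if __name__ == "__main__":
    for scenario, measure, benefit in pending_issues(SCENARIOS, COUNTERMEASURES, IN_PLACE):
        print(f"{'ADD' if benefit > 0 else 'SKIP':4} {measure:28} for {scenario:24} net {benefit:>10,.0f}/yr")
```

With these placeholder figures the fast-restore backup ranks first and the firewall redesign comes out negative, which is exactly the kind of "is it worth paying for" answer the list above asks for. Each countermeasure is scored on its own here; when two of them address the same scenario, their reductions must be combined rather than added.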

Mapping potential risk scenarios onto important ICT assets is the cornerstone of starting any such process and the headache of every Business Continuity (ISO 22301) and/or security (ISO 27001) consultant. From this mapping, the probabilities, the degree of vulnerability and ultimately how much time and money we will invest in resolving them are derived. The last thing we should be concerned about is the model and capabilities of the new firewall or antimalware software. On the contrary, the first thing that should concern us is: “how many risk scenarios have I NOT covered, and who will help me discover even more of them?”

Every risk is an opportunity, not just a risk. The IMO shipping directive for the beginning of 2021, the increased teleworking of the entire population, the dissolution of the classic data movement perimeter, GDPR fines and many other mandatory directives offer the perfect opportunity. We can emerge from the crisis much better informed, prepared and with a very good awareness of the necessary Risk Treatment that our own business requires.
