Updated: Apr 14, 2021
Data breaches have been happening since humans started keeping records. But with the advent of the internet and its ever evolving dynamics, these breaches have become more sophisticated with each attack, as cybercriminals always seem to use more advanced processes to steal data from companies or hold their data to ransom. In order to businesses to survive this cyber crime wave, they need to understand exactly how detrimental cyber crime can be to business operations. To do this, comprehensive Business Impact Analysis must be carried out in order to aid the business’ Cyber Risk Management plan.
BUSINESS IMPACT ANALYSIS CONCEPTS
Business Impact Analysis (BIA) identifies mission-essential functions and critical systems that are essential to the organization’s success. It also identifies maximum downtime limits for these systems and components, various scenarios that can impact these systems and components, and the potential losses from an incident. The analysis also helps identify vulnerable business processes; these are processes that support mission-essential functions.
Some concepts related to this are explained below:
Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are two key metrices in disaster recovery and disaster continuity planning. While the two may seem similar, they are actually very different and distinct metrices that makeup parts of disaster continuity planning. The main difference between the two lies in their purpose.
i. RPO (Recovery Point Objective): refers to the amount of data at risk. It's determined by the amount of time between data protection events and reflects the amount of data that potentially could be lost during a disaster recovery. The metric is an indication of the amount of data at risk of being lost.
ii. RTO (Recovery Time Objective): is related to downtime. The metric refers to the amount of time it takes to recover from a data loss event and how long it takes to return to service. RTO refers then to the amount of time the system's data is unavailable or inaccessible preventing normal service.
The images below summarize, further define and provide additional context
Establishing RTO and RPO will not only decrease the negative effects of downtime, but it will help you more effectively manage a disaster when it strikes.
b. MEAN TIME TO REPAIR (MTTR)
The average time to repair and restore a failed system. It’s a measure of the maintainability of a repairable component or service. Depending on the complexity of the device and the associated issue, MTTR can be measured in minutes, hours or days. (May also stand for mean time to recovery, resolve or resolution.)
c. MEAN TIME BETWEEN FAILURES (MTBF)
The average operational time between one device failure or system breakdown and the next. Organizations use MTBF to predict the reliability and availability of their systems and components. It can be calculated by tracking the elapsed time between system/component failures during normal operations.
d. MISSION ESSENTIAL FUNCTIONS (MEFs)
MEFs are essential functions that an organization must continue throughout, or resume rapidly after, a disruption of normal activities. MEFs are those functions that enable an organization to provide vital services, exercise civil authority, maintain the safety of the public, and/or sustain the industrial/economic base.
e. MAXIMUM TOLORABLE DOWNTIME (MTD)
This is the longest period of time a business outage without this causing permanent business failure. Each organization will has its own MTD.
f. KEY PERFORMANCE INDICATORS (KPI)
This is a measurement of the reliability of an asset such as a server.
g. MEAN TIME TO FAILURE (MTTF)
This is normally an estimate of the expected lifetime of a product, estimated in thousands of hours.
h. SINGLE POINT OF FAILURE
Single Point of Failure (SPOF) refers to any component of a system whose unavailability at any time will lead to the complete crash of the entire system. A SPOF is to systems what a heart is to living things. In cybersecurity, issues with SPOF can be seen in having all business data stored/managed by a single cloud service provider; or just one onsite (and no backup) database for data, especially such crucial data as patient records and medical histories in hospitals. An attack on any of these key points could have devastating consequenses.
It is recommended that any system who’s functions require high availability and reliability should not have a SPOF. Such systems should be made robust with redundancy, i.e. duplication of all critical components. This control applies to business practices, industrial systems and computing systems.