Business Impact Analysis (BIA)

Video Transcription
Hey, everyone, welcome back to the course. So in the last video we talked about some of the things you need to think through after developing your business continuity plan, and in this video we're gonna talk about the business impact analysis, or commonly called the BIA.

So we're gonna talk about what the BIA actually is now. We won't go to a deep dive in anything. We just want to talk through some of the areas we need to think through. Even if you're not working in the IT or the cyber security realm or the auditing realm and you're not responsible for the BIA or developing that at all, you're still going to think through these areas as part of your job. So that way, when someone does come and ask you these questions, you do understand what are some of the critical things that you do as part of your day.

So the BIA is gonna focus on the critical functions, right? So not necessarily like who polishes the drinking fountain in the bathroom, right? We're really focused on things that will sustain the business. So that's what I mean by critical functions: things like actually bringing in revenue, right? So the financial value; that would be things like sales, producing products for customers. These things that are actual critical business functions, that if we take those away, the company can't actually effectively function anymore, meet the objectives.

Now, when we start talking about things like risk, we need to talk about the financial value of that risk, right? So if this particular system over here went out, what is the financial impact to the company? And when you start thinking through what is the financial impact, even as somebody just working in your cubicle right now, when you start thinking through, okay, well, this system goes out that I work with, does this actually affect the bottom line of the company? Or does this affect revenue at all? And if the answer is yes, that's gonna be something that you want to bring up. If nobody is aware of it yet, say, hey, look, I work with the system every day. It can impact the company this way and that way. As the company's developing their BCP and the DRP using the business impact analysis, they can effectively plan for that.

So when we talk about risk, we also want to develop plans to mitigate those risks. So, as an example, we talked about flooding earlier, right? So if my building floods, if I think that flooding of my building is a risk that my company is facing, then instead of me having like my data center or my critical systems on the ground floor where it could easily flood, what I'm going to do is make sure they're on a top level floor or, additionally, make sure that I have offsite backup. So that way we're not spending any down time at all with those critical systems.

Costs, right? So when we talk about costs we're talking about tangible versus intangible. So tangible, right? Things we can measure. Lost revenue is a big one. Legal penalties, right? So as an example, if we are a health care company and our systems go offline because of some kind of disaster and we didn't take appropriate steps, there's a possibility. Maybe we're facing some legal penalties, right? Some fines from the government, like HHS or something like that. So we need to think through those things as well. Also increased waste, right? Let's say we've got a bunch of inventory, but we didn't plan appropriately for hurricanes. And a hurricane comes through and wipes out all of our inventory. Right? So now we've gotta basically waste all of that stuff on our balance sheet, on our financial statements, and we've got to figure out a way to recreate that inventory, right? If we don't already have it, to satisfy our customers' needs. So these are things we need to think through from the tangible aspect, the things we can actually kind of touch and feel and measure, right?

What about intangibles? Let's say that we didn't plan appropriately. We don't really care about forming a BCP or DRP. We're like, yeah, whatever, I got this, right? But something happens. Several things can happen, right? Brand damage being number one, right. To think that, I think of things like ransomware attacks or the data breaches. Do you really trust Equifax anymore? Honestly, do you really, really trust some of these payment processors that have been breached, or these hotel chains like Marriott that have been breached? You really trust swiping your card anymore? Or are you kind of like me, and you've got like a special card that you use to go to these types of places? That way, if something happens, it's not a huge financial loss for you. So brand damage is a huge thing that can occur with your particular company if you're not planning appropriately.

What about employee turnover? Let's say that I'm sitting there telling you we need to do these things, so that way our business, our critical business systems don't go down. And you always ignore me because you're talking about budget and all this other stuff. And then things happen, right, things go south. Terrible things happen. As an employee, I may say, you know what? I'm not gonna deal with this company anymore. Like, they're blaming me now for this data breach, but I told them all these things we needed to do to protect the data and they ignored all of that. And now that something's gone wrong, they're blaming me. I'm gonna leave this place and go someplace where I'm appreciated, right? So you may actually end up having employee turnover on scale and not just one or two people.

The confidence from the marketplace. So how are your customers viewing you now, right? Or how are potential customers viewing you? So as an example, if you have a data breach, I'm not trusting you with my data anymore, especially if you're like a cyber security company. And you're telling me, you're selling me some product that protects data, but you were breached yourself. That doesn't make any sense, right? I'm going to say, well, wait a minute here. I don't really feel that you can protect my data because you can't even do it for yourself. Let me go to your competitors and sign up with them. And then customer goodwill, right. Well, we need to have that level of trust with our customers. That's how we get them to purchase things and continue purchasing from us. So if they lose that goodwill, if they don't have faith and confidence in us, we're gonna lose a lot of money.

Just some fun acronyms, cause why not? Right? So MAO, RTO and RPO. I want to talk about these a little bit. So MAO, maximum acceptable outage, recovery time objective and then recovery point objective. Some key terms that you might see as you're doing business impact analysis or developing a BCP and DRP.

So the maximum acceptable outage, essentially the period of time we can allow ourselves to be down, or our critical systems to be down, before we can no longer as an organization meet our objectives. Right. So, as an example, if I'm building clicky remotes in my company and our systems go down, do I have enough inventory to supply all my customers for a period of time? And if so, what's that period of time? Can I go for maybe a month or two without producing any more and still be able to sell these to customers? So these are things we need to think through as we're developing our BCP and DRP using our business impact analysis.

The RTO, the recovery time objective: like how long can we actually be down, our systems be down, before it has a negative impact on our company? So not just the fact that we can't produce any more clicky remotes. It might be the fact that if our business systems are down and we can't take orders in, that's a huge issue, right? And we really don't have a long time that we could be down without taking orders, unless we want to go out of business. Or unless we have enough cash reserves, which, depending on the company, they may not have enough cash.

And recovery point objective. So how much data could we lose without damage to our company? So going back to that health care company I mentioned earlier in the course in the ransomware example, they were only doing backups like every three months. Right? So in their situation, that wasn't a good recovery point objective, right? Three months was not a good period of time, because they lost a lot of patient data and they got a lot of litigation, a lot of expense from doing so, and they almost went out of business. So for them, for a health care company as an example, cause I have a background in that, we probably need to think of things in the aspect of: some things can be down for a couple of days, but really patient data, we need that more real time, right? So maybe in the past couple of hours or on a semi-daily basis type of thing. We need to be able to have that information available so patients can actually be treated effectively. And you'll notice that with a lot of these health care companies, especially hospitals that were being hit with ransomware attacks, a lot of times they can't. They haven't backed up appropriately, so they can't get their systems back online. And they don't have the data to actually treat patients. A lot of times they have to shut down because they can't treat those patients. So keep that in mind when you're planning these things out: it's gonna be based off your industry and your particular organization.

So important things as well to think through is, again, I want to stress we need support and sponsorship from the top, because things are not gonna be successful if we just kind of come together as help desk personnel and try to come up with this stuff. We need somebody at the top to say yes, I support this, and they need to advocate for us, especially when it comes to things like budget, right? It's hard to do this stuff without any money.

We also need to think through, when we're doing the business impact analysis, who's gonna get this questionnaire? Do we give a questionnaire to everybody? Do we send this out to everyone? Or do we just go interview certain people that are strategic for what we need for the organization? Training: we need to think through like, are we going to actually train all these people? Is it video training? Is it in-person training? Do we train like department leads and then they train their people? How are we going to do that for our particular organization? And that's gonna vary based off the size of your company, right? If I've got a small mom and pop company with five employees, I could just go in and train them, right? But if I've got a huge enterprise with 100,000 employees, I've got to think through my training a little differently, and I may actually have dedicated people to do the training for this particular thing.

And then once we're training, we need to do the testing of this, right? So we need to think through. Excuse me. Not testing, but what we need to do once we've got the data from the questionnaire and we've interviewed people: we need to take all that data in aggregate and summarize it and say, okay, these are the critical business systems for our particular company. These are the things we need to worry about. These are the risks that we actually have, right? So I don't live in an area with a lot of earthquakes, so that's not a risk that I need to have. Even though somebody might have brought it up during the interview process, like, hey, what about earthquakes? That's not actually a risk that my company would necessarily care about, right? But flooding is definitely a huge risk that they need to care about.

So just to summarize, we talked about what is a business impact analysis in this particular video. We also talked about RTO, RPO and MAO as well.
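As an added example that is not part of the course material, the following script turns the MAO, RTO and RPO terms from the video into a simple consistency check over aggregated questionnaire data: each critical function's RTO must fit inside its MAO, and the real backup interval must not be longer than the RPO (the three-month backup case above would fail that check). The class, function names and sample values are assumptions constructed for illustration.

```python
"""Added example (not part of the course): a small BIA consistency check for the
MAO / RTO / RPO terms in the video. Class, function names and sample values are
assumptions constructed for illustration."""
from dataclasses import dataclass

HOURS_PER_DAY = 24


@dataclass
class CriticalFunction:
    name: str
    revenue_per_hour: float        # tangible cost basis: lost revenue per hour down
    mao_hours: float               # maximum acceptable outage
    rto_hours: float               # recovery time objective
    rpo_hours: float               # recovery point objective (tolerable data loss)
    backup_interval_hours: float   # how often the supporting data is really backed up


def check_function(f: CriticalFunction) -> list:
    """Findings a BIA reviewer would raise: the RTO must fit inside the MAO, and
    the actual backup interval must not be longer than the RPO."""
    findings = []
    if f.rto_hours > f.mao_hours:
        findings.append(f"{f.name}: RTO {f.rto_hours}h exceeds MAO {f.mao_hours}h")
    if f.backup_interval_hours > f.rpo_hours:
        findings.append(f"{f.name}: backups every {f.backup_interval_hours}h "
                        f"cannot meet RPO {f.rpo_hours}h")
    return findings


def exposure_at_mao(f: CriticalFunction) -> float:
    """Tangible lost revenue if the function stays down for its whole MAO."""
    return f.revenue_per_hour * f.mao_hours


def run_bia(functions: list) -> dict:
    """Aggregate the questionnaire data: rank functions by exposure, collect findings."""
    ranking = sorted(functions, key=exposure_at_mao, reverse=True)
    findings = [msg for f in functions for msg in check_function(f)]
    return {"ranking": [f.name for f in ranking], "findings": findings}


# Constructed sample inputs mirroring the video's examples (all values made up).
SAMPLE = [
    CriticalFunction("Order intake", 5000, 2 * HOURS_PER_DAY, 8, 1, 1),
    CriticalFunction("Patient records", 2000, HOURS_PER_DAY, 4, 4, 90 * HOURS_PER_DAY),
    CriticalFunction("Clicky remote production", 200, 30 * HOURS_PER_DAY,
                     45 * HOURS_PER_DAY, 24, 24),
]

if __name__ == "__main__":
    for line in run_bia(SAMPLE)["findings"]:
        print(line)
```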