In the alphabet soup of acronyms that are part of the daily life of every business, one acronym stands out: BIA, or a Business Impact Analysis. But what is BIA in the context of cybersecurity?
What is Business Impact Analysis?
Business impact analysis (BIA) estimates the negative impact on a business if a disruption occurs and identifies strategies to overcome those disruptions.
What is Cybersecurity BIA?
A cybersecurity BIA is a process conducted by security experts to help understand the potential impact of a cybersecurity event on a specific business or business unit. For example, what happens if data is no longer available? What happens if the data is corrupted? What happens if the data is made public? Questions like these form the core of cybersecurity BIA.
A primary goal of a cybersecurity BIA is to establish values for several key performance indicators (KPIs). For example, what is the Maximum Tolerable Outage (MTO) value for this business unit (or business unit system)? What is the Recovery Time Objective (RTO), and what is the Recovery Point Objective (RPO)? It is these values that guide the cybersecurity team in selecting the controls needed to meet those KPIs.
There are many steps in a BIA, depending on the size and scope of the business unit itself. Our advice is always to keep the process as simple and as manageable as possible. For example, don’t start by doing a BIA on the entire Finance Business Unit, especially if it is a big organization. Start smaller. Do a BIA on Accounts Receivable, for example. Then do a BIA on Treasury, and so on until you have completed all of the BIAs at the departmental level and can combine them at the business unit level.
3 Key Steps: Business Impact Analysis
Regardless of the business or unit, the basic BIA process is the same:
1. Identify key business functions.
You will need to first identify the key business functions of the unit. By key, we mean those functions that, if compromised, would result in damage to the overall work of the organization.
2. Estimate cost and impact.
Once identified, work with the business unit managers to estimate the actual cost and impact of a disruption. Consider both “hard” and “soft” costs, involving real dollars and possible reputational damage.
3. Align business priorities.
Align the business unit priorities with the business unit’s continuity plan. If one does not exist, the BIA process will help develop it.
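To make the KPI values above and the three steps concrete, here is a small added example (not code from the original post) that records MTO, RTO and RPO per business function, flags objectives that are inconsistent or not pragmatic, rolls departmental BIAs up to business-unit level as the text advises, and ranks functions by the hard cost of an outage. The departments, functions, hour values and dollar figures are constructed assumptions, not data from any real BIA.

```python
from dataclasses import dataclass

@dataclass
class BusinessFunction:
    name: str
    mto_hours: float           # Maximum Tolerable Outage
    rto_hours: float           # Recovery Time Objective
    rpo_hours: float           # Recovery Point Objective (acceptable data-loss window)
    hard_cost_per_hour: float  # "hard" cost: dollars lost per hour of disruption
    soft_impact: str           # "soft" cost: reputational or contractual damage, kept qualitative

def check_function(fn):
    """Findings that make one function's objectives internally inconsistent or unrealistic."""
    findings = []
    if fn.rto_hours > fn.mto_hours:
        findings.append(f"{fn.name}: RTO {fn.rto_hours}h exceeds MTO {fn.mto_hours}h; recovery would arrive after the outage stops being tolerable")
    if fn.rto_hours == 0:
        findings.append(f"{fn.name}: RTO of 'immediate' is not pragmatic; pick a recovery time the chosen controls can actually deliver")
    return findings

def functions_of(departments):
    return [fn for dept in departments.values() for fn in dept]

def review_unit(departments):
    """Run the consistency checks across every department of a business unit."""
    return [f for fn in functions_of(departments) for f in check_function(fn)]

def roll_up(departments):
    """Combine departmental BIAs at unit level: the unit inherits the most demanding (smallest) objectives and the summed hard cost."""
    fns = functions_of(departments)
    return {"mto_hours": min(fn.mto_hours for fn in fns), "rto_hours": min(fn.rto_hours for fn in fns),
            "rpo_hours": min(fn.rpo_hours for fn in fns), "hard_cost_per_hour": sum(fn.hard_cost_per_hour for fn in fns)}

def rank_by_impact(departments, outage_hours):
    """Order functions by the hard cost of an outage of the given length, most costly first."""
    rows = [(fn.name, fn.hard_cost_per_hour * outage_hours, fn.soft_impact) for fn in functions_of(departments)]
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample: two Finance departments assessed separately; every name, hour and dollar figure is an assumption.
FINANCE = {
    "Accounts Receivable": [
        BusinessFunction("Invoice issuance", 72, 24, 4, 1500, "Late billing delays cash collection"),
        BusinessFunction("Payment posting", 48, 8, 1, 2500, "Customers dunned for invoices already paid"),
    ],
    "Treasury": [
        BusinessFunction("Cash positioning", 24, 0, 1, 4000, "Missed covenant reporting to lenders"),
        BusinessFunction("Wire approvals", 8, 12, 0.5, 6000, "Vendor payments missed"),
    ],
}
```

Running `review_unit(FINANCE)` surfaces the two manager answers the text warns about (an "immediate" RTO and an RTO that the business cannot actually tolerate), while `roll_up` shows why the unit-level objective is driven by its most demanding department.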
In order for any BIA to be a success, you must have two key ingredients. First, the right stakeholders need to be involved, starting at the highest level and reaching down to operations. Second, the data you’re collecting must be diverse, comprehensive, accurate and, importantly, pragmatic.
Every manager will tell you that their Recovery Time Objective is “immediate!” But is that pragmatic? How does this align with the rest of the business needs?
Realistic Business Impact Plan
The third thing you need to keep in mind is… reality! Be realistic. You’re not creating a doomsday scenario; you’re creating a realistic business impact plan. The probability that an asteroid will hit the building should not be your top consideration. A hacker exfiltrating data, on the other hand, should be.
Finally, keep in mind that a BIA is not a “once and done” type of exercise. Businesses change and evolve. So do markets, and so do people. Keep your BIA updated annually to avoid any unpleasant surprises.
Do you need help performing a BIA in your organization? Let us know, and we can help you make sure you make the most out of it, plug any gaps, and ensure your cybersecurity resilience.