Cyber-attacks are on the increase across all areas of commerce, and they are impacting businesses both large and small.  According to the UK Government’s Cyber Security Breaches survey, 39% of UK business reported being subject to a cyber-attack in 2022 with one in five experiencing more complex attack methodologies including Distributed Denial of Service (DDOS), malware and ransomware.

These attacks can have serious consequences for businesses, ranging from loss of revenue through a reduced level of customer confidence to significant financial penalties form industry regulators and other government departments such as the Information Commissioner’s Office (ICO).

How are industries responding?

The increase in frequency and severity of security breaches has prompted regulators to act. Within the Financial Services sector the Financial Conduct Authority (FCA) requires organisations within its sphere of influence  to develop a cyber security strategy – approved at board level – which details how they will respond effectively to these incidents how they will identify and protect their critical assets and how they will be able to maintain a satisfactory level of customer service during and in the immediate aftermath of such an event. The FCA has set a deadline of March 2025 for these evidenced measures to be in place.

A significant cyber-attack can constitute an existential crisis for businesses. Understanding which business services are vital to the continued operation of the organisation, how best to protect all the components that comprise those services and having an established, widely understood and frequently tested plan for recovery is critical. A key step in gaining that understanding is to embrace the concepts of Minimum Viable Company, Important Business Service and Minimum Viable Service.

What’s a Minimum Viable Company?

Minimum Viable Company (MVC) is defined as the fewest business services an organisation requires to maintain a pre-determined level of functionality. An organisation may have many dozens of business services, but it is imperative that only those that are defined as mission-critical are included in the MVC.  Developing this view of the business is important as it will define the scope and complexity of its recovery efforts.

What’s an Important Business Service?

Within the Financial Services sector the FCA defines an IBS as a service provided by a firm, or another person on behalf of a firm, to their clients, that if disrupted, would cause harm to any client, or pose risk to the UK financial system or orderly operation of the financial markets. These services often comprise many hundreds of elements, including servers, databases, applications, and other supporting infrastructure.

What’s a Minimum Viable Service?

When an organisation has ascertained which of its IBS constitute its Minimum Viable Company, it is essential that each of these services are then forensically ‘mapped’ to identify every component of each IBS. This is an extremely complex and time-consuming task, but one which is essential in determining the scope for eventual service recoverability.

The ‘mapping’ of every component of every IBS will provide a detailed structure for each IBS and highlight where dependencies exist between services such as shared databases, servers, and applications. From this full inventory of components, it can be determined which it is essential to recover for the delivery of a service at a reduced level of functionality, this reduced level of functionality is called the Minimum Viable Service.

Optimise your cyber recovery today.

Due to the complexity, cost and time required to develop a cyber recovery strategy which incorporates the concepts of MVC, IBS and MVS, there is a temptation to ignore MVC, IBS and MVS and simply define all business services as priorities for recovery. This is not a sensible approach as not only does it place an enormous burden on recovery management systems, networks, storage elements etc. it also adds significantly to the size, complexity, and cost of any recovery solution.

To ensure that organisations strike the right balance, BSS is ready to advise on all aspects of cyber recovery, MVC, IBS, MVS and Asset Mapping. We can provide a range of cyber security services tailored to all business needs, with experts on hand to design solutions that safeguard your enterprise.

In summary, none of what has been written above will reduce the likelihood of sustaining a serious cyber-attack in the future, but ultimately, organisations who have embraced these concepts will be able to recover from a cyber-attack far more quickly and efficiently that those that have not. By adopting this approach business continuity for key services is assured, resulting in the maintenance of customer confidence, and dramatically reducing the likelihood of regulatory sanctions.

Click here to get in touch and learn more about how BSS can help you.

The process of ‘Asset Mapping’ will be covered in detail in a later blog and will need to be linked to from here when it is published.