Menu

Blog

Cyber Security and your Business Impact Analysis

Cyber Security and your Business Impact Analysis ... Understanding RPO and RTO in Disaster Recovery

While all businesses need to survive a future disaster and the problems that follow, it’s nearly impossible to predict when a disaster will happen.  Businesses will often push cyber and IT security out as an optional expense with an attitude of “if it ain’t broke don’t fix it.”  When the disaster strikes (and odds are increasing at a fast pace for both natural disasters and cyber attacks), don’t leave your business unprepared.  Planning will help you respond quickly.

An important aspect of your IT and Cyber Security plan is to work with your IT security provider to complete a business continuity plan that includes a complete business impact analysis (BIA).  Often, this is the first step to identify critical system and components that are essential to your organizations success.  Key questions during the BIA include

  • What are your critical systems and functions
  • What are the dependencies related to these critical systems and functions
  • What is the maximum downtime limit of these critical systems and functions
  • What scenarios are most likely to impact these critical systems and functions
  • What is the potential loss from these scenarios

Walking through these questions will help you identify key processes and dependencies as part of your overall disaster recovery and business continuity planning.  Each step of this plan must satisfy two measurements: Recovery Point Objective (RPO) and Recovery Time Objective (RTO).  RPO and RTO are measured in specific time intervals or number of hours relating to the loss of data and service time.   It’s important to evaluate each system and application independently to ensure the best possible return on investment.  You may need different arrangements for accounting data, your email access or files stored on a shared drive.  The plan needs to be very specific and consider every detail of your business.

How long can your business be without the service before you incur substantial loss? 

RTO (Recovery Time Objective) can be defined as the start of the interruption and time to establish recovery and end when you can successfully release the service back to your users.  The goal is to calculate how quickly you need to recover and then to map out the people, processes and budget allotment you will need towards business continuity.

RPO (Recover Point Objective) often refers to the last available restore backup and the maximum time between backups being safely stored offsite.  This focus is on your data and your company loss tolerance – how long can you afford to operate without your data before your business suffers. 

Have you ever had a computer crash or lose power while you are in the middle of a huge spreadsheet with lots of data entry, calculations and detailed graphs?  How much time and effort would it require for you to try to recover the spreadsheet from your last save, or what happens if you can’t recover and need to start over from scratch.  It’s simply painful.  Multiple that pain by every person, device and data point in your organization. 

Both RTO and RPO influence the type of redundancy and backup infrastructure you need to have in place.  Besides time and money, you will need to consider compliance and your trust reputation with your clients.  At what point would you begin to lose customers?  Another factor to consider is your RTA (Recovery Time Actual) or the actual performance of your disaster recovery / business continuity plan.  After planning and implementation, your DR/BC requires continued testing to validate success.  If there is significate gap between your goal (RTO) and your actual results (RTA), you’ll want to rethink your strategy to improve the time it takes to restore and become operational again.

Business Impact Analysis

Key takeaways from the business impact analysis should detail a listing of your critical systems and processes ranked by priority.  This list should include 3rd party vendor software, cloud software usage, on premise software, on premise hardware that affects day to day operations (phone systems, devices used by employees, fax machines), IT infrastructure and even access and security to your property.  As you walk through each system, you will record these items:

  • Potential impact scenarios
  • Dependencies
  • RTO
  • RPO including actual back up times
  • Likely impact
  • Potential loss

Ranking all of your systems and infrastructure by priority will give you a clear map of what needs to be recovered first and what can possibly wait.  Identify the manual process and the automated processes as well and include vendor contact information for assistance on each of these systems. 

If you are subject to compliance regulations, protecting your data isn’t optional, it is a legal obligation.  Disasters happen, cyber warfare is real, and the best resolution is to detail and plan, assign priority duties and communication paths, practice and budget accordingly.

Check your Risk

Expedient provides a basic tool that will allow you to check your company's risk. You know what a credit score is. It’s a number given to you that quantifies your credit risk based on your financial history. You may even know your exact score.

Now, take that same scoring and assessment system, apply it to your organization’s information security risk, and get a FISASCORE (click to begin)

FISASCORE allows businesses and organizations to know and understand where they are vulnerable and how they compare with peers within similar industries.   FISASCORE can also be used to communicate the level of information security risk to interested third-parties (customers, stakeholders, auditors, regulators etc).  Expedient Technology Solutions is providing this service to you because we believe it's important to understand where you need guidance or some assistance to fully protect your company's information.   Once you complete your assessment, we will walk through the strengths and weaknesses with you.  We are here to help with a next step of a Gap and Business Impact Analysis as needed.  (937)535-4300 for more information or email Kathy.