In the midst of the Cold War, the possibility of a nuclear attack was deeply feared, but at the same time strangely unthinkable. The stark terror of nuclear disasters persisted for years, highlighted in the 1984 BBC drama film “Threads”.
The film explored the hypothetical event of a nuclear bomb being dropped on a British city and the societal collapse that followed. People were horrified by the film, and it showed everyone’s deepest and darkest fears about nuclear fallout.
Fast forward almost 40 years, and while nuclear fears still abound, cyber security catastrophe is the new background fear – and in July 2024, we received our first major warning sign.
The CrowdStrike outage, in which a faulty sensor update crashed millions of Windows machines at once, highlighted the widespread chaos that a simultaneous failure can cause – reminding many people of the fear that surrounded Y2K.
Now imagine this chaos, but instead of a software update gone wrong, it’s a cybercriminal targeting critical systems in a power plant, resulting in a city losing power for a week. Or perhaps a vulnerability in a piece of fintech software that triggers a 2008-style financial meltdown.
Although such an event may be difficult to foresee, the interconnectedness of modern systems makes it a real possibility. Achieving operational resilience must be the goal, and that means prioritizing keeping business-critical functions running in the event of a serious incident. But to do that, organizations must first understand their minimum viable operation (MVO).
Director of Critical Infrastructure at Illumio.
What is MVO?
MVO refers to the minimum set of systems a business needs to remain operational or continue to provide its core services. Defining it includes mapping out detailed recovery protocols for those systems and establishing recovery measures that minimize their downtime.
Many organizations have realized that it is simply impossible to reduce the probability of a cyber attack to zero. No matter how much money organizations spend on security, it doesn’t make their systems or data any less attractive to cybercriminals.
While money cannot reduce the probability to zero, it can reduce the impact of an attack when used properly. Instead of focusing solely on breach prevention, organizations are increasingly shifting their investments to prioritize breach containment and impact mitigation, ensuring they can sustain their MVO.
In the previously mentioned power plant example, the organization’s MVO will include the industrial control systems (ICS), including SCADA, that control energy generation, monitoring and distribution. By identifying its MVO, the utility can build a cyber resilience strategy that protects these critical systems and keeps the power on when an incident inevitably occurs.
This approach is not an admission that cybercriminals have beaten us, but an acceptance that it is impossible to guarantee immunity from breaches. Instead, it is about limiting the impact when they occur. There is no shame in being breached; lack of preparedness, however, is inexcusable, especially for companies in critical sectors.
Putting the MVO approach into practice
So where should you start? The first step in understanding your MVO is to identify the systems that are critical to sustaining operations, and this is unique to each business. For example, the systems that make up an organization’s MVO will be quite different in retail compared to energy.
Once these have been identified, you then need to identify the risks surrounding or associated with these systems. What do they communicate with, and how? Consider the attack vectors, the supply chain and any third parties connecting to your MVO systems.
Like most organizations, you are likely to rely on a significant number of third parties to function – just look at the large number of suppliers and contractors that keep the NHS running, and the impact of the attack on pathology supplier Synnovis. It is critical that you understand which third-party systems are connected to your networks and limit and control what they have access to. Best practice is to enforce a policy based on least privilege, limiting each connection to the bare minimum it needs.
This is also where having an “assume breach” mentality is essential. Assuming breach shifts the focus from solely trying to prevent unauthorized access to ensuring that attackers’ movements, once inside, are severely restricted and their impact minimized. This helps you not only strategically manage and mitigate risk, but also protect MVO assets and critical operations.
How Zero Trust supports an MVO approach
One of the best ways to adopt an assume-breach mindset and protect MVO assets is by embracing Zero Trust.
Zero Trust is a security strategy based on the principle of “never trust, always verify.” It enforces strict principles of least privilege at all access points, minimizing the risk of unauthorized access. This approach significantly reduces the impact of attacks and is consistent with an MVO approach by identifying critical assets, their use and data flows in the network.
Micro-segmentation technologies such as Zero Trust Segmentation (ZTS) are fundamental to Zero Trust, as they divide networks into isolated segments with dedicated controls. With micro-segmentation in place, you can limit user access, monitor traffic and prevent lateral movement in the event of unauthorized access, isolating and protecting your critical assets.
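The following is an added illustration, not code from the original article or from Illumio, of the steps described above (identify the MVO systems, learn what they communicate with, restrict third parties to least privilege, assume breach) and of the segmentation policy that Zero Trust Segmentation enforces. It models a hypothetical utility: all hostnames, ports, and flow records are constructed, and the allowlist is derived from a constructed baseline of normal traffic. Later traffic is then checked against that allowlist, and any denied flow that targets an MVO asset is flagged as possible lateral movement.

```python
"""Added illustration, not code from the original article or from Illumio.

It works through the steps described above for a hypothetical utility:
1. name the MVO assets,
2. learn what they talk to (baseline flows),
3. derive a default-deny allowlist around them and review third-party exposure,
4. assume breach: evaluate later traffic against the allowlist and flag any
   denied flow that targets an MVO asset as possible lateral movement.

All hostnames, ports and flow records below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt: initiator, responder, port, protocol."""
    src: str
    dst: str
    port: int
    proto: str


# Step 1: the assets the utility cannot generate or distribute power without
# (hypothetical names).
MVO_ASSETS = {"scada-hmi-01", "plc-gateway", "ics-historian"}

# Third parties with network access (hypothetical).
THIRD_PARTIES = {"vendor-support-vpn"}

# Step 2: constructed baseline of flows seen during normal operation.
BASELINE = [
    Flow("scada-hmi-01", "plc-gateway", 502, "tcp"),        # Modbus/TCP polling
    Flow("plc-gateway", "ics-historian", 5432, "tcp"),      # historian writes
    Flow("vendor-support-vpn", "plc-gateway", 22, "tcp"),   # vendor maintenance
    Flow("corp-laptop-17", "corp-fileserver", 445, "tcp"),  # corporate, not MVO
]


def build_allowlist(flows, protected):
    """Step 3: keep only baseline flows that touch a protected asset.

    Any other flow to or from a protected asset is denied by default.
    """
    return {(f.src, f.dst, f.port, f.proto)
            for f in flows if f.src in protected or f.dst in protected}


def third_party_exposure(allowlist, third_parties, protected):
    """Map each third party to the protected assets and ports it may reach,
    so the exposure can be reviewed and cut to the bare minimum."""
    exposure = defaultdict(set)
    for src, dst, port, proto in allowlist:
        if src in third_parties and dst in protected:
            exposure[src].add((dst, port, proto))
    return dict(exposure)


def evaluate(flow, allowlist, protected):
    """Classify one flow: 'outside-scope' (no MVO asset involved),
    'allow' (in the allowlist) or 'deny' (default-deny applies)."""
    if flow.src not in protected and flow.dst not in protected:
        return "outside-scope"
    key = (flow.src, flow.dst, flow.port, flow.proto)
    return "allow" if key in allowlist else "deny"


def find_lateral_movement(flows, allowlist, protected):
    """Step 4: denied flows whose destination is a protected asset, i.e.
    something already inside the network reaching for the MVO."""
    return [f for f in flows
            if f.dst in protected and evaluate(f, allowlist, protected) == "deny"]


# Constructed post-compromise traffic: a corporate laptop trying RDP and SMB to
# the HMI, and the vendor VPN reaching beyond the one host it is allowed.
OBSERVED = [
    Flow("scada-hmi-01", "plc-gateway", 502, "tcp"),
    Flow("corp-laptop-17", "scada-hmi-01", 3389, "tcp"),
    Flow("corp-laptop-17", "scada-hmi-01", 445, "tcp"),
    Flow("vendor-support-vpn", "ics-historian", 5432, "tcp"),
    Flow("corp-laptop-17", "corp-fileserver", 445, "tcp"),
]

if __name__ == "__main__":
    allow = build_allowlist(BASELINE, MVO_ASSETS)
    print("allowlist:", sorted(allow))
    print("third-party exposure:",
          third_party_exposure(allow, THIRD_PARTIES, MVO_ASSETS))
    for f in find_lateral_movement(OBSERVED, allow, MVO_ASSETS):
        print(f"DENY + ALERT: {f.src} -> {f.dst}:{f.port}/{f.proto}")
```

Two practitioner caveats apply to this model. First, a baseline captured over too short a window will miss rare but legitimate flows (a monthly backup, an annual firmware push), so the policy should run in monitor-only mode and be reviewed before enforcement is switched on. Second, the script only decides what the policy should say; real enforcement lives in a host-based agent or firewall on each MVO asset, or in the network fabric, and the denied flows it would log are the telemetry that turns an assume-breach posture into a detection.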
Not all cyber attacks need to result in the suspension of operations
The UK government has warned of the financial disaster that could unfold if a cyber attack on critical infrastructure were successful. But the reality is that the impact can be catastrophic for any business or enterprise that fails to secure its critical operations.
In Richard Horne’s debut speech as NCSC chief executive, he spoke of the increasing hostility the UK is facing, with attackers looking to cause maximum disruption and destruction. And while a cyber attack may not seem as scary at first as the nuclear attack in “Threads,” its impact on society can be just as catastrophic.
It is therefore crucial to secure the assets that keep society and businesses running. Not all cyber attacks need to result in business or operational failure. By prioritizing an MVO approach with Zero Trust and micro-segmentation at its core, you can greatly reduce the risk that an attack ends in catastrophic fallout for your organization.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we feature the best and brightest minds in the tech industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, you can read more here: