
The path to digital leadership

Business impact analysis to reinforce the cyber resilience of your company

These guidelines are part of The path to digital leadership series dedicated to business continuity management. This time, we are focusing on the business impact analysis (BIA), an essential element of an organization's business continuity strategy. For other publications in the series, visit our website.

In January 2023, BI.ZONE withstood a massive DDoS attack. Peaking at 1.3 Tbps, it would have had disastrous consequences for most organizations. In our case, the incident had no impact on the company’s operations because both our infrastructure and our employees had been prepared for dealing with worst-case scenarios, including a DDoS onslaught.

Thousands of events affect the business on a daily basis. Many of them are unpredictable and can lead to dire outcomes. An accident, a natural disaster, or a cyberattack is enough to bring organizations of any size to a halt. However, many organizations have only a vague idea of how damaging certain incidents can be.

In turbulent times, it is especially important to understand the consequences of adverse events and the means to mitigate losses. One way to gain such understanding is to run a business impact analysis (BIA). Hence, getting the best out of this process is the subject of this publication.

With this material, we are presenting the world’s first publicly available in-depth BIA guidelines. They contain step-by-step instructions on how to conduct such an analysis in your organization. To help you boost your organization’s cyber maturity across functional domains, we have included recommendations on how to leverage BIA capabilities. Using them will enable you to get better at managing and insuring cyber risks, monitoring cyber threats, and raising your employees’ security awareness.

Studying the BIA requires a thoughtful approach. The guidelines contain specific terms and expert approaches. Nevertheless, we aimed to make the material useful for both the security professionals and business managers that might have different areas of influence and responsibilities.

I hope that our recommendations will help you boost business resilience, mitigate the impact of critical risks, and achieve a market edge.

Muslim Medzhlumov
Chief Product and Technology Officer
BI.ZONE

Contents

Introduction 06
Essential guidance 07

Business impact analysis. Preparing your company for adverse events 08
  Understanding business impact analysis and its importance to business 10
  How a business impact analysis is performed 12

Cyber risk management. Identifying the main threats to your company 27
  Why prioritizing risks is important and how to approach this task 29
  What standards underpin our approach to cyber risk management 31
  What benefits come with a combined approach 33
  How to establish effective cyber risk management 35

Awareness. Mitigating human error in corporate cybersecurity 42
  How low cyber awareness hurts business 44
  How to identify the areas that would suffer most from a cyberattack on employees 46
  How to plan cybersecurity training 47
  Which business units are most vulnerable to attacks 49
  How to ensure the effectiveness of training 50

Monitoring. Improving resilience to cyberattacks through rapid incident response 53
  Why preventive security measures are not enough 55
  What is effective cybersecurity monitoring 56
  How SOC improves incident monitoring 57
  How to get the most value out of monitoring 60
  How BIA helps at all stages of handling security events 61
  When would your company need a SOC 62
  SOC: in-house or outsourcing? 63

Cyber insurance. Getting the most out of it 66
  How damaging a cyber incident can be 68
  How cyber insurance helps to save money 69
  How to get the full picture of your cyber risks 70
  How to choose the right insurance plan 71
Introduction

Imagine you need to cross a street with no traffic lights. Before doing this, you will look in both directions to assess whether it is safe to go. What can possibly happen when you are crossing the street? Here are some of the risks you may face:

1. A lamp post can collapse in front of you. There is no violent storm in sight, so the likelihood of this situation is minuscule—this risk can be excluded from the analysis.
2. A cyclist in a hurry may not slow down when approaching the crosswalk. As the speed of the bicycle is usually not too high, you may spot the cyclist just in time and stop, so your risk here is not significant.
3. A careless driver may get distracted and hit you. The likelihood of this scenario is quite high and its consequences are serious—from a long-term sick leave to a fatal outcome. Therefore, it makes sense to invest a bit more time into assessing the traffic situation before crossing the street.

A similar approach can be applied to managing a business. To make sure your company continues operating uninterruptedly, you need to develop a proactive outlook on potential dangers, take steps to avoid negative consequences, and prepare your business to be financially stable in the event of a real incident. In these guidelines, we explore how the BIA works to achieve such resilience.
Essential guidance

This publication consists of five independent sections. Each chapter begins with an overview of key ideas on a given subject and ends with a general conclusion. This will help you quickly absorb the essentials.

We recommend starting with the first chapter. There we explain what a business impact analysis is, what value it delivers, and how to run it effectively. You will also be able to familiarize yourself with some BIA standards and terms. This theoretical foundation will help you get a good grasp of the analysis process and easily comprehend the content from other sections.

Chapters two through five can be read in any order. They focus on how the BIA can assist organizations in addressing the following issues:
• building a cyber risk management strategy
• reducing the impact of the human factor on cybersecurity
• improving the effectiveness of cyber threat monitoring operations
• making a reasoned decision with regards to cyber insurance

Enjoy the reading!
Section 01 / 05

Business impact analysis. Preparing your company for adverse events

Key ideas 9
Understanding business impact analysis and its importance to business 10
How a business impact analysis is performed 12
Conclusion 26
Key ideas

1. A business impact analysis allows a company to analyze the effects of disruptions, focus on the factors that cause them, assess the possible consequences, and take actions to address the issues.

2. Business continuity expertise in management standards and best practices will help conduct a BIA efficiently and with maximum benefit to the company. We recommend relying on the ISO/TS 22317:2021 standard that features a step-by-step description of the analysis.

3. The BIA results allow company management to make reasoned decisions about preventive continuity measures and the required budget.
Understanding business impact analysis and its importance to business

Each day, companies face many risks: big and small, critical and insignificant. One of the manager’s tasks is to safeguard business processes against adverse situations, though in practice this is far from easy. How do you define the main threats to your business? How much would it cost to neutralize them? How can you be sure that the chosen measures will yield the desired result at the lowest cost?

The ability to draw up effective security budgets requires a good understanding of how sensitive the business is to certain events. Once you figure out the extent of the impact, you can work on minimizing its potential. A business impact analysis helps to focus on these areas and form a clearer picture of what to expect in an emergency.

Business impact analysis (BIA) is structured research of the consequences a company may face as a result of different events. A team of experts examines the organization’s activities and processes while identifying key operations and assets. As a result, the company receives a qualitative and quantitative assessment of the consequences for the business if a dangerous scenario occurs.

In 2015, the International Organization for Standardization (ISO) developed the first global BIA standard, ISO/TS 22317:2015. It included guidelines for conducting and documenting a business impact analysis according to the needs of an organization. ISO/TS 22317:2015 is part of a family of standards dedicated to business continuity management (BCM).

In 2021, a new version of the standard, ISO/TS 22317:2021, was released. It became more practical: the authors describe step by step how to conduct the analysis, focusing on the continuity of priority products and services while gradually expanding the scope of the investigation. It is this version of the standard that we recommend relying on when conducting a BIA.
10 reasons to conduct a BIA

1. Obtain reliable data that describes the impact of malfunctions in the infrastructure and processes.
2. Determine the negative impact threshold at which the company can continue to operate.
3. Define the resources required for minimum service availability.
4. Compare how the company’s business units depend on each other.
5. Prepare for changes in the external environment and for possible risks, develop a continuity management strategy.
6. Break down abstract threats into understandable risks and manage their consequences.
7. Substantially reduce the scope of risk assessment, target the threats that can cause significant damage to your business, and concentrate on addressing the most severe vulnerabilities. Learn more about this in the section Cyber risk management.
8. Predict and reduce the effects of negative events, develop a strategy to protect your corporate data and assets.
9. Establish effective budgeting for preventive measures, relying on realistic estimates of the potential damage.
10. Improve the company’s resilience and competitive edge.
How a business impact analysis is performed

Depending on the size of the organization and the number of areas being investigated, the initial analysis can take anywhere from 3 to 12 months. If you start the BIA in the first quarter, by autumn the company will have the results to plan and budget process improvements for the next year.

In cases where a company has limited resources to conduct an analysis, we recommend focusing the initial research on the primary business processes and pushing the boundaries of the research during annual BIA revisions. Repeat data assessments are much faster to do and take up to a couple of months. These can be conducted in the middle of the year.

Service level agreement (SLA)

An SLA is a commitment between a service provider and a customer that stipulates the particular aspects of the service, such as:
• level of service availability
• guarantees of data safety
• incident response time
• incident mitigation deadlines
• sanctions for non-compliance with the service levels
BIA stages

1. Preparation
• Assembling a team of experts and responsible employees
• Gathering initial information
• Establishing the goals and expected results of the BIA

2. Demarcation
• Identifying key business products and services
• Defining core and supporting business processes
• Planning the terms and stages of the research
• Defining the business process owners and involved units

3. Development of an impact matrix
• Estimating a range of potential impacts from adverse events
• Assessing legal and contractual obligations, including SLA terms for products and services
• Developing an impact types and levels matrix (impact matrix)

4. Business process profiling
• Reviewing and describing the main and supporting business processes
• Examining the existing continuity measures, the technological part of the processes and operations, and their dependency on assets and miscellaneous factors

5. Data analysis
• Analyzing the consequences of breakdowns, downtime, and other negative effects on business processes
• Rating possible damage according to the impact matrix
• Calculating the downtime thresholds and defining continuity targets
• Ranking the products and services on the scale: maximum acceptable downtime duration, minimum acceptable level of performance in emergency situations
• Classifying business processes by their criticality

6. Conclusions and reporting
• Preparing a final report complete with a disaster recovery plan
• Developing recommendations for further continuity management measures
Step 1. Preparation

Main objective: clearly define the goals of the research and make sure that they are consistent with the results your company is looking for.

For a BIA to add real value, you need an experienced team of experts who understand business continuity management processes and are well-versed in the standards. These can be in-house employees or external specialists.

Before starting the analysis, the experts, together with the company’s top management, should communicate the goals, expected results, and tentative scope of the BIA. It is necessary to record how the information will be collected and stored, in what form and within what time frame the final report should be compiled. At this stage, you can estimate the number of involved departments and inform them about the start of the research. Additional departments can be engaged in the course of the project.

In preparation for the analysis

1. Notify the management and process owners of the planned BIA.
2. Assign a team of experts to conduct the analysis.
3. Collect preliminary data:
   • Describe the context of the organization (i.e., external and internal factors significant to the business).
   • Prepare lists of products, services, business processes, and their owners.
   • If the company has previously conducted a BIA, retrieve its results, previous impact assessment data, and other business continuity research.
4. Take notes with experts regarding the goals, tentative scope, expected results, and BIA timelines.
5. Schedule preliminary interviews between the experts, management, and key business process owners.
Step 2. Demarcation

Main objective: define the scope of work, develop a list of products, services, and processes to be researched.

The team begins by conducting preliminary interviews with the staff and collecting open-source data about the company. This is how the experts identify the products and services that make up the business. The order in which the experts receive the data is not so important. Often, the information about business processes appears first, followed by defining the products and services dependent on those processes. The main thing is to clearly define the scope of the work to be done.

In large organizations, products and services can be grouped according to SLA requirements, similar technical processes, common assets, operating modes, or business unit owners. In addition, a company can categorize its customers based on what services they use, what revenue they generate, and so on. This will allow the company to focus on the continuity of service to its most valuable customers.

We advise analyzing the life cycle of each product or service:

It is important to analyze the entire life cycle of a product

Many companies abandon their analysis at the point of sale. In this case, there is a risk of overlooking some events that are critical to the business. For example, customer support issues can result in reputational losses.

It is perfectly acceptable not to apply the BIA to the entire set of products and services of the company and focus on the most significant ones in terms of revenue or other factors. However, within a single product or product group, we recommend looking at all of the relevant processes without exception.
Step 3. Development of an impact matrix

Main objective: devise an impact matrix, taking into account the company’s goals and strategy.

It is important that the information about possible damages from negative events is collected for each group of products and services. The most effective method for this is to conduct interviews with top managers and department heads. Each business area must define and document the following:
• contractual obligations—customer expectations, contract terms, penalties, SLA
• partners and suppliers—opportunities and prospects for cooperation
• media and public relations—communication with the company’s target audiences, definition of reputational risks
• customer relations—a risk of losing current and future customers
• shareholder relations—influence of negative events on the company’s market value
• competitive positions—opportunity for peers to take advantage of the circumstances
• human resource management—retention of valuable staff
• compliance—interaction with authorized agencies, fines from regulators, changes in legislation

The result is a table with a description of critical events and the level of their impact on the business. Types of consequences, criteria, and thresholds are defined and agreed upon with the management. In the end, the organization should have a developed matrix of the potential damage, taking into account the goals and medium-term plans of the organization.

The practical usefulness of BIA depends on the accuracy of the analysis metrics. If the rating scale changes significantly with each repeat investigation, the company may receive conflicting data, which would lead to inconsistent decisions.

Example of an impact matrix

The impact levels and their values are given here as an example—in real life, experts set the scale based on the specifics of a particular company.

Insignificant: Minimal consequences are possible within the limits of operating losses.

Acceptable: The event leads to lower productivity, but without significant damage to the business.

Significant: The event affects KPIs for certain operations within the business processes. The damage is contained in the limits of operational risk management.

Critical: The event has a serious impact on one or more business processes, resulting in substantial damage to the company.

Unacceptable: The event affects key business processes and the company’s operations as a whole, resulting in severe damage to business and its market positions.
Level of impact and assessment criteria

| Impact type | Insignificant | Acceptable | Significant | Critical | Unacceptable |
|---|---|---|---|---|---|
| Financial damage (loss of expected revenue) | <0.5% | 0.5–1% | 1–5% | 5–10% | >10% |
| Deviation from business objectives | — | 0.1–1% | 1–5% | 5–10% | >10% |
| Reputational damage | Occasional complaints that do not spread to the public domain | Negative reviews on corporate social media accounts, occasional public complaints | Complaints and appeals from customers and counterparties. Possible decrease in revenue, dissemination of negative reviews | Complaints and appeals from customers and counterparties, including written complaints to the authorities, damage to business reputation | Complaints and appeals from customers, counterparties, regulators, or the public. Damage to business reputation, dissemination of negative information in the media and on the Internet. Complications in running the business |
| Fines and liabilities | <$1,000 | $1,000–$10,000 | $10,000–$20,000. Class action lawsuits | $20,000–$50,000. Multiple class action lawsuits | >$50,000. Multiple class action lawsuits |
| Environmental or health hazard | — | — | Moderate damage | Substantial damage | Risk of fatalities or irreparable damage to the environment |
| Legal and regulatory repercussions | — | Warnings from the regulators | Warnings, warrants, and sanctions by authorities, including fines and lawsuits | Warnings, warrants, and sanctions by authorities, including fines. Civil lawsuits, court proceedings, investigative actions. Suspension of license | Warnings, warrants, and sanctions by authorities, including fines. Civil lawsuits, court proceedings. Revocation of licenses and permits |
| Customer outflow | <1% | 1–3% | 3–10% | 10–20% | >20% |
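To show how the thresholds in the example matrix turn measured consequences into an impact level, here is an added Python example; it is not the guide's own code. It encodes the four quantitative rows of the example matrix as printed (loss of expected revenue, deviation from business objectives, fines and liabilities, customer outflow) and rates a scenario by its worst consequence, which is how a single critical consequence makes the whole event critical. The scenario figures at the bottom are constructed, and the decision about which band a value exactly on a boundary falls into is the example's own.

```python
"""Rate a scenario against the guide's example impact matrix.

Added example, not part of the BI.ZONE guide. Thresholds are copied from the
example matrix; the scenario at the bottom is constructed.
"""
from typing import Dict, List, Tuple

LEVELS = ["Insignificant", "Acceptable", "Significant", "Critical", "Unacceptable"]

# Upper bounds of the first four bands for each quantitative impact type.
# Anything above the last bound is Unacceptable. The first band reads "<x"
# (exclusive bound); the later bands read "a–b", taken here as inclusive.
THRESHOLDS: Dict[str, List[float]] = {
    "revenue_loss_pct": [0.5, 1.0, 5.0, 10.0],
    # The matrix leaves the Insignificant cell empty for this type, so the
    # scale starts at Acceptable (the "0.1–1%" band).
    "objective_deviation_pct": [0.0, 1.0, 5.0, 10.0],
    "fines_usd": [1_000, 10_000, 20_000, 50_000],
    "customer_outflow_pct": [1.0, 3.0, 10.0, 20.0],
}


def level_index(impact_type: str, value: float) -> int:
    """Return the 0..4 band index of a measured value for one impact type."""
    bounds = THRESHOLDS[impact_type]
    if value < bounds[0]:
        return 0
    for i in range(1, len(bounds)):
        if value <= bounds[i]:
            return i
    return len(LEVELS) - 1


def classify_value(impact_type: str, value: float) -> str:
    return LEVELS[level_index(impact_type, value)]


def classify_scenario(scenario: Dict[str, float]) -> Tuple[str, Dict[str, str]]:
    """Rate a scenario: each impact type is rated on its own scale and the
    worst of them sets the overall level of the event."""
    per_type = {t: classify_value(t, v) for t, v in scenario.items()}
    worst = max(LEVELS.index(lvl) for lvl in per_type.values())
    return LEVELS[worst], per_type


# Constructed figures for a hypothetical four-hour outage (not from the guide).
OUTAGE_4H: Dict[str, float] = {
    "revenue_loss_pct": 3.0,
    "objective_deviation_pct": 0.8,
    "fines_usd": 12_000,
    "customer_outflow_pct": 12.0,
}

if __name__ == "__main__":
    overall, detail = classify_scenario(OUTAGE_4H)
    for impact_type, level in detail.items():
        print(f"{impact_type:<26} {level}")
    print("overall:", overall)
```

Run stand-alone, the script rates the constructed outage as Critical: revenue loss and fines land in the Significant bands, but a 12% customer outflow falls into the Critical band and drives the overall rating. Qualitative rows of the matrix (reputational, environmental, legal) cannot be reduced to a number and are rated by the experts directly.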
Step 4. Business process profiling

Main objective: collect maximum data to adequately assess the possible losses from adverse events and allocate a reasonable budget for implementing business continuity measures.

The experts conduct in-depth interviews with those who know the most about the processes—their owners and key employees. The list of specialists to be interviewed should be drafted in the first stages of the research.

Information to be gathered

1. Process description. What is its function? What does it consist of? How are the employees involved? This information will help you analyze all the stages of the process and lay out the sequence of operations within technological chains.

2. Results. What is the outcome of the process? How do the results correlate with certain assets? How are they measured: in money, percentage of output, fractions, conventional units? These answers will help experts formulate questions about the dependencies of business results on specific assets.

3. Resources. What is the full profile of all the assets and systems that are used in business operations? For example, in accounting, these would be financial software, document management systems, electronic signature services, banking applications, etc.

4. Effects. What consequences are possible in this process? How will the company suffer in the event of downtime? What financial losses are likely to occur? It is necessary to carefully review the workflow and identify all scenarios of potential damage. For example, if the external e-signature service stops working, the company might miss the deadline for submitting a tender application, and thus, lose an important deal.

5. Business unit interactions. What supportive and related processes do core operations depend on? For example, sales can be influenced by IT, marketing, the legal department, and logistics.

6. Acceptable downtime. What is the maximum duration for which operations can stop without significant losses to the business? What happens if the downtime is longer? First, the owners of the main processes share their views, then the experts talk to the representatives of the supporting processes. Together, they need to create a clear picture of the processes, and, for each undesirable situation, identify the threshold at which it begins to cause damage.

7. Recovery. How long does it take for a department or business line to resume operations? What are the possible setbacks in the supporting processes, and what are the required actions in the event of such setbacks? Again, this information needs to be gathered from both core and supporting processes to get a realistic view of possible downtimes.
Step 5. Data analysis

Main objective: obtain a complete and accurate account of all the possible negative scenarios for the business and their consequences.

As the experts analyze the information throughout the investigation, it is difficult to pinpoint when exactly the main stage of the analysis begins. Once all the interviews have been conducted, the necessary information gathered, and the organization’s operational profile fully understood, the analysis becomes a full-fledged process.

This step can effectively be broken down into two parts:
• The experts start by analyzing each business process separately and approve the reports on them.
• Then the team makes an overall assessment for the company.

When analyzing individual business processes, the experts must investigate the following:
1. Potential downtime scenarios, malfunctions, or process disruptions (determine the impact levels of possible consequences).
2. The effects of service unavailability on business processes (calculate RTO and MTPD for specific assets).
3. The impact of individual business operations downtime on specific processes (assess RTO, MTPD, MAC for business operations).
4. The significance of losing data or access to it over various time intervals (determine RPO and MTDL for the assets in use).
5. The impact of operational delays on adjacent processes.

RTO (recovery time objective)
The target time allotted to restoring system or process availability in the event of a crash or system failure.

MTPD (maximum tolerable period of disruption)
The length of permissible downtime of a business process (i.e., the time after which the impact on the business becomes unacceptable). As a rule, this value is set to the upper or lower limit of critical damage.

MAC (minimum acceptable capacity)
The lowest acceptable performance index of a business process. Calculated in production units.

RPO (recovery point objective)
The target point of restoration beyond which some data might be lost.

MTDL (maximum tolerable data loss)
The largest permissible amount of data loss. As a rule, this value is set to the upper or lower limit of critical damage.
In general practice, the results of the analysis are drawn up in a table that describes the impact caused by each resource that becomes unavailable. The table clearly shows the extent of business unit dependencies on particular assets, and how the negative effects of asset shortages accrue over time. This way, companies can make well-founded decisions when prioritizing the requirements for capacity management and business continuity.

The final document for each business process includes the following:
• description of the process with the involved assets and the expected results
• data on the relationship between the business processes
• description of the supporting processes, including downtime recovery and process continuity
• analysis of the possible consequences in case of malfunctions and disruptions of the business process

Before compiling an aggregated result for the company, the experts, together with the process owners, need to record the levels of impact when assets become unavailable and certain activities are disrupted. The team approves the RTO, RPO, MTPD, MTDL, MAC, and other continuity requirements previously defined with the customer.

Companies tend to ignore scenarios and events at the junctions of multiple systems. Therefore, experts should make sure they have analyzed all the consequences of disruptions in both the business process and its links with related elements.
How it works on the example of an internet provider

The customers of such a company expect their internet connection to be stable and fast. Network unavailability can have an extremely negative effect on business, with losses growing dynamically over time.

The internet service provider must promptly sort out requests submitted to technical support—this process also needs to be included in the analysis. When, for example, the support engineers process customer requests in CRM, the system must operate steadily with no interruptions so as not to undermine the business reputation.
Table of the disruptions impact on business processes

All data presented here is for the sake of example.

| Product, service, business process (BP) | Asset | Downtime | Level | Impact |
|---|---|---|---|---|
| Internet access | — | <5 min | Insignificant | Isolated negative reviews that do not spread to the Internet |
| Internet access | — | <15 min | Acceptable | Unlikely termination of contracts or loss of potential customers, the loss of expected revenue does not exceed 1% |
| Internet access | — | 15 min–1 hour | Significant | Complaints from customers and counterparties. Distribution of negative reviews in the public domain, customer outflow. A decline in expected revenue of 1–5% |
| Internet access | — | 1–4 hours | Critical | Complaints from customers and counterparties. Customer outflow, loss of potential clientele. A decline in expected revenue of 5–10%. Liability from $10,000 to $20,000 |
| Internet access | — | >4 hours | Unacceptable | Class action lawsuits, complaints, appeals by customers, counterparties, regulators, or the public. Dissemination of negative sentiments about the company in the media and on the Internet. Complications in running the business. A decline in expected revenue of 5–10%. Liability from $20,000 to $30,000 |
| BP 1. Technical support | CRM | <5 min | Insignificant | According to the SLA, the provider has to address a customer appeal within 5 minutes. Such a response time does not result in negative consequences |
| BP 1. Technical support | CRM | <10 min | Acceptable | Minor delays in BP 1. Possible occasional negative reviews that do not spread to the Internet |
| BP 1. Technical support | CRM | 10–30 min | Significant | BP 1 lags. Complaints from customers and counterparties. Possible customer outflow. A decline in expected revenue of up to 5% |
| BP 1. Technical support | CRM | 30 min–1 hour | Critical | BP 1 stops during system unavailability. The spread of negative reviews on the Internet. Customer outflow, loss of potential customers. A decline in expected revenue of 5–10% |
| BP 1. Technical support | CRM | >1 hour | Unacceptable | Prolonged shutdown of BP 1, termination of services. Complaints from customers, counterparties, regulators, or the public. Damage to business reputation, dissemination of negative sentiments about the company in mass media and the Internet. Complications in running the business. A decline in expected revenue of more than 10% |
Once the BIA reports on specific business processes have been approved, the experts build an overall company profile.

The same asset can be used in several business processes simultaneously. Yet, if the asset becomes unavailable for a day, some of the processes may only be slightly affected, whereas others would not last an hour without it. The experts must identify the most critical scenario in terms of the company’s assets and operations.

Based on aggregate assessments, the experts analyze the inconsistencies. For example, a company runs an asset for a regular but non-critical process, while in another process, its unavailability at a crucial moment may be treated as a risk factor.
Summary table of the disruption impact on business processes over time

All data presented here is for the sake of example.

Rating scale: I = Insignificant, A = Acceptable, S = Significant, C = Critical, U = Unacceptable. Columns: business process (BP), business operation within the process (BO), asset, and the impact of the asset’s unavailability after 30 minutes, 1 hour, 4 hours, 1 day, 3 days, 1 week, 1 month, and 1 quarter.

BP | BO | Asset | 30 min | 1 hour | 4 hours | 1 day | 3 days | 1 week | 1 month | 1 quarter
BP 1 | BO 1.1 | Asset 1 | A | S | S | C | C | C | U | U
BP 1 | BO 1.1 | Asset 2 | S | S | C | U | U | U | U | U
BP 1 | BO 1.1 | Asset 3 | S | S | S | C | C | U | U | U
BP 1 | BO 1.2 | Asset 1 | S | C | C | U | U | U | U | U
BP 1 | BO 1.2 | Asset 3 | I | I | A | A | A | S | S | S
BP 2 | BO 2.1 | Asset 1 | A | A | A | S | S | S | S | S
BP 2 | BO 2.1 | Asset 3 | S | S | S | C | C | C | U | U
BP 2 | BO 2.1 | Asset 4 | A | A | A | A | A | A | A | A
BP 2 | BO 2.2 | Asset 1 | S | C | C | C | C | U | U | U
BP 2 | BO 2.2 | Asset 2 | I | A | A | A | S | S | S | S
BP 2 | BO 2.2 | Asset 3 | S | S | S | C | C | U | U | U
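The aggregation described above (the worst-case scenario for an asset shared by several processes, and the inconsistencies the experts then review) carried out over the example rows of the summary table, as an added example that is not code from the guidelines; the function names and the three-level gap used to flag an inconsistency are assumptions.

```python
"""Aggregate the BIA summary table into a per-asset worst-case profile.
Added example, not code from the BI.ZONE guidelines; names are hypothetical."""
from __future__ import annotations
from dataclasses import dataclass

# Outage durations in the column order of the summary table.
HORIZONS = ("30 minutes", "1 hour", "4 hours", "1 day",
            "3 days", "1 week", "1 month", "1 quarter")
# Insignificant < Acceptable < Significant < Critical < Unacceptable
SEVERITY = {"I": 0, "A": 1, "S": 2, "C": 3, "U": 4}
LABEL = {v: k for k, v in SEVERITY.items()}

# The summary table's example rows, embedded as constructed input.
SUMMARY_TABLE = """\
BP 1 BO 1.1 Asset 1 A S S C C C U U
BP 1 BO 1.1 Asset 2 S S C U U U U U
BP 1 BO 1.1 Asset 3 S S S C C U U U
BP 1 BO 1.2 Asset 1 S C C U U U U U
BP 1 BO 1.2 Asset 3 I I A A A S S S
BP 2 BO 2.1 Asset 1 A A A S S S S S
BP 2 BO 2.1 Asset 3 S S S C C C U U
BP 2 BO 2.1 Asset 4 A A A A A A A A
BP 2 BO 2.2 Asset 1 S C C C C U U U
BP 2 BO 2.2 Asset 2 I A A A S S S S
BP 2 BO 2.2 Asset 3 S S S C C U U U
"""


@dataclass(frozen=True)
class Row:
    process: str              # e.g. "BP 1"
    operation: str            # e.g. "BO 1.1"
    asset: str                # e.g. "Asset 1"
    ratings: tuple[str, ...]  # one letter per horizon

    def use(self) -> str:
        return f"{self.process} / {self.operation}"


def parse_table(text: str) -> list[Row]:
    """Parse 'BP n BO n.m Asset k <8 ratings>' lines, rejecting bad rows."""
    rows: list[Row] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 + len(HORIZONS):
            raise ValueError(f"wrong number of fields: {line!r}")
        ratings = tuple(parts[6:])
        if any(r not in SEVERITY for r in ratings):
            raise ValueError(f"unknown rating in {line!r}")
        # Impact cannot ease as the outage grows; a dip is a data-entry error.
        if any(SEVERITY[b] < SEVERITY[a] for a, b in zip(ratings, ratings[1:])):
            raise ValueError(f"impact decreases over time in {line!r}")
        rows.append(Row(" ".join(parts[0:2]), " ".join(parts[2:4]),
                        " ".join(parts[4:6]), ratings))
    return rows


def worst_case_profile(rows: list[Row]) -> dict[str, tuple[str, ...]]:
    """Per asset: the highest rating at each horizon across all its uses."""
    worst: dict[str, list[int]] = {}
    for r in rows:
        cur = worst.setdefault(r.asset, [0] * len(HORIZONS))
        for i, rating in enumerate(r.ratings):
            cur[i] = max(cur[i], SEVERITY[rating])
    return {a: tuple(LABEL[v] for v in vals) for a, vals in sorted(worst.items())}


def tolerance(rows: list[Row], asset: str,
              threshold: str = "U") -> tuple[str | None, list[str]]:
    """Shortest outage after which any use of `asset` reaches `threshold`,
    and the uses that drive it; (None, []) if no use ever gets there."""
    limit = SEVERITY[threshold]
    uses = [r for r in rows if r.asset == asset]
    for i, horizon in enumerate(HORIZONS):
        hit = [r.use() for r in uses if SEVERITY[r.ratings[i]] >= limit]
        if hit:
            return horizon, hit
    return None, []


def divergent_uses(rows: list[Row], min_gap: int = 3) -> list[tuple]:
    """Inconsistencies for expert review: uses of one asset that disagree by at
    least `min_gap` levels at the same horizon (asset, horizon, low, high)."""
    by_asset: dict[str, list[Row]] = {}
    for r in rows:
        by_asset.setdefault(r.asset, []).append(r)
    found = []
    for asset, uses in sorted(by_asset.items()):
        for i, horizon in enumerate(HORIZONS):
            lo = min(uses, key=lambda r: SEVERITY[r.ratings[i]])
            hi = max(uses, key=lambda r: SEVERITY[r.ratings[i]])
            if SEVERITY[hi.ratings[i]] - SEVERITY[lo.ratings[i]] >= min_gap:
                found.append((asset, horizon, lo.use(), lo.ratings[i],
                              hi.use(), hi.ratings[i]))
    return found


ROWS = parse_table(SUMMARY_TABLE)
```

On the example rows, Asset 2 is the case the text describes: BP 2 / BO 2.2 rates a one-day outage as merely Acceptable while BP 1 / BO 1.1 rates it Unacceptable, so the company-wide profile must take the latter.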

Step 6. Conclusions and reporting

Main objective: provide company management with the information to make reasoned decisions about the budget for preventive continuity measures.

The BIA conclusions report is the starting point for preparing a business continuity plan.

Approximate content of the report:
• Goals and objectives of the research
• Scope of the analysis (the list of examined products, services, and business processes)
• Process of analysis (how the research was conducted)
• Results:
  • impact matrix
  • potential impact resulting from a disruption of business functions and processes
  • thresholds at which the business can operate without critical losses
  • continuity targets for the business to achieve
  • situations where current continuity measures do not meet performance targets. For example, production cannot remain idle for more than 24 hours, while it takes the company 48 hours to restart it after a malfunction. The report outlines recommended approaches to eliminate existing risks. The details are worked out later with the company’s specialists
  • a priority list for restoring normal business operations. Processes with the greatest financial and operational impact should be recovered first
• Expert recommendations

Depending on the organization and its initial goals, the recommendations can be general or more detailed. They may contain the following:
• RPO, RTO targets
• estimated asset reserves for capacity management
• key areas for employee training and testing
• response and recovery procedures in case of downtime
• recommendations that ensure business continuity
Conclusion

The Covid-19 pandemic, the reshuffling of the global supply chains, and the dramatic changes in market conditions in recent years have taught us the importance of building business continuity. A BIA is the first rational step along this difficult path.

Such complex research requires time, expertise, and the commitment of the company’s management. Once all these factors are in order, the business can cultivate a competitive advantage more effectively. The BIA will point out the weaknesses in processes, help allocate resources rationally, and save enormous amounts of money that could have gone to cover damages.

With the BIA, you can also identify the impacts with the most serious consequences for the company. See the next section, Cyber risk management, for more on how to handle such issues.
Section 02 / 05

Cyber risk management. Identifying the main threats to your company

Key ideas, p. 28
Why prioritizing risks is important and how to approach this task, p. 29
What standards underpin our approach to cyber risk management, p. 31
What benefits come with a combined approach, p. 33
How to establish effective cyber risk management, p. 35
Conclusion, p. 41
Key ideas

1. When conducting cyber risk assessments, it is very difficult to account for all the threats that exist. It is more important to focus on those that can have the most critical impact on core business processes. This requires looking at potential negative scenarios through the lens of impact on the business.

2. A business impact analysis can reduce severalfold the number of risks a company has to address in order to maintain cyber resilience.

3. We have developed and tested a combined approach to risk management. It allows you to analyze business resilience at the highest level, look deeper into your processes, and address specific vulnerabilities that could harm your company.
Why prioritizing risks is important and how to approach this task

Imagine you have a stack of documents in front of you: business agreements, company orders, internal memos. Your time to process them is limited, therefore it makes sense to start with those tasks where any delay could disrupt crucial business processes. For example, without a signed agreement with a courier agency, your customers will not get their orders when expected; if tender papers are not submitted on time, the company will miss out on a lucrative project, and so on. Less significant documents can wait.

The same principle can be applied to cyber risk management: focus on the scenarios that produce critical consequences and avoid wasting resources on tolerable situations, albeit at a cost.
A conventional approach to cyber risk assessment focuses on the threats that compromise the confidentiality, integrity, or availability of information: from exploitation of vulnerabilities to cybersecurity code violations. Such assessments show which systems are vulnerable to a particular type of cyberattack, for instance, DDoS or ransomware, and the results are compiled into a detailed report.

The report comes out very bulky: a minimum of 3 threats are analyzed for each asset, with 2–3 exploit scenarios per threat using various vulnerabilities. A small company may have 2,000–7,000 unique cybersecurity risks that must be addressed. For a large enterprise or a factory with many production lines, the figure is even higher, reaching tens of thousands.

The CEO of a company may not be too concerned with the technical issues. Instead, they need to understand the impact of cyberattacks on their business and estimate the possible financial losses.

Therefore, within the management system,[1] it would be more effective to manage the risks of consequences for the business, rather than the risks of threat materialization. These effects can be identified and described through the BIA.

Our own cyber risk management methodology builds on this idea. It is based on an iterative evaluation:
• Start from the top, using a BIA to determine the negative consequences for the company as a whole.
• Then proceed down to the key products and services—those that bring in the main profits. Determine the consequences of their continuity failures.
• Finally, move on to the business processes and assets that are directly connected to profit generation. This way, we focus on the risks that are critical to specific operations or resources.

Thus, we gradually narrow down the threats to the most dangerous vulnerabilities. This method helps to determine how particular risks can unfold and provides a clear and straightforward picture to further manage the issues.

The BI.ZONE combined approach was finalized and tested in 2019. In January 2020, having received high praise from experts, it passed a BSI[2] certification audit for compliance with the following international standards:
• ISO 9001, Quality management systems (QMS)
• ISO/IEC 27001, Information security management systems (ISMS)

Our approach combines several recognized standards, which we discuss next.

[1] By this term, we mean a variety of systems: quality management, information or production security management, business continuity management, environmental management, and so on.
[2] The British Standards Institution (BSI) was founded in 1901. Today, BSI is the world leader in management systems as well as the leading authority on standardization and certification.
What standards underpin our approach to cyber risk management

As our own experience shows, no single existing risk management standard alone can deal with the impact of negative events on the business. However, it is possible to combine the methods from several standards.

ISO 31000 promotes the iterative approach we discussed above: a gradual dive from the macro level to the lower levels, which is done to simplify risk analysis. This series includes the IEC 31010 standard that describes basic assessment techniques. However, they do not take into account the specifics of the cybersecurity industry and hence are not applicable to our case.

There is an ISO/IEC 27005 standard for cyber risk management. The document deals with the technical aspects of risks, assessing their impact on the security of digital assets. However, this leaves out the following issues that are of most concern to a business:
• Can the company achieve its goals in spite of the incident?
• Would the incident cause damage to the environment and human health?
• What losses would the business incur—financial or reputational impact, loss of market share?
• Does the situation violate legal regulations or contractual obligations?
The situation changes if the BIA method is used in risk assessment, as described in one of the ISO/IEC 27005:2022 paragraphs. A BIA allows you to examine the range of possible consequences in all business processes and assess which risks can be accepted and which need to be further explored in depth. If the damage exceeds the critical indicators, the company will be able to deliberately allocate a budget to protect itself from losses.

Business impact analysis is outlined in ISO/TS 22317. However, this standard by itself would not apply to our task either: it does not address risk and vulnerability assessment of assets.

A combined approach that incorporates all of these standards will allow the company to look at risk management from a different perspective and get a qualitatively different result.

International standards that form the basis of our combined approach to cyber risk management:

ISO 31000:2018, Risk management—Guidelines, IDT
Developed by the International Organization for Standardization. Contains general recommendations on risk management in terms of economic performance and professional reputation.

IEC 31010:2019, Risk management—Risk assessment techniques, IDT
Provides an overview of approaches and techniques that can be used in the iterative approach.

ISO/IEC 27005:2022, Information security, cybersecurity and privacy protection—Guidance on managing information security risks, IDT
The main document that regulates risk management in cybersecurity.

ISO/TS 22317:2021, Security and resilience—Business continuity management systems—Guidelines for business impact analysis
Describes an analysis of the impact of events on business.
What benefits come with a combined approach

1. The volume of processed information is reduced manifold. The analysis includes only those threats that can cause significant damage to the business.

2. It is easier to manage process continuity. The company can select measures to mitigate those risks that are critical for a particular business operation.

3. There are more opportunities for risk management in general. The approach transcends cybersecurity and encompasses the broader context of business processes.

With the conventional approach to risk management, the business gets a rather abstract definition of risk. Take the example of a goods vendor that distributes orders through a logistics IT system. If the system crashes due to a malfunction or a cyberattack, the company will face customer dissatisfaction, late delivery fines, and other negative consequences. Further tasks will depend on the company’s strategy for building risk management.

Let us compare:

Conventional approach | Combined approach
Disruption in the availability of the logistics system | Damage to reputation and breach of contractual obligations due to the inability to deliver goods on time as a result of the logistics system downtime

What is the main difference? In the first case, the priority is to protect the service itself, which can be quite expensive. The combined approach helps you focus on delivering orders to customers. This wording would suggest that the damage from IT system downtime can be reduced by engaging a courier service, for example.
In our experience, the combined approach speeds up the cyber risk assessment three times. In the case of BI.ZONE, an analysis of 5 processes and 400 assets revealed about 4,000 risks, which could take up to a month and a half to analyze. Now, we only have to focus on half as many assets with respect to these processes, and the number of relevant vulnerabilities and threats has decreased threefold. The overall assessment can now be completed in about two weeks, while the actual workload has decreased fivefold, to 800 risks, without compromising the result. We exclude scenarios that are obviously irrelevant since they cannot cause significant damage to the business and therefore do not require further processing. Only the most significant and unacceptable scenarios are subject to analysis.

Mitigation measures should be implemented first and foremost for risks that can lead to unacceptable consequences for the company. Therefore, the CEO will eventually receive from 5 to 20 business-critical risks to consider as priority. Below, we will lay out a step-by-step approach to working out a list of the most dangerous scenarios for the business.

[Infographic: 3x faster cyber risk assessment using the combined approach. Chart comparing the number of assets, the number of threats, and the total number of assessed risks under the conventional approach and the combined approach.]

The combined approach allows us to employ a transversal method and common management practices in a QMS and an ISMS. When applying a BIA, it does not matter whether the damage occurred due to poor product quality or an IT system failure. What is important is to look at the business consequence and assess how critical it is.
How to establish effective cyber risk management

Step 1. Determine the range of potential risks and opportunities given the context of the organization’s activity.

Any standard with reference to ISO 31000 requires that risk management begins with identifying the business context, the external and internal factors that may affect it, and the risks and opportunities associated with such factors.

The context is not just the company’s core business, whether it is sales, construction, or oil production. It is important to consider in what environment and under what conditions that business evolves. A construction company can work from paper blueprints or use the latest CAD systems, build massive production facilities, medium-sized residential houses for real estate developers, or small cottages for private customers. Each such case is a different turnover, a different form of contract, a different level of responsibility, and therefore a different risk.

How the same factor can carry both risks and opportunities is well illustrated by the recent pandemic. The forced transition to remote work proved to be a difficult process for many companies. Their infrastructure could not cope with the excess load, exposure to cyberattacks increased, and some companies that were unable to reconfigure their business withdrew from the market altogether. On the other hand, this situation served as a strong incentive to develop all kinds of online sales and services.
Step 2. Identify all types of possible negative effects and develop an impact matrix that describes their criticality for the business.

This stage begins the impact analysis. For each activity type it is necessary to:
• consider its role in the business, identify the main stakeholders
• identify all types of consequences
• determine the possible magnitude and threshold of criticality levels
• develop an impact matrix

Let us assume that the goods vendor has identified three areas of activity: purchasing, sales, and logistics. The last item is a secondary business function that does not generate profit by itself. However, problems with delivery can lead to undesirable consequences, for example, financial: indemnity, lost profits, fines, legal fees and settlements.

As a result, the company receives a high-level assessment of the extent of damage: when negative consequences are in the acceptable green zone, and when they become significant (yellow zone) or unacceptable (red zone). Schematically, the matrix may look like this (the figures are given as an example):

Impact type | Potential damage: Acceptable | Significant | Unacceptable
Financial | Operating losses up to $2,000 | Unforeseen expenses and fines up to $10,000 | Losses exceeding 25% of turnover/capital
Reputational | — | Commitment violations | Customer outflow

The quality of risk management depends on how well the company can develop the impact matrix.
Step 3. Analyze possible causes and scenarios of specific negative consequences.

Proceeding with the BIA, for each business process you should:
• consider all the major resources that are involved in the process, such as people or information
• analyze possible disruption scenarios
• identify potential consequences and rank them according to the impact matrix

Let us continue with our pandemic example where a company had to reconfigure business processes and switch to telecommuting. To assess how critical this is, the company needs to do a BIA of all its processes. It may turn out that one of the processes, such as product development, can be seamlessly transitioned to telecommuting, in which case the damage of such changes would be in the green zone.

Another process, such as production, cannot be made remote. Stopping it will cause serious consequences, up to and including loss of profits and reputation, because the company will not be able to fulfill its contractual obligations on time. Such damage can become significant and even unacceptable. Business impact scenarios of this kind definitely require further analysis.
Step 4. Plan for risk management of the consequences in every business domain.

Following the third iteration, the company will have a large list with scenarios of negative effects across all business processes with links to relevant assets. Since the consequences are ranked on an impact matrix, the company can discard “green” risks and focus on the yellow and red zones or just the red zone, considering the current goals and the number of levels on the scale.

Depending on the asset, causes, and consequence scenarios, some risks will fall within the cybersecurity domain, while others will go beyond it. This will determine the method and standards to deal with them next. The cybersecurity risks, which we are most interested in, will be analyzed using ISO 27005, while QMS risks and continuity risks, let us say, will go through IEC 31010 and ISO 22301 analysis, respectively.

ISO 22301:2019, Security and resilience—Business continuity management systems—Requirements
Provides a methodology for managing business continuity in an organization.

Some risks may affect multiple areas at once, and therefore need to be considered within each area individually. Let us go back to the vendor company that placed the risk of logistics system downtime in the red zone. The same event can be viewed from three perspectives:
• quality management (a risk of violating contractual obligations)
• business continuity management (a risk of disruption to business operations)
• information security management (a risk of disruptions to the information system accessibility)

Having worked through such a scenario using the three methodologies, the company will be able to find the best way to minimize the damage. Suppose the vendor organizes an alternative method of delivery as part of a continuity management system according to the ISO 22301 methodology. This would be the most effective approach, and it would not be feasible to reduce the risks in other areas by investing in expensive technical solutions. The opposite may also be the case: it makes the most sense to treat the risk across all systems by combining the most appropriate measures from different areas.
Step 5. Process the identified cybersecurity risks in more detail at the ISMS level.

In the final stage, cybersecurity risks defined in terms of business impacts are decomposed and detailed using an iterative method. In each iteration, we gradually narrow down the range of plausible cyber threats, descending to the level of specific attack scenarios, then to vulnerabilities, and security events. Thus, it is possible to identify the conditions that can lead to the occurrence of risks posing real damage to the activities and goals of the organization.

In our example with the goods vendor, it is important to proceed further and analyze in detail the risk of impact from logistics system downtime. It is necessary to understand what exact kind of threat could cause a serious supply disruption.

In further iterations, it may turn out that the most relevant threat is the one leading to prolonged system downtime or irrecoverable loss of the database. And this, given the existing vulnerabilities and defenses, may already point to the most dangerous risk scenarios, for example, through targeted attacks or the actions of ransomware.

In this case, the most effective way to mitigate the damage would likely be to focus on developing a solution that can guarantee full recovery of the logistics system within an hour, rather than investing in expensive defenses against targeted attacks.

[Diagram illustrating the steps]

Risk assessment should be conducted regularly—every year and also whenever significant changes occur in the company’s infrastructure.
Conclusion

Analyzing and managing risks is a complex task: the number of risks and related scenarios can amount to tens of thousands. Nevertheless, they should be addressed to ensure business continuity and competitiveness.

Our approach reduces the resources required to conduct risk assessments and increases the cyber maturity of an organization. Risk management changes qualitatively—the company gets more targeted and effective protection from real losses and allocates its security measures correctly.
Section 03 / 05

Awareness. Mitigating human error in corporate cybersecurity

Key ideas, p. 43
How low cyber awareness hurts business, p. 44
How to identify the areas that would suffer most from a cyberattack on employees, p. 46
How to plan cybersecurity training, p. 47
Which business units are most vulnerable to attacks, p. 49
How to ensure the effectiveness of training, p. 50
Conclusion, p. 52
Key ideas

1. Low levels of cyber literacy among employees and contractors increase security risks and can bring disruption to normal workflow.

2. Teaching employees the basics of cyber hygiene mitigates the damage caused by human error. Thus, it can enhance resistance to phishing by nine times.

3. A BIA can help:
• understand the digital risks associated with the human factor
• assess the possible implications of such risks
• identify groups of people who can impact the risks (employees of different business units, counterparties, contractors)

4. Depending on the risks and the specific nature of responsibilities, the company needs to diversify education: from face-to-face and online courses to newsletters and practical exercises. It is important, however, to maintain a comprehensive approach that combines training, knowledge testing, and attack drills.

A competent approach to training will give your employees practical skills to avoid hackers and their tricks.
How low cyber awareness hurts business

An accountant kept the password to his work computer in notes on his phone. Hackers cracked the phone and compromised the corporate credentials, then leaked the company’s accounts.

A bank employee was using a public cloud to send confidential files. The cloud provider did not take proper care of its security, and the files ended up in the hands of criminals.

An office manager received a call on Sunday, allegedly from the company’s IT department. They reported on doing some urgent maintenance work and asked the employee to log in to the workstation at the office. To avoid the trip, the “IT specialist” helpfully suggested that the office manager share the user password over the phone. As a result, the scammers gained access to the corporate systems.

All of these examples have one thing in common: the organizations were compromised because of an error made by their employees. Even the most advanced technology is helpless where the human element is not factored into the security processes. The implications can be wide-ranging, including a complete halt to business.

The consequences of human error in cybersecurity
• leakage of corporate data
• disclosure of confidential information
• theft of intellectual property
• corruption or complete deletion of critical data
• unavailability of internal IT systems and user services
• financial and reputational damages
• fines and regulatory sanctions
The number of attacks on companies through their employees is growing from year to year. One of the reasons for this trend is the low level of cybersecurity awareness. Hackers understand they have a good chance to bypass security systems by exploiting company staff, and this trend is expected to persist.

How the human element reduces the effectiveness of cyber defenses

1. A company could be downplaying the risks associated with employees. For instance, by emphasizing protection technologies and overlooking the development of cybersecurity regulations. As a result, employees might use passwords that are easy to crack because the organization does not have a password policy.

2. Even if a company does have cybersecurity regulations, the language they are written in may be overly sophisticated. Employees might end up treating these regulations as yet another form of bureaucracy, which can be ignored. It is worth noting that if top management leads by example and shows the importance of complying with cybersecurity requirements, employees are more likely to do the same.

3. It is crucial that individuals follow the security guidelines outside of work, because even their personal smartphones can be a vector of attack against company infrastructure. In this regard, it is important to verify the actual destination of email links, both in the office and at home. And it is better not to connect to public Wi-Fi networks, neither from a corporate nor a personal device.

This is why we encourage our clients to consider—as soon as possible—how their security processes factor in human behavior. The first step toward this goal is to highlight the events that will have the greatest impact on their business.

300% increase in phishing attacks recorded globally in 2022 vs 2020[3]

[3] “Phishing Activity Trends Report 2nd Quarter 2022,” APWG.
How to identify the areas that would suffer most from a cyberattack on employees

A BIA allows an organization to understand which incidents are likely to have the biggest effect on business. This method helps to assess the full range of external and internal threats, direct and indirect losses from incidents: property damage, deterioration of service quality, loss of market positions.

With BIA, companies can perform the following steps to mitigate the human factor:

1. Identify core and supporting business processes with a focus on critical operations potentially vulnerable to human error.

2. Assess the possible scale of consequences if an incident does occur.

3. Determine the employees involved in these processes and classify them into target groups by key factors:
• nature of the activity
• methods and tactics that attackers are likely to implement when targeting a particular group
• scale of the possible consequences of a negative impact (e.g., the most tangible damage from an attack for one company might be leaked domain passwords, while a ransomware infection might be devastating for another).

4. Develop awareness activities for each group and prepare a course of action in case of a cyberattack.

By analyzing the damage and the nature of attacks on different groups of employees, you can decide on the level and depth of training for each group. Thus, employees with a high level of cyber awareness, like cybersecurity specialists, may not need additional training. Therefore, extra spending here is probably unnecessary. In contrast, accountants may need extended cyber training with phishing simulations or practical exercises.

Based on the BIA results, it is possible to plan the appropriate amount of training courses, their frequency, and the type of testing for different categories of employees. The plan reflects these individuals’ levels of access to information assets and systems. For example, system administrators have complete access, so they should be trained and tested more often, once a quarter. And for users who do not work with critical IT assets, annual training would suffice.
How to plan cybersecurity training

When you have conceptualized the potential damage and figured out who needs to improve cyber awareness and how, you can devise a training program that fits your company. The course activities will aid employees in understanding the following:
• damage that a business could face in an incident caused by a staff member
• methods that attackers can use against your employees
• importance of ongoing training and knowledge testing as well as correct actions in an incident
The set of training activities varies depending on the objectives:

Objective | Content | Benefits
Show the impact of incidents on business | A series of internal briefings for target groups (accountants, economists, logisticians, IT specialists, etc.). Each group has its own set of instructions, depending on the work performed and the possible incident implications | Employees get tangible insight into the impact of an attack on the operations and are encouraged not to be the cause of an incident
Introduce mitigation methods | Courses, training seminars for target groups of employees. The activities should cover the most damaging methods of attacks on a particular group: phishing for the sales managers, targeted attacks on the finance department, etc. | People gain practical knowledge of the mechanics behind cyberattacks
Monitor cybersecurity awareness | Testing, practice drills and response procedures, routine phishing email campaigns. The structure and schedule depend on the group needs | You get reports on the effectiveness of the training, which you can apply in further activity planning

For each group, we recommend developing a customized set of activities. This will make it easier to conclude on a suitable training plan. For example, one group can start with a training course, then test their knowledge and practice their skills in guided attacks. Another group goes through a simulated incident and then takes the course. After each training attack, it is necessary to collect statistics and analyze the actions of all participants. For instance, if the majority of a group fail the test, then they should be given an additional course before the next activity.

If any counterparties have access to the company’s infrastructure, they should also be divided into risk groups depending on how critical their influence is. This enables companies to determine whether to allocate a budget for their training, and to assess if any additional arrangements are required. For example, an agreement with such a third party can include a condition that external users undergo theoretical and practical training before they can access the corporate resources.
Which business units are most vulnerable to attacks

Using our BI.ZONE Security Fitness platform, we analyzed and identified categories of the most vulnerable employees by department. More often than not, dangerous practices are observed among employees outside the IT scope. Thus, we see that at least half of marketing and office managers open malicious emails.

How different employees deal with phishing
(share of employees who withstood the attack / opened the email / opened the email, clicked the link, and opened the attachment)

Procurement: 70% / 21% / 9%
Cybersecurity: 70% / 20% / 10%
IT: 67% / 23% / 10%
Legal: 67% / 22% / 11%
HR: 67% / 21% / 12%
Products: 64% / 28% / 8%
Development: 56% / 38% / 6%
Customer and partner relations: 55% / 33% / 12%
Marketing and communications: 53% / 35% / 12%
Administration and office management: 52% / 37% / 11%
C-suite: 51% / 38% / 11%
Finance and accounting: 50% / 31% / 19%
Analysts: 48% / 34% / 18%
Project office: 46% / 42% / 12%
Sales: 32% / 63% / 5%
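The statistics collection and follow-up planning described in the training section, as an added example that is not part of the original guide and not code from the BI.ZONE Security Fitness platform: a small Python script turns per-user results of a simulated phishing campaign into the three outcome categories of the chart above and applies the two rules from the text (a group where the majority fail gets an additional course before the next activity; administrators are trained quarterly, other staff annually). The drill export, department names and user names are constructed.

```python
"""Phishing drill scoring and follow-up planning (added example, not the
BI.ZONE Security Fitness platform). Per-user results of a simulated phishing
campaign are turned into the three outcomes of the chart on the page, and
the follow-up rules from the text are applied: a group where the majority
fail gets an additional course before the next activity, and cadence follows
the level of access (administrators quarterly, other staff annually).
Log lines, departments and user names are constructed."""
from __future__ import annotations

from collections import Counter, defaultdict

# Constructed drill export: user, department, access level, deepest action taken.
DRILL_LOG = """\
a.ivanova,sales,standard,clicked
b.petrov,sales,standard,opened
c.sidorov,sales,standard,opened
d.kim,sales,standard,none
e.lee,it,admin,none
f.chen,it,admin,none
g.wu,it,admin,opened
h.ross,finance,standard,clicked
i.diaz,finance,standard,none
j.abe,finance,standard,none
"""

# Chart categories, in order: withstood the attack / opened the email /
# opened the email, clicked the link, opened the attachment.
OUTCOMES = ("withstood", "opened", "clicked")
ACTION_TO_OUTCOME = {"none": "withstood", "opened": "opened", "clicked": "clicked"}
CADENCE_BY_ACCESS = {"admin": "quarterly", "standard": "annual"}


def parse_drill_log(text: str) -> list[dict]:
    """Parse the CSV-like export into one record per participant."""
    rows = []
    for line in text.strip().splitlines():
        user, dept, access, action = (p.strip() for p in line.split(","))
        rows.append({"user": user, "dept": dept, "access": access,
                     "outcome": ACTION_TO_OUTCOME[action]})
    return rows


def breakdown_by_department(rows: list[dict]) -> dict[str, dict[str, int]]:
    """Share of each outcome per department, in percent, like the chart."""
    counts: dict[str, Counter] = defaultdict(Counter)
    for r in rows:
        counts[r["dept"]][r["outcome"]] += 1
    result = {}
    for dept, c in counts.items():
        total = sum(c.values())
        result[dept] = {o: round(100 * c[o] / total) for o in OUTCOMES}
    return result


def plan_follow_up(rows: list[dict]) -> dict[str, dict]:
    """Decide the next activity per group: an additional course if the majority
    failed (anything but 'withstood'), and the training cadence from the
    highest access level present in the group."""
    plan = {}
    by_dept: dict[str, list[dict]] = defaultdict(list)
    for r in rows:
        by_dept[r["dept"]].append(r)
    for dept, members in by_dept.items():
        failed = sum(1 for m in members if m["outcome"] != "withstood")
        majority_failed = failed * 2 > len(members)
        has_admin = any(m["access"] == "admin" for m in members)
        plan[dept] = {
            "failure_rate": round(100 * failed / len(members)),
            "next_step": ("additional course, then repeat the drill"
                          if majority_failed else "next scheduled activity"),
            "cadence": CADENCE_BY_ACCESS["admin" if has_admin else "standard"],
        }
    return plan


if __name__ == "__main__":
    rows = parse_drill_log(DRILL_LOG)
    for dept, shares in breakdown_by_department(rows).items():
        print(dept, shares)
    for dept, step in plan_follow_up(rows).items():
        print(dept, step)
```

The failure threshold and the cadence mapping are deliberately separate from the parsing, so the same report can be re-cut when the target groups or the access levels change between campaigns.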
How to ensure the effectiveness of training

1. Encourage safe working practices in the office and remotely
The content of training materials and tests must be updated regularly. This enables people to stay informed about new cyber threats, technologies, and security practices. Make sure to conduct post-training check-ups to track employee progress.

2. Create a communication channel to report security events
This way employees will have the opportunity to report suspected incidents and consult with a cybersecurity specialist.

3. Provide guidance in case of a suspected incident
This will ensure that an individual takes proper actions from the very first steps of incident response. For example, it is important not to reboot the computer, to take screenshots for the security service, and to immediately report problems to IT.

4. Conduct regular phishing attack simulations
These help to prepare staff for real-life incidents and reduce the chances for hackers to succeed. Training attacks should cover the entire company: from regular business operations to executive management. The exercise report provides a true snapshot of how well different departments are prepared for cyber incidents, and how thorough their cybersecurity culture is.

5. Create regular newsletters for the entire company
This is a convenient way to distribute cybersecurity tips, show correct software settings and new security techniques, and warn staff about cyber threats.

6. Discourage cybersecurity violations
Such cases would require sanctions and disciplinary action, like withholding bonuses. Employees should have a sense of personal responsibility for complying with the rules. At the same time, the process of accountability should be as transparent as possible.

7. Use out-of-the-box training services
These can be IT solutions for security awareness—specific cybersecurity training programs compiled by experts. Such programs help to organize a continuous and monitored cycle of training and skills development.
Case study: cyber literacy vs phishing in fintech

The company owned an e-payment system and had regular encounters with attacks on its staff. We launched a newsletter about the rising number of phishing messages, describing their characteristics, and shared valuable response techniques. Unfortunately, this was not enough: the employees still opened the letters out of curiosity or carelessness. Some users simply ignored our newsletter due to low engagement in the process. It turned out that the company had never trained its employees to identify fraudulent emails. The framework for cybersecurity education was virtually non-existent.

What we did
• Identified target groups by the level of access to critical assets and by information security skills: “Finance and accounting,” “IT and cybersecurity,” “Operating specialists,” and “Low risk employees.”
• Developed a schedule of training courses and attack drills for each group. In doing so, we took into account the specifics of the company, the groups themselves, the working conditions, and the level of cyber hygiene in each group. The customized courses included client-specific assets, applications, and types of sensitive information. In addition, our experts expanded on the sections about secure work with e-payment systems.
• Implemented a continuous awareness process based on our platform. It included a series of routine training sessions for employees, attack drills, and improvements to the motivational scheme.

Results
• In six months, the number of vulnerable individuals dropped by 30%.
• The Security Champion incentive program increased employee involvement in cybersecurity compliance and strengthened loyalty.
• We updated the psychological profiles of employees.
Conclusion

An effective way to prepare your business against potential attacks on employees is to provide comprehensive and continuous training on safe digital workflows. These measures should ideally cover every person in the company, including senior leadership.

Training can be done internally: you can install special software, create emails and scenarios, design phishing attachments and pages. However, it is more effective to use off-the-shelf solutions that incorporate the latest mechanics of dealing with cyberattacks. This provides an opportunity to create a situation as close to reality as possible. Also, automated services help to collect statistics and analyze the progress of employees.

You can hire an expert company to simulate an emergency. The experts will imitate an attack, collect analytics, and provide recommendations on how to make people more resilient to digital threats.
Section 04 / 05

Monitoring. Improving resilience to cyberattacks through rapid incident response

Key ideas 54
Why preventive security measures are not enough 55
What is effective cybersecurity monitoring 56
How SOC improves incident monitoring 57
How to get the most value out of monitoring 60
How BIA helps at all stages of handling security events 61
When would your company need a SOC 62
SOC: in-house or outsourcing? 63
Conclusion 65
Key ideas

1. Regular preventive cybersecurity tools alone are not enough to protect against all cyber threats.
2. Effective protection is built on proactive collection and continuous monitoring of cybersecurity events.
3. A business impact analysis helps to identify critical areas for monitoring.
4. A security operations center (SOC) can provide full control over the events in your infrastructure.
5. Before investing in a SOC, the company should make a reasoned decision about whether to staff its own team or outsource monitoring altogether.
Why preventive security measures are not enough

Cybercriminals have many ways to conceal their activity, and this greatly complicates the task of ensuring cybersecurity. A typical example: an HR manager’s computer is being used to investigate account privileges, launch legitimate remote access software, and perform other actions that are unusual for an HR specialist.

Preventive cybersecurity tools, such as antiviruses, firewalls, and intrusion detection systems, will not react to such activities, at least not with their default settings. They look for precise indicators of a cyberattack, like attempts to call known dangerous hosts, download malicious files, or install spyware. Requesting your account privileges or gaining remote access to the corporate network via typical software, on the other hand, is a perfectly legitimate action for most companies.

Nevertheless, a security specialist will understand how events can unfold. If the HR manager’s computer is compromised, the intruder can, at any moment, connect to it via remote access and deploy malware, while the information about other user accounts will help amplify the attack. To rule out potential hacking, such activities need to be tracked and controlled. This is what cybersecurity monitoring is all about.
What is effective cybersecurity monitoring

Without threat monitoring, a company wouldn’t have a clue about a looming attack until after it happens—when it becomes impossible not to notice its effects, such as encrypted data on servers and workstations. A proactive approach, on the other hand, enables timely detection of illegitimate activity through centralized collection, systematization, and analysis of security events. This can be done in different ways.

Some organizations assign one specialist to monitor all security system alerts, like an antivirus being triggered by some suspicious activity. This kind of monitoring does not provide real protection as it only covers a fraction of the infrastructure.

A more advanced approach, practiced by many companies, is to implement a security information and event management (SIEM) system. It can collect data from different parts of the infrastructure, piece together a chain of events, and monitor alerts. Unfortunately, that may still not be enough, because discovering a security event is not enough in itself.

It takes more to achieve a mature approach to cybersecurity and a comprehensive defense, namely:
1. Predicting in advance what kind of incidents your company might encounter.
2. Analyzing what exactly happened.
3. Responding to the incident correctly.
4. Working on your mistakes to prevent the same situation in the future.

To build such processes, you need to integrate security event monitoring with proactive threat analysis and incident response. An effective approach would be to assign these functions to a dedicated unit—a security operations center. This can be done both with the company’s own resources and by engaging a third-party team. By linking technology, people, and cybersecurity, the SOC provides optimal protection in an environment where attacks are becoming increasingly sophisticated. Below we will explore how a SOC operates and how to get the most out of it.
How SOC improves incident monitoring

Before the implementation of monitoring, a company must institute a set of defenses that help protect against typical attacks. This step of the process can be referred to as prevention. The deployed security tools can automatically block known attacks, but many threat actors have long since learned how to bypass them. In order for a company to address “invisible” threats, it needs alternative security tools, such as monitoring systems. In essence, the prevention phase is not directly part of the threat monitoring process, but an important precursor to it.

As we mentioned, most companies build cybersecurity monitoring based on SIEM systems. In this case, the process can be broken down as follows:
1. The network is equipped with security tools: antiviruses, firewalls, network security scanners, and other systems whose main purpose is to automatically look for signs of compromise.
2. These security tools, as well as network equipment, endpoints, applications, and other sources are used to collect security events, either passively or by installing agent software. The events are then fed into a SIEM system, where they go through a set of correlation rules to identify potentially dangerous activity. This can be referred to as the detection stage, which already belongs to the threat monitoring process.
3. Any alerts triggered by the rules are analyzed by a team of specialists. If the threat is confirmed, the team initiates countermeasures. This may include specialized IRP/SOAR⁴ systems that run response scenarios, or playbooks, for the type of incident detected (at the command of the analyst or automatically based on the preset rules). This is known as the response stage.

The SOC completes the cycle with two additional steps: i) continuous vulnerability exposure (prediction), which allows specialists to promptly address security gaps and reduce the likelihood of them being exploited by cybercriminals, and ii) insight extraction (lessons learned), to determine which events could have been averted during the prevention phase, and to improve the trigger rules. All together, this allows for the most comprehensive approach to cyber protection.

⁴ Incident response platform / security orchestration, automation, and response is a class of software products for security coordination and management. These solutions collect security event data from multiple sources, process it, and automate typical response scenarios.
[Figure: the SOC cycle built around the security tools]
Prediction: continuous detection of infrastructure vulnerabilities and weaknesses
Prevention: automatic prevention of known threats
Detection: detection of ongoing attacks
Response: verification, response, and investigation of identified threats
Lessons learned: streamlining cybersecurity mechanisms and processes following the investigation
How the SOC handles security incidents

A large company approached us for SOC outsourcing. We set up a data exchange between our SOC’s SIEM system and the client’s antivirus software. At one point, the antivirus detected a malicious script on the mail server, the so-called web shell that executes commands remotely. This information reached the SOC, and the work began.

What we did
• Quickly notified the client.
• Our analysts revealed a compromised account and several servers with a web shell. At the same time, it turned out that the attacker had obtained an account with domain administrator privileges and copied all usernames and passwords.
• We prepared recommendations to mitigate the damage. Specifically, we suggested isolating the servers and resetting the passwords to all accounts.
• Using routine SOC tools, the analysts could not figure out how the intruder had penetrated the infrastructure. Hence, we called in our colleagues from the forensics department to help with the investigation.
• Together, we identified the points of persistence used by the intruder and all the compromised accounts.

Results
• The investigation revealed how the attacker had got into the infrastructure—through an external server that hosted the HR’s employee testing service. The company had launched the service long before reaching out to us. The vulnerability of the resource allowed any visitor to find out the usernames and passwords of employees who accessed the website.
• The key reason for the incident was a lack of emphasis on security in the prediction stage.
• Following the investigation, the team prepared recommendations to eliminate the consequences of the attack and improve cybersecurity processes.

Process cycle
Prediction. This stage was not taken into account, which resulted in the incident.
Prevention. The company was running an antivirus program in conjunction with a SIEM system hosted by an external SOC.
Detection. When a malicious script was detected, the information was immediately sent to the SOC.
Response. The specialists began to analyze the incident, localized the source of the threat, and initiated an investigation. This is where it became apparent that the incident was caused by a failure to address infrastructure vulnerabilities and weaknesses.
Lessons learned. We prepared recommendations on improving cybersecurity processes to prevent a repeated attack.
How to get the most value out of monitoring

In addition to common cybersecurity incidents, a company may experience other events that can impact its business goals. It is important for the SOC to detect such incidents. That is why they should also be placed on the monitoring list.

Consider a local wastewater treatment plant as an example. An attack on the automated process control system (APCS), an operator error, or an arbitrary command can cause a discharge of raw sewage. The result would be an environmental disaster, huge fines, or even criminal charges against those responsible. To reduce the damage from such an incident, technicians monitor the gate valve sensor around the clock. If the valve opens while cleaning is inactive, the engineers on duty will be able to take immediate action. A security operations center would be the right technology platform for this, provided that you prepare adequate SIEM event correlation rules and write the playbooks.

This example shows how a standard cybersecurity incident like an attack on the APCS can cripple regular business practices, and how important it is to expand the playbook beyond mere cybersecurity. This is because, in order to maintain business process continuity, the incident should be addressed by a chorus of business units: public relations, engineers, the legal department, etc.

A BIA will help to identify such events and provide you with a wider scope for monitoring. This will give a realistic idea of the consequences of incidents and help to locate relevant risk factors within the realm of cybersecurity and outside it. These may range from technical vulnerabilities in IT services and compatibility issues that result in the disruption of technological operations to business process failures. In the case study above, a timely BIA would have helped to find the vulnerable HR portal.
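The correlation step of the detection stage, as an added example that is not BI.ZONE’s code: a minimal rule engine in Python run over a handful of constructed events. It implements two rules drawn from this section: the HR manager’s workstation querying account privileges and then starting a remote access tool (expected on an administrator’s machine, suspicious elsewhere), and the wastewater plant’s gate valve opening while cleaning is inactive, where the alert is routed to the engineers on duty and the other business units the text names. Host roles, event names, the correlation window and the notification lists are assumptions.

```python
"""Minimal SIEM-style correlation over constructed events (added example,
not BI.ZONE code). Events from several sources pass through a small set of
rules, as in the detection stage described on the page. Host roles, event
names and notification targets are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed asset inventory. A real SIEM would enrich events from a CMDB
# or directory; here the host-to-role mapping is inline.
HOST_ROLE = {
    "hr-ws-07": "hr",
    "it-admin-01": "it_admin",
    "plc-valve-gw": "apcs",
}


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str        # "account_privilege_query", "remote_access_start", "valve_open"
    detail: str = ""


@dataclass
class Alert:
    rule: str
    severity: str    # "medium" or "high"
    host: str
    summary: str
    notify: list[str] = field(default_factory=list)


# How closely a remote access start must follow a privilege query to be correlated.
REMOTE_ACCESS_WINDOW = timedelta(minutes=10)


def rule_privilege_recon(events: list[Event]) -> list[Alert]:
    """Flag account-privilege queries from hosts that are not admin workstations.
    A remote access tool started on the same host within the window turns the
    two events into one high-severity alert (the HR manager scenario)."""
    alerts: list[Alert] = []
    by_host: dict[str, list[Event]] = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)
    for host, evs in by_host.items():
        if HOST_ROLE.get(host) == "it_admin":
            continue  # expected behaviour on an administrator's workstation
        evs.sort(key=lambda e: e.ts)
        for e in evs:
            if e.kind != "account_privilege_query":
                continue
            followup = [f for f in evs if f.kind == "remote_access_start"
                        and timedelta(0) <= f.ts - e.ts <= REMOTE_ACCESS_WINDOW]
            if followup:
                gap = int((followup[0].ts - e.ts).total_seconds() // 60)
                alerts.append(Alert(
                    "privilege_recon_then_remote_access", "high", host,
                    f"{host} ({HOST_ROLE.get(host, 'unknown')}) queried account "
                    f"privileges, then started {followup[0].detail} {gap} min later",
                    ["soc-analyst"]))
            else:
                alerts.append(Alert(
                    "privilege_query_non_admin_host", "medium", host,
                    f"{host} queried account privileges", ["soc-analyst"]))
    return alerts


def rule_valve_open_inactive(events: list[Event], plant_state: str) -> list[Alert]:
    """Business-process rule from the wastewater example: a gate valve opening
    while cleaning is inactive is an incident whatever its cause (attack,
    operator error or stray command), so the alert goes beyond the SOC."""
    if plant_state != "cleaning_inactive":
        return []
    return [Alert("valve_open_during_inactive_cleaning", "high", e.host,
                  f"gate valve opened on {e.host} while cleaning is inactive",
                  ["engineers-on-duty", "soc-analyst", "legal", "public-relations"])
            for e in events if e.kind == "valve_open"]


def run_correlation(events: list[Event], plant_state: str) -> list[Alert]:
    """Run every rule over the collected events, as the SIEM stage would."""
    return rule_privilege_recon(events) + rule_valve_open_inactive(events, plant_state)


# Constructed sample events, not real telemetry.
T0 = datetime(2023, 3, 1, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "it-admin-01", "account_privilege_query", "group membership query"),
    Event(T0 + timedelta(minutes=2), "hr-ws-07", "account_privilege_query", "group membership query"),
    Event(T0 + timedelta(minutes=6), "hr-ws-07", "remote_access_start", "remote desktop tool"),
    Event(T0 + timedelta(minutes=30), "plc-valve-gw", "valve_open", "gate valve 2"),
]

if __name__ == "__main__":
    for a in run_correlation(SAMPLE_EVENTS, "cleaning_inactive"):
        print(f"[{a.severity}] {a.rule}: {a.summary} -> notify {', '.join(a.notify)}")
```

The point of the first rule is that neither event is malicious on its own; the role of the host and the timing between the two events are what make the pair worth an analyst’s attention. The second rule shows why the notification list belongs in the playbook rather than in the SIEM: the valve alert has to reach people outside the security team.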
How BIA helps at all stages of handling security events

Prediction
• Determine the business impacts your company may suffer due to the exploitation of vulnerabilities.
• Identify the most disruptive scenarios that can lead to unacceptable consequences for your business.
The more critical the damage from exploitation and disruption is, the faster the vulnerability has to be fixed—a BIA allows you to keep the spectrum of such vulnerabilities in focus at all times.
• Detect not only the technical vulnerabilities of individual systems and resources, but also vulnerabilities related to systems interaction that can disrupt technological operations or business functions.
For example, a fire exit door only opens if certain nodes of the fire protection system exchange data. If the connection is interrupted, the exit remains closed. With a BIA, a company can quickly identify and eliminate that scenario.

Prevention
• Prioritize known threats by their impact on business.
• Define the logic for detecting and preventing attacks that target both specific vulnerabilities and the interaction between systems.
For example, many companies host information systems on an external perimeter or in the cloud. As such services interact with the infrastructure via an API,⁵ their performance depends on the limit of simultaneous connections. If the limit is exhausted, say, as a result of a DoS attack, the system will deny service. A BIA will help to flag such a scenario and point out the need to implement protective measures.

Detection
• Expand the event source pool to identify incidents related to system interaction attacks.
• Identify and correlate events to find instances where an ordinary cyber incident escalates into a malicious scenario.
As a result, you will be able to understand what playbooks your company needs during the response phase, how quickly to act, which business units to engage, and how to prioritize events correctly.

Response
• Understand how the impact will build up over time and which units need to be involved to reduce or avoid the damage altogether.
• Determine the potential incidents, time to respond, and the required resources, so that the company does not incur critical damage.
The BIA will help to determine which response actions might aggravate the damage from an incident. The cybersecurity team sometimes has to shut down IT systems to isolate attackers or prevent them from conducting malicious operations. Our SOC specialists coordinate all response actions with the client and request a list of critical systems. This allows the client to assess in advance what actions are permissible, how long the systems can remain offline, and what systems must never be disconnected.

Lessons learned
• Evaluate to what extent the actual damage is consistent with the preliminary estimates.
• Analyze the damage that was avoided and how the new knowledge complements the BIA results.
This follow-up work completes the cycle. The company draws conclusions for the future and compares its assessment of the cyber incident with reality.

⁵ API (application programming interface) is a set of instructions that allows different systems to communicate with each other.
When would your company need a SOC

The answer depends on the risk appetite that can be understood in the course of a BIA. It is necessary to consider the damage beyond the scope of the corporate IT infrastructure. Thus, a breakdown in business continuity may arise from external service failures, which should also be identified by the SOC.

After the analysis, compare the costs of implementing your own SOC or outsourcing its functions with those of a delayed response to security events. Company management will be able to make decisions by evaluating specific scenarios. If it becomes clear that losses from certain incidents are unacceptable for your company, while the SOC does not overburden the budget, it makes sense to invest in preventing those critical losses.

Or perhaps it is the other way around: the potential losses do not justify the costs of the SOC. In this case, you can monitor individual key events and build response procedures for the most dangerous scenarios.
SOC: in-house or outsourcing?

When a company finally decides that it does need a SOC, it has to determine whether to use its own resources or opt for the services of an expert organization. The following questions will help you make that decision.

1. Can you independently assess the criticality of your systems in terms of monitoring?
Companies believe that the systems processing and storing large amounts of valuable data are a higher priority for monitoring. However, this approach is not always the right one. For example, if hackers penetrate these critical systems and publish the extracted database online, it will be too late to protect the information that has been compromised. But on the way to achieving the goal, the attacker needs to gain access to the infrastructure, conduct reconnaissance, create an account with the highest privileges, and so on. The company’s objective is to spot illegitimate actions as early as possible and react before the intruder has gained access to critical assets. Therefore, monitoring should not only cover such assets, but also all the preceding points that the intruder passes. These can be mail servers, user workstations, secondary information systems, the elements of infrastructure that are commonly not considered critical.
To create an effective private SOC, a company needs dedicated specialists who can properly rank the systems by significance. If your organization does not have such employees, outside experts can help.

2. How quickly do you need to launch the monitoring process?
It can take several years for a company to build and get its SOC up and running. The SOC must reach a certain level of maturity to be able to detect incidents that standard security measures fail to notice. The specialists need to develop an expert set of rules for identifying suspicious events, as well as keep them up to date, further align processes, and prepare playbooks—all this requires a lot of time and resources. For example, it took us more than four years to develop the 1,300 rules currently in our SOC database.⁶ Meanwhile, you can start running an external SOC in just a few weeks.

3. What incident response time is acceptable for you?
A business impact analysis will show what time limits you can afford when responding to an incident. It may turn out that a one-hour failure will have no effect on your business, two hours will cause problems, and two days of downtime will result in major financial and reputational damage. All this should be defined in your playbooks, which provide a clear response procedure. Some incidents must be addressed within minutes and/or at night. Consequently, the SOC should operate around the clock, and, if highly specialized experts are needed, they must be engaged as soon as possible.
Maintaining your own 24/7 SOC is associated with high costs. The greater part of the expenses will be personnel—people need to be recruited and trained. An external SOC already has experienced professionals who deal with incidents in various industries on a daily basis.

⁶ As of January 2023.
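The response-time limits from question 3 and the Response items of the previous section (which systems may be taken offline, for how long, and which units to engage), as an added example that is not BI.ZONE’s code: a Python module that encodes BIA outputs in a register a SOC playbook can consult before a containment action. The register entries, system names, time limits and impact descriptions are constructed; the first entry mirrors the text’s one-hour / two-hour / two-day progression.

```python
"""BIA-driven response gate (added example, not BI.ZONE code). Encodes the
outputs of a business impact analysis so that a SOC playbook can consult them
during response: how the impact of an outage grows with time, how long each
system may stay offline, which systems must never be disconnected, and which
business units to engage. Register contents, system names, time limits and
impact descriptions are constructed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class BiaEntry:
    system: str
    # Impact tiers as (hours of downtime, description), ascending. The first
    # register entry mirrors the page's "one hour: no effect, two hours:
    # problems, two days: major financial and reputational damage".
    impact_tiers: tuple[tuple[float, str], ...]
    max_offline_hours: float          # longest outage the business tolerates
    owners: tuple[str, ...]           # business units to engage in response
    never_disconnect: bool = False    # e.g. a safety system


BIA_REGISTER = {
    "e-payment-gateway": BiaEntry(
        "e-payment-gateway",
        ((1.0, "no effect"),
         (2.0, "problems: delayed settlements"),
         (48.0, "major financial and reputational damage")),
        max_offline_hours=2.0,
        owners=("finance", "public-relations")),
    "fire-protection-controller": BiaEntry(
        "fire-protection-controller",
        ((0.0, "life-safety risk: fire exits depend on it"),),
        max_offline_hours=0.0,
        owners=("facilities", "legal"),
        never_disconnect=True),
    "hr-testing-portal": BiaEntry(
        "hr-testing-portal",
        ((24.0, "no effect"), (168.0, "HR process delays")),
        max_offline_hours=168.0,
        owners=("hr",)),
}


@dataclass(frozen=True)
class Decision:
    permitted: bool
    reason: str
    engage: tuple[str, ...]


def impact_at(system: str, elapsed_hours: float) -> str:
    """Describe the business impact after `elapsed_hours` of downtime (the
    'how the impact builds up over time' item in the Response column)."""
    level = "no effect"
    for threshold, description in BIA_REGISTER[system].impact_tiers:
        if elapsed_hours >= threshold:
            level = description
    return level


def authorize_isolation(system: str, planned_offline_hours: float) -> Decision:
    """Gate a proposed containment action (taking a system offline to isolate an
    attacker) against the BIA register: the check the page describes SOC
    specialists making with the client's list of critical systems."""
    entry = BIA_REGISTER.get(system)
    if entry is None:
        # Unknown to the BIA: a gap to close, not a free pass.
        return Decision(False, f"{system} is not in the BIA register; assess before acting", ())
    if entry.never_disconnect:
        return Decision(False, f"{system} must never be disconnected", entry.owners)
    impact = impact_at(system, planned_offline_hours)
    if planned_offline_hours > entry.max_offline_hours:
        return Decision(False, f"planned {planned_offline_hours:g} h offline exceeds the "
                               f"tolerable {entry.max_offline_hours:g} h; expected impact: {impact}",
                        entry.owners)
    return Decision(True, f"within tolerance; expected impact: {impact}", entry.owners)


def hours_remaining(system: str, elapsed_hours: float) -> float:
    """Time left before an ongoing outage exceeds what the business tolerates;
    this is what tells the SOC how fast to act and whom to call in."""
    return max(0.0, BIA_REGISTER[system].max_offline_hours - elapsed_hours)


if __name__ == "__main__":
    for system, hours in (("e-payment-gateway", 1.5), ("e-payment-gateway", 48),
                          ("fire-protection-controller", 0.1), ("unknown-box", 1)):
        d = authorize_isolation(system, hours)
        verdict = "OK" if d.permitted else "DENIED"
        print(f"{system} offline {hours:g} h -> {verdict}: {d.reason}; engage {d.engage}")
```

A system missing from the register is treated as a denial rather than as uncritical; that is the cheapest way to make the BIA’s coverage gaps visible during an incident instead of after it.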
4. Are you prepared to incur a large one-time expense?
There is no definite answer about whether it is less costly to create an in-house SOC or to outsource it. Budgeting for these kinds of programs is done on a case-by-case basis. It depends on the size and expertise of staff, the required technical solutions and services, and other tools.
It is worth bearing in mind that in-house and external SOC solutions belong to different budget lines. In the first case, we are talking about capital expenditures: equipment, software, licenses, premises, furniture. In the second, the costs are strictly operating. Accordingly, the creation of an in-house SOC requires a large initial investment, while outsourcing does not.

5. Do you have qualified staff?
A SOC should recruit highly qualified specialists from the outset, and they should continually develop their expertise. That said, building a dedicated team might be a challenge in the current climate. There is a worldwide shortage⁷ of several million cybersecurity employees. It can take months to recruit and onboard a qualified team, while a third-party SOC already has one. Besides, the budget for an in-house security operations center is not limited to the payroll. You should allocate the funds for education, certification, and professional development of your people.
Be aware of your country’s legal requirements for handling confidential information. You may need to follow certain rules in order to transmit data about security events outside the perimeter. An external SOC must already be licensed to do this kind of work.

Comparing the two models

Criterion: In-house SOC / External SOC
Systems criticality assessment: competent unassisted analysis / assisted analysis required
Time to launch: may take years / realistically several weeks
Immediate response capability: yes, but more expensive; not easy to find specialists / yes
Costs: more expensive; requires both capital and operating expenditures / cheaper; all expenditures are operating
Specialists: hard to find and takes time to adapt / readily available with the necessary qualifications

⁷ The (ISC)² 2022 Cybersecurity Workforce Study.
Conclusion

Implementing incident monitoring is key to corporate cybersecurity. Otherwise, you become vulnerable to threats that may remain unnoticed. Probably the worst outcome would be spending the money without achieving the desired effect.

Start by analyzing the impact of events on your business to determine which approach to monitoring will ensure the expected results. Keep an up-to-date list of security events that affect your business resilience. This way, you will improve the overall quality of monitoring and enhance the cyber maturity of your organization.
Section 05 / 05

Cyber insurance. Getting the most out of it

Key ideas 67
How damaging a cyber incident can be 68
How cyber insurance helps to save money 69
How to get the full picture of your cyber risks 70
How to choose the right insurance plan 71
Conclusion 75
Key ideas

1. Cyber insurance is a convenient solution for organizations that take their digital transformation seriously.
2. Business impact analysis can be useful when it comes to picking an optimal insurance plan.
3. Insuring cyber risks is especially relevant for medium-sized and large companies that accumulate massive volumes of sensitive data. Technology startups looking for ways to protect their intellectual property and money can also benefit from cyber insurance.
How damaging a cyber incident can be

A healthcare provider fell victim to hackers who stole medical and personal records of 850,000 patients. Many of them filed lawsuits against the organization.

A cryptocurrency platform lost $28 million from its hot wallet as hackers had gained access to the company's wallet server.

A telemarketing company with a 61-year history was unable to recover after a ransomware attack and had to cease its operations.

These examples show that dealing with the consequences of cyber incidents is a challenge that not every organization can handle. Here are some of the tasks that can be particularly difficult:
• finding the culprit and bringing them to justice
• compensating the actual damage and lost profit
• retaining customers and their loyalty

However, cyber threats are so numerous that securing an organization against all of them is almost impossible. Breaking into a company does not even require advanced cybercriminal skills: hacking tools can simply be rented on the darknet. This is something that may attract, for instance, an unethical competitor. In another situation, a careless employee can trigger multimillion losses by opening an infected email.

The ever-expanding cyber threat landscape and the increased liability associated with incidents have spurred the emergence of cyber insurance services.

$4.35 million: the average total cost of a data breach globally
How cyber insurance helps to save money

The global cost of cybercrime is constantly rising and is expected to skyrocket to almost $24 trillion by 2027 [8]. On top of that, the average total cost of a data breach climbed to a record high of $4.35 million in 2022 [9]. For companies, this means more stolen money and data, damaged reputation, lost productivity, and disruption to the normal course of business.

If such losses are covered by an insurance policy, the victim company can better manage the continuity of its business processes after an attack and allocate resources to get back to normal. For example, the damages payable can include cyber incident investigation costs, third-party litigation expenses, penalties, and lawsuit settlements.

Insurance policies can cover a multitude of cases, including:
• loss of data or software files
• theft of intellectual property
• spam mailings sent out on behalf of the policy holder
• unauthorized use of corporate resources (e.g., cryptocurrency mining)
• theft of funds or stocks of the policy holder
• damage or loss of insured property
• production downtime
• reputational damage

A perfect insurance case is an incident with a specified amount of losses. For example, a contractor has signed a service agreement that includes sanctions for certain events, where the penalty amounts to a percentage of the contract value. In this case, the risk of having to pay the penalty is measurable and hence can be insured. Therefore, by purchasing a respective plan the contractor will be insuring itself against specific sanctions rather than against some abstract digital risks.

[8] Anna Fleck, “Cybercrime Expected to Skyrocket in Coming Years,” Statista.
[9] “Cost of a Data Breach Report 2022,” IBM Security.

How to get the full picture of your cyber risks

It is important to make sure that your insurance coverage reflects the actual consequences of cybersecurity incidents. This will enable you to undo the damage without overpaying for insurance. Performing a business impact analysis will allow you to choose the insurance plan that covers all the relevant risks and their possible implications.

With the BIA results in hand, you can prioritize the events that have the most severe consequences for your business processes. These outcomes will help you answer two key questions:

1. What actions are necessary to improve security and mitigate risks?
2. Does it make sense to insure against particular situations given the severity of their consequences and related damage?

In addition, you will be able to:
• measure potential damage and use it as a basis to calculate the effective price cap for a cyber insurance plan
• make sure the insurance payout will cover your damages or those of your partner or customer
• prepare a list of specific consequences, scenarios, and incidents which can be insured
• compare the costs of consequences and those of security measures to make an informed decision on whether to insure a particular risk or simply reduce its likelihood

How to choose the right insurance plan

Let us use the cyber risks of a hypothetical cloud service provider as an example. The company offers two key services with different SLAs:

Archive, a file storage solution. Data loss from this service will cost the provider 2% of the contract value per 1% of the lost data. For instance, 20% of the contract value to compensate for a 10% data loss.

Access, a tool for managing remote access to corporate networks (VPN tunneling). The service can be unavailable for up to 0.25% of the time, which makes for about 1 day per year. Longer downtimes are subject to a penalty of 4% of the contract value for each 0.25 p.p. in excess of the maximum permissible 0.25%.

Based on the BIA results and respective SLAs, the provider specifies two essential indicators for data availability—recovery point objective (RPO) and recovery time objective (RTO):

        Archive     Access
RPO     <1 day      365 days
RTO     10 days     <1 day

The BIA outcomes also include a business processes assessment and a disaster recovery plan (DRP). These inputs enable the company to establish that:

Archive: The estimated daily amount of storage data per customer is 20 files, with their total size not exceeding 400 MB.
Access: The estimated time to recover after an attack is 2 days.

Hence, the provider can easily calculate the costs it will have to incur in the event of a disruption:

Archive, per customer:*
100/50 × 20 × 1 × 0.4 × 2 = 32% of the contract value
  100/50  the percentage reflecting the entire loss of 50 GB
  20      the average number of files per day
  1       RPO
  0.4     the size of all files in GB sent by the customer per day
  2       the compensation for data loss in % per GB

Access, per customer:
(2 − 1) × 4 = 4% of the contract value
  2  the expected time to recovery in days
  1  RTO
  4  the compensation for downtime in % for each day

* Assuming that the customer stores 50 GB with the provider.

By calculating the compensation charges for each contract and adding these figures for all customers, the provider will establish the total amount of potential damages payable.

The BIA also determined the severity of potential incidents for each of the two services:

Archive: A loss of data will significantly affect the company’s business continuity as customers will be less likely to trust the storage service.
Access: A loss of data will have a marginal impact if any as the service uses end‑to‑end encryption to prevent third parties from compromising the data.

While researching the cyber insurance market, the company has come across the following annual rates:

                                               Plan 1           Plan 2           Plan 3
Insurance premium                              $7,000           $14,000          $7,000
Coverage*
Data tampering (incl. by ransomware)           Up to $500,000   Up to $750,000   —
Data leak                                      Up to $500,000   Up to $750,000   —
Denial of service (incl. due to DDoS attacks)  —                Up to $750,000   Up to $1,250,000

* Maximum payouts over the insurance period.

In Archive, the files must be backed up at least once a day. At the same time, the SLA allows the service to be unavailable for up to 10 days. Therefore, a denial of service does not pose a major threat to it. Thus, the provider can disregard plan 3 as it does not cover the risk of data tampering, but only protects against DDoS attacks.

Archive:
                                               Plan 1           Plan 2           Plan 3
Insurance premium                              $7,000           $14,000          $7,000
Coverage
Data tampering (incl. by ransomware)           Up to $500,000   Up to $750,000   —
  Critical for Archive: RPO is less than 1 day
Data leak                                      Up to $500,000   Up to $750,000   —
Denial of service (incl. due to DDoS attacks)  —                Up to $750,000   Up to $1,250,000
  Non-critical for Archive: RTO is 10 days

Access can be shut down for up to 1 day. Therefore, the risk of a DDoS attack must be covered in the insurance plan. Backups can be performed once a year as the risk of data tampering for Access is not high. This is why plan 3 seems like the best option for this service.

Access:
                                               Plan 1           Plan 2           Plan 3
Insurance premium                              $7,000           $14,000          $7,000
Coverage
Data tampering (incl. by ransomware)           Up to $500,000   Up to $750,000   —
  Non-critical for Access: RPO is 365 days
Data leak                                      Up to $500,000   Up to $750,000   —
Denial of service (incl. due to DDoS attacks)  —                Up to $750,000   Up to $1,250,000
  Critical for Access: RTO is less than 1 day

Finally, thanks to the BIA, the company can make a balanced decision: either to purchase plan 1 for Archive and plan 3 for Access or opt for a combined plan 2.

                                               Archive          Archive + Access   Access
                                               Plan 1           Plan 2             Plan 3
Insurance premium                              $7,000           $14,000            $7,000
Coverage
Data tampering (incl. by ransomware)           Up to $500,000   Up to $750,000     —
Data leak                                      Up to $500,000   Up to $750,000     —
Denial of service (incl. due to DDoS attacks)  —                Up to $750,000     Up to $1,250,000

A decision in favor of a particular plan and whether to insure specific risks should factor in the amount of potential damage, which can be calculated in advance. Your insurance plan should cover the damage and be less costly than the introduction of respective security and mitigation measures.

Let us also assume that, according to the BIA, an attack on Archive will have no impact on Access as the two services are located in different network segments. In this case, to reduce the cyber risks, we recommend considering the following measures:

                     Archive                            Access
Data tampering       Full replication: $65,000 per year  —
Data leak            —                                  —
Denial of service    —                                  DDoS protection: $4,000 per year

What do these measures mean for each of the services?

Archive: Performing regular backups across all servers will help the provider reduce the risk of data tampering. In the event of a cybersecurity incident (e.g., the encryption of all drives) the data can be restored from backup files.
Access: The risk can be mitigated by enabling a DDoS protection service.

Thus, maintaining data safety and integrity is essential for Archive, while ensuring availability is of utmost importance for Access.

Archive: Given the cost of data replication, this does not appear to be the best way to mitigate the risk of data tampering. A more sensible solution is to choose plan 1.
Access: If the organization opts for DDoS protection, purchasing plan 3 will be unjustified due to its relatively high premiums.

Archive: Plan 1, $7,000 vs full replication, $65,000
Access: Plan 3, $7,000 vs DDoS protection, $4,000
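The per-customer formulas and the plan-versus-mitigation choice above, carried through in code as an added example (not the document's own material): it sums the provider's compensation over a constructed customer base and then picks, per service, the cheapest option whose payout cap still covers the total. The three customers, the plan and mitigation tables as dicts, and the "cheapest option that covers the damage" decision rule are assumptions of this example.

```python
from dataclasses import dataclass

# Provider's per-customer formulas as printed above, in % of contract value.
def archive_loss_pct(stored_gb, files_per_day, rpo_days, gb_per_day, pct_per_gb=2.0):
    """Data-loss compensation: 100/50 x 20 x 1 x 0.4 x 2 = 32 for a 50 GB customer."""
    return 100 / stored_gb * files_per_day * rpo_days * gb_per_day * pct_per_gb

def access_downtime_pct(recovery_days, rto_days, pct_per_day=4.0):
    """Downtime penalty, nothing owed inside the RTO: (2 - 1) x 4 = 4."""
    return max(0.0, recovery_days - rto_days) * pct_per_day

@dataclass
class Customer:  # constructed sample contract (annual value in USD)
    contract_value: float
    stored_gb: float
    files_per_day: int
    gb_per_day: float

CUSTOMERS = [Customer(100_000, 50, 20, 0.4),   # the 50 GB customer from the text
             Customer(250_000, 120, 40, 0.9),
             Customer(60_000, 50, 20, 0.4)]

# Premiums and maximum payouts from the rate table ("—" = 0, not covered).
PLANS = {1: {"premium": 7_000, "data_tampering": 500_000, "dos": 0},
         2: {"premium": 14_000, "data_tampering": 750_000, "dos": 750_000},
         3: {"premium": 7_000, "data_tampering": 0, "dos": 1_250_000}}
# Yearly cost of the alternative measure: full replication / DDoS protection.
MITIGATION = {"archive": 65_000, "access": 4_000}

def total_damage(service):
    """Compensation per contract summed over all customers, in USD."""
    if service == "archive":  # RPO is 1 day
        return sum(c.contract_value / 100 * archive_loss_pct(
            c.stored_gb, c.files_per_day, 1, c.gb_per_day) for c in CUSTOMERS)
    # Access: expected recovery of 2 days against an RTO of 1 day
    return sum(c.contract_value / 100 * access_downtime_pct(2, 1) for c in CUSTOMERS)

def decide(service):
    """Cheapest option that still covers the damage: ('insure', plan_no)
    for a plan whose cap on the service's critical risk >= total damage,
    or ('mitigate', yearly_cost) for the security measure."""
    risk = "data_tampering" if service == "archive" else "dos"
    damage = total_damage(service)
    options = [("insure", n, p["premium"]) for n, p in PLANS.items() if p[risk] >= damage]
    options.append(("mitigate", MITIGATION[service], MITIGATION[service]))
    kind, value, _ = min(options, key=lambda o: o[2])
    return kind, value
```

With these inputs the result matches the text's conclusion: plan 1 for Archive (the $65,000 replication is dearer than the $7,000 premium) and the $4,000 DDoS protection rather than plan 3 for Access.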

Conclusion

In our example, the company offers two services that significantly differ from each other in terms of associated cybersecurity risks. In the real world, organizations have many more processes, systems, and IT assets, which makes it impossible to assess the impact of incidents intuitively. Performing a BIA will help to determine whether your cyber insurance plan is enough to protect your business against key incidents. You will also be able to distinguish between the risks that make more economic sense to insure and the ones that can be mitigated through other measures.

Whether you decide to insure your digital risks or not, it is important to strengthen the overall cyber resilience and work on improving cyber maturity. This will help to minimize the risks and reduce the current or future cost of insurance.

About BI.ZONE

BI.ZONE is an expert in digital risks management. We help organizations develop their business safely in the digital age. Our innovation-driven products enable clients to take the best approach to their tasks, irrespective of company size, budget, or geography. From consulting and outsourcing services to ready-made solutions and customized strategies, we are focused on delivering tangible benefits to our clients as a trusted and reliable partner.

We can assess your current level of risk, propose measures for improvement and optimization, train your employees to work in the digital environment, and provide your company with round‑the‑clock support.

Since its foundation in 2016, BI.ZONE has completed over 1,000 projects in finance, telecommunications, energy, aviation, and many other industries. We employ certified world‑class experts and cooperate with a number of international organizations, such as the World Economic Forum, INTERPOL, SWIFT, the CyberPeace Institute, and others.

We understand what your business needs to succeed in the digital development journey, and can help you set the right vector.

1,000+ completed projects
400+ protected clients
700+ investigated incidents
15+ countries of presence
700+ cybersecurity experts

Find out how to maintain business continuity with BI.ZONE solutions

4 Olkhovskaya St., Bld. 2
Moscow 105066, Russia
+44 20 3808 3511
info@bi.zone
www.bi.zone

Visit our website to learn more about business continuity management

You might also like