The importance of understanding your minimum viable operations
Amid the Cold War, the possibility of a nuclear attack was deeply feared, yet at the same time, weirdly unimaginable. The stark terror of nuclear disaster persisted for years, highlighted in the 1984 BBC drama film “Threads”.
The film explored the hypothetical event of a nuclear bomb being dropped on a British city, and the societal breakdown that followed. People were horrified by the film, and it showcased everyone’s deepest and darkest fears around nuclear fallout.
Fast-forward nearly 40 years, and while nuclear fear still abounds, cybersecurity catastrophe is the new background dread – and in July 2024 we received our first major warning sign.
The CrowdStrike outage highlighted the widespread chaos that could ensue if millions of computers crashed simultaneously – reminding many people of the fear instilled during the Y2K bug.
Now imagine this chaos, but instead of a software update gone wrong, it’s a cybercriminal targeting critical systems within a power station, resulting in a city losing power for a week. Or perhaps a vulnerability in a piece of fintech software triggering a 2008-style financial meltdown.
Whilst such an event may be difficult to envisage, the interconnectedness of modern systems makes it a real possibility. Achieving operational resilience must be the goal and this means prioritizing keeping business-critical functions running in the event of a serious incident. But to do so organizations first need to understand their minimum viable operation (MVO).
Director of Critical Infrastructure at Illumio.
What is MVO?
MVO refers to the absolute minimum number of systems a business needs to remain operational or continue delivering services. This includes mapping out detailed rebuild protocols and establishing recovery measures to minimize downtime.
Many organizations have come to realize that simply reducing the probability of a cyberattack to zero is impossible. Regardless of how much money organizations spend on security, it doesn’t make their systems or data less attractive to cybercriminals.
Whilst money can’t reduce the probability, it can reduce the impact of an attack when spent correctly. Instead of focusing solely on breach prevention, organizations are increasingly shifting their investments to prioritize breach containment and impact mitigation, ensuring they can maintain their MVO.
In the power station example mentioned earlier, the organization’s MVO would include the SCADA and ICS systems that control energy creation, monitoring, and distribution. By identifying their MVO, the power station can build a cyber resilience strategy that protects these critical systems and keeps the power on when the inevitable breach occurs.
This approach is not an admission that cybercriminals have beaten us, but an acceptance of the reality that it’s impossible to guarantee immunity from breaches. Instead, it’s about limiting the impact when they do occur. There’s no shame in being breached; however, a lack of preparedness is inexcusable, especially for businesses in critical sectors.
Putting the MVO approach into practice
So where should you start? The first step in understanding your MVO is identifying the systems critical to maintaining operations, and this is unique to each business. For example, the systems considered part of an organization’s MVO will be completely different in retail compared to energy.
Once these have been identified, you need to then identify the risks surrounding or linked to these systems. What are they communicating with and how? Consider risk vectors, the supply chain, and any third parties connecting to your MVO systems.
Like most organizations, it’s likely you rely on a significant number of third parties to operate – just look at the vast number of suppliers and contractors keeping the NHS running, and the impact of the attack on pathology supplier Synnovis. It’s critical that you understand which third-party systems are connected to your networks and limit and control what they have access to. Best practice is to enforce a policy based on least privilege to limit connectivity to the bare minimum required.
This is also where having an “assume breach” mentality is essential. Assume breach shifts the focus from solely trying to prevent unauthorized access to ensuring that, once inside, attackers’ movements are severely restricted and their impact is minimized. This not only helps you to strategically manage and mitigate risks, but also safeguard MVO assets and critical operations.
How Zero Trust supports an MVO approach
One of the best ways to adopt an assume breach mindset and protect MVO assets is by embracing Zero Trust.
Zero Trust is a security strategy based on the principle of “never trust, always verify.” It enforces stringent least-privilege principles at all access points, minimizing the risk of unauthorized access. This approach significantly reduces the impact of attacks and aligns with a MVO approach by identifying critical assets, their usage, and data flows within the network.
Micro-segmentation technologies like Zero Trust Segmentation (ZTS) are foundational to Zero Trust as they divide networks into isolated segments with dedicated controls. With Micro-segmentation in place, you can restrict user access, monitor traffic, and prevent lateral movement in case of unauthorized access, isolating and safeguarding your critical assets.
Not all cyberattacks need to result in suspension of operations
The UK government has warned about the economic disaster that could unfold if a cyberattack on critical infrastructure was successful. However, for the reality is that the impact could be catastrophic for any enterprise or business that fails to safeguard its critical operations.
In Richard Horne’s debut speech as the NCSC CEO, he spoke about the increasing hostility faced by the UK, with attackers wanting to cause maximum disruption and destruction. And while a cyberattack might not immediately seem as scary as the nuclear attack in “Threads,” its disastrous impact on society is as significant as that of a weapon of mass destruction.
Therefore, securing the assets that keep society and businesses running is essential. Not all cyberattacks need to end in business or operational failure. By prioritizing an MVO approach with Zero Trust and micro-segmentation at its core, you can ensure your organization avoids catastrophic fallout from attacks.
We’ve compiled a list of the best identity management software.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
Amid the Cold War, the possibility of a nuclear attack was deeply feared, yet at the same time, weirdly unimaginable. The stark terror of nuclear disaster persisted for years, highlighted in the 1984 BBC drama film “Threads”. The film explored the hypothetical event of a nuclear bomb being dropped on…
