In the midst of the Cold War, the possibility of a nuclear attack was deeply feared, but at the same time strangely unimaginable. The raw terror of nuclear disaster persisted for years, as highlighted in the 1984 BBC drama film, “Threads.”
The film explored the hypothetical case of a nuclear bomb being dropped on a British city and the social collapse that followed. People were horrified by the film and it showed everyone’s deepest, darkest fears surrounding radioactive fallout.
Almost 40 years have passed, and while nuclear fear still abounds, cybersecurity catastrophe is the new underlying fear; in July 2024 we received our first major warning sign.
The CrowdStrike outage highlighted the widespread chaos that could ensue if millions of computers crashed simultaneously, reminding many people of the fear instilled during the Y2K bug scare.
Now imagine this chaos, but instead of a software update gone wrong, it’s a cybercriminal attacking critical systems within a power plant, causing a city to lose power for a week. Or perhaps a vulnerability in fintech software that triggers a 2008-style financial crisis.
While such an event may be difficult to imagine, the interconnectedness of modern systems makes it a real possibility. Achieving operational resilience should be the goal and this means prioritizing keeping business-critical functions up and running in the event of a serious incident. But to do so, organizations must first understand their minimum viable operation (MVO).
Director of Critical Infrastructures at Illumio.
What is MVO?
MVO refers to the absolute minimum number of systems a company needs to remain operational or continue providing services. This includes mapping out detailed rebuild protocols and establishing recovery measures to minimize downtime.
Many organizations have realized that simply reducing the probability of a cyberattack to zero is impossible. Regardless of how much money organizations spend on security, that doesn’t make their systems or data any less attractive to cybercriminals.
While money cannot reduce the probability, it can reduce the impact of an attack when spent correctly. Rather than focusing solely on breach prevention, organizations are increasingly shifting their investments to prioritize breach containment and impact mitigation, ensuring they can maintain their MVO.
In the power plant example mentioned above, the organization’s MVO would include the SCADA and ICS systems that control the creation, monitoring, and distribution of power. By identifying its MVO, the power plant can build a cyber resilience strategy that protects these critical systems and maintains power when the inevitable breach occurs.
This approach is not an admission that cybercriminals have defeated us, but rather an acceptance of the reality that it is impossible to guarantee immunity from breaches. Rather, it is about limiting the impact when they occur. There is no shame in being breached; however, a lack of preparation is inexcusable, especially for companies in critical sectors.
Putting the MVO approach into practice
So where should you start? The first step to understanding your MVO is to identify the systems critical to maintaining operations, and this is unique to each business. For example, the systems considered part of an organization’s MVO will be completely different in retail compared to energy.
Once identified, it is necessary to identify the risks surrounding or linked to these systems. What do they communicate with and how? Consider risk vectors, the supply chain, and any third parties connecting to your MVO systems.
Like most organizations, you are likely to rely on a significant number of third parties to operate; just look at the large number of suppliers and contractors that keep the NHS running and the impact of the attack on pathology provider Synnovis. It is critical that you understand which third-party systems are connected to your networks and limit and control what they have access to. The best practice is to apply a least-privilege policy that limits connectivity to the minimum required.
Here, too, it is essential to have an “assume breach” mentality. Assuming breach shifts the focus from trying only to prevent unauthorized access to ensuring that, once inside, attackers’ movements are severely restricted and their impact is minimized. This not only helps you strategically manage and mitigate risks, but also safeguards MVO assets and critical operations.
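The steps above (identify the systems behind each critical function, map what they communicate with, and find the third parties connected to them) can be worked through mechanically once you have an asset inventory. The following is an added example, not code from the article or from Illumio: it walks a constructed inventory to compute the MVO as the transitive dependency closure of each critical function, lists every third-party-operated asset that connects into the MVO, and derives a default-deny allowlist of the flows those assets actually need. All asset, function and vendor names are constructed for illustration.

```python
"""Added example (not from the article): derive a minimum viable operation
(MVO) from a constructed asset inventory and map the third-party exposure
around it. Asset names, functions and vendor names are all constructed."""
from collections import deque

# Constructed inventory: each asset lists what it depends on to function and
# who operates it ("internal" or a named third party).
ASSETS = {
    "billing-web":     {"depends_on": ["billing-db", "idp"],      "operator": "internal"},
    "billing-db":      {"depends_on": ["storage-san"],            "operator": "internal"},
    "idp":             {"depends_on": [],                         "operator": "internal"},
    "storage-san":     {"depends_on": [],                         "operator": "internal"},
    "scada-hmi":       {"depends_on": ["scada-historian", "idp"], "operator": "internal"},
    "scada-historian": {"depends_on": ["storage-san"],            "operator": "internal"},
    "remote-maint":    {"depends_on": ["scada-hmi"],              "operator": "AcmeMaintenanceCo"},
    "hr-portal":       {"depends_on": ["idp"],                    "operator": "internal"},
    "lab-results":     {"depends_on": ["idp"],                    "operator": "PathLabCo"},
}

# Constructed: business-critical functions and the assets that directly deliver them.
CRITICAL_FUNCTIONS = {
    "generate-and-distribute-power": ["scada-hmi"],
    "issue-invoices": ["billing-web"],
}


def mvo_closure(functions, assets):
    """The MVO is every asset a critical function transitively depends on.
    Breadth-first walk over the depends_on edges from each function's assets."""
    mvo = set()
    queue = deque(a for names in functions.values() for a in names)
    while queue:
        asset = queue.popleft()
        if asset in mvo:
            continue
        mvo.add(asset)
        queue.extend(assets[asset]["depends_on"])
    return mvo


def inbound_connections(assets):
    """Invert the dependency graph: which assets connect *to* each asset."""
    inbound = {name: set() for name in assets}
    for src, meta in assets.items():
        for dst in meta["depends_on"]:
            inbound[dst].add(src)
    return inbound


def third_party_exposure(mvo, assets):
    """Every (third_party, source_asset, mvo_asset) where a third-party-operated
    asset connects into the MVO. These are the links to limit and control."""
    inbound = inbound_connections(assets)
    exposure = []
    for target in sorted(mvo):
        for src in sorted(inbound[target]):
            operator = assets[src]["operator"]
            if operator != "internal":
                exposure.append((operator, src, target))
    return exposure


def least_privilege_allowlist(mvo, assets):
    """Default-deny allowlist: only the inventoried flows that touch an MVO asset
    are permitted. Anything not returned here should be blocked."""
    allowed = set()
    for src, meta in assets.items():
        for dst in meta["depends_on"]:
            if src in mvo or dst in mvo:
                allowed.add((src, dst))
    return allowed


if __name__ == "__main__":
    mvo = mvo_closure(CRITICAL_FUNCTIONS, ASSETS)
    print("MVO assets:", sorted(mvo))
    print("Out of scope:", sorted(set(ASSETS) - mvo))
    for operator, src, target in third_party_exposure(mvo, ASSETS):
        print(f"third party {operator}: {src} -> {target}")
    for src, dst in sorted(least_privilege_allowlist(mvo, ASSETS)):
        print(f"allow {src} -> {dst}")
```

Note what falls out of the closure: the HR portal and the lab-results feed are not part of the MVO even though they share the identity provider with it, so an outage there is tolerable while an outage of the identity provider is not. The third-party list is where the Synnovis-style risk lives; each entry is a connection that needs a contractual and technical control, and the allowlist is the input a segmentation policy would be built from.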
How Zero Trust supports an MVO approach
One of the best ways to adopt a breach mindset and protect MVO assets is to adopt Zero Trust.
Zero Trust is a security strategy based on the principle of “never trust, always verify.” It enforces strict least-privilege principles on all access points, minimizing the risk of unauthorized access. This approach significantly reduces the impact of attacks and aligns with an MVO approach by identifying critical assets, their usage, and data flows within the network.
Micro-segmentation technologies like Zero Trust Segmentation (ZTS) are critical to Zero Trust as they divide networks into isolated segments with dedicated controls. With micro-segmentation in place, you can restrict user access, monitor traffic, and prevent lateral movement in the event of unauthorized access, isolating and safeguarding your critical assets.
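To make the segmentation claim concrete (restricting access, monitoring traffic and catching lateral movement once someone is inside), here is an added example, not code from the article or from any vendor product: a default-deny policy between constructed segments, evaluated over a constructed flow log, with a simple detector for a source that keeps being denied against multiple hosts in the MVO segment. Host addresses, segment names, ports and log lines are all constructed for illustration; a rule may name either a destination segment or a single destination host, which is the difference between "the contractor may reach the OT segment" and "the contractor may reach the HMI only."

```python
"""Added example (not from the article): evaluate network flows against a
default-deny micro-segmentation policy and flag lateral-movement attempts.
Hosts, segments, ports and log lines are constructed for illustration."""
from collections import defaultdict

# Constructed: which segment each host lives in. "mvo-ot" holds the SCADA assets.
SEGMENTS = {
    "10.1.0.10": "corp-users",
    "10.1.0.11": "corp-users",
    "10.2.0.5":  "mvo-ot",      # scada-hmi
    "10.2.0.6":  "mvo-ot",      # scada-historian
    "10.3.0.9":  "vendor-vpn",  # remote maintenance contractor
    "10.4.0.2":  "identity",    # idp
}

# Constructed allow rules: (src_segment, dst_segment_or_host, dst_port).
# Anything not listed is denied, i.e. least privilege between segments.
ALLOW = {
    ("corp-users", "identity", 443),
    ("mvo-ot", "identity", 443),
    ("mvo-ot", "mvo-ot", 5432),       # hmi -> historian
    ("vendor-vpn", "10.2.0.5", 22),   # contractor reaches the HMI host only
}

# Constructed flow log: "<src> <dst> <dst_port>" per line.
FLOWS = """\
10.1.0.10 10.4.0.2 443
10.2.0.5 10.2.0.6 5432
10.3.0.9 10.2.0.5 22
10.1.0.11 10.2.0.5 3389
10.1.0.11 10.2.0.6 445
10.1.0.11 10.2.0.5 22
10.3.0.9 10.2.0.6 22
"""


def parse_flow(line):
    src, dst, port = line.split()
    return src, dst, int(port)


def evaluate(src, dst, port, segments=SEGMENTS, allow=ALLOW):
    """Return 'allow' or 'deny'. Unknown hosts fall into a 'quarantine' segment
    that matches no rule, so the default is deny."""
    s = segments.get(src, "quarantine")
    d = segments.get(dst, "quarantine")
    # a rule may name the destination host (tighter) or its segment (broader)
    if (s, dst, port) in allow or (s, d, port) in allow:
        return "allow"
    return "deny"


def audit(flow_text, segments=SEGMENTS, allow=ALLOW):
    """Verdict for every flow line, in order."""
    return [(*parse_flow(l), evaluate(*parse_flow(l), segments, allow))
            for l in flow_text.strip().splitlines()]


def lateral_movement_candidates(flow_text, threshold=2, segments=SEGMENTS, allow=ALLOW):
    """A source whose denied flows target >= threshold distinct hosts inside an
    MVO segment is probing across the segment boundary. {src: sorted targets}."""
    denied_targets = defaultdict(set)
    for src, dst, port, verdict in audit(flow_text, segments, allow):
        if verdict == "deny" and segments.get(dst, "").startswith("mvo-"):
            denied_targets[src].add(dst)
    return {src: sorted(t) for src, t in denied_targets.items() if len(t) >= threshold}


if __name__ == "__main__":
    for src, dst, port, verdict in audit(FLOWS):
        print(f"{verdict:5} {src} -> {dst}:{port}")
    print("lateral movement candidates:", lateral_movement_candidates(FLOWS))
```

In the constructed log the contractor's SSH to the HMI is allowed but its attempt against the historian is denied, because the rule names the host rather than the segment; the workstation 10.1.0.11 is flagged because its denied flows reach two different OT hosts. With a segment-wide contractor rule the historian attempt would have passed silently, which is why the granularity of the rule, not just the existence of a segment, determines how much a compromised third party can reach.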
Not all cyber attacks have to cause the suspension of operations
The UK government has warned of the economic disaster that could occur if a cyber attack on critical infrastructure were successful. However, the reality is that the impact could be catastrophic for any company or business that does not safeguard its critical operations.
In Richard Horne’s debut speech as chief executive of the NCSC, he spoke about the growing hostility facing the UK, with attackers wanting to cause maximum disruption and destruction. And while a cyberattack may not seem as terrifying as the nuclear attack in “Threads,” its disastrous impact on society is as significant as that of a weapon of mass destruction.
Therefore, it is essential to secure the assets that keep society and businesses running. Not all cyberattacks have to end in business or operational failure. By prioritizing an MVO approach with Zero Trust and micro-segmentation at its core, you can ensure your organization avoids catastrophic consequences from attacks.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we feature the best and brightest minds in today’s tech industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.