In the midst of the Cold War, the possibility of nuclear attack was deeply feared, yet at the same time strangely unimaginable. The dread of nuclear disaster persisted for years, as the 1984 BBC drama “Threads” attests.
The film explores the hypothetical dropping of a nuclear bomb on a British city and the collapse of society that follows. Audiences were horrified by it, because it put everyone’s deepest, darkest fears about nuclear fallout on screen.
Nearly 40 years later, with nuclear fear still present, a cybersecurity catastrophe is the new fear in the background, and in July 2024 we received our first major warning sign.
The CrowdStrike outage showed the widespread chaos that results when millions of computers crash at the same time, reminding many people of the fear sparked by the Y2K bug.
Now imagine that chaos, but instead of a software update gone wrong, it is a cybercriminal targeting a power plant’s control systems and leaving a city without power for a week. Or a vulnerability in fintech software triggering a 2008-style financial crisis.
Although such an event may be difficult to envisage, the interconnectivity of modern systems makes it a real possibility. The goal should be to achieve operational resilience, which means prioritizing the maintenance of business-critical functions in the event of a serious incident. But to do this, organizations must first understand their minimum viable operation (MVO).
Director of Critical Infrastructure at Illumio.
What is MVO?
MVO is the smallest set of systems a business needs to remain operational or keep providing its services. Defining it also means developing detailed rebuild protocols and recovery measures for those systems so that downtime is minimized.
Many organizations have realized that the likelihood of a cyberattack cannot be reduced to zero. No matter how much they spend on security, their systems and data are no less attractive to cybercriminals.
Although money cannot eliminate the probability of an attack, it can reduce the impact if spent correctly. Instead of focusing solely on preventing breaches, companies are increasingly shifting their investment towards containing breaches and mitigating their impact, so that they can keep their MVO running.
In the power plant example above, the organization’s MVO would include the SCADA and other ICS components that control the generation, monitoring and distribution of energy. By identifying its MVO, the plant can develop a cyber resilience strategy that protects these critical systems and keeps the power flowing when the inevitable breach occurs.
This approach is not an admission that cybercriminals have beaten us. It accepts the reality that immunity from breaches cannot be guaranteed, and it concentrates on limiting the impact when they occur. There is no shame in being breached; a lack of preparation, however, is inexcusable, especially for businesses in critical sectors.
Putting the MVO approach into practice
So where do you start? The first step to understanding your MVO is identifying the systems critical to maintaining operations, and this is unique to each business. The systems that make up a retailer’s MVO will look nothing like those of an energy company.
Once these have been identified, map the risks surrounding or linked to them. What do they communicate with, and how? Consider attack vectors, the supply chain, and any third parties that connect to your MVO systems.
Like most organizations, you almost certainly rely on a significant number of third parties to operate. Just look at the large number of suppliers and contractors who keep the NHS running, and the impact of the attack on pathology provider Synnovis. It is essential that you understand which third-party systems are connected to your networks, and that you limit and control what they can reach. Best practice is to apply a least-privilege policy that limits connectivity to the bare minimum required.
This is also where an “assume breach” mentality is essential. Assuming breach shifts the focus away from simply trying to prevent unauthorized access and towards ensuring that, once inside, an attacker’s movement is severely restricted and their impact minimized. This not only helps you manage and mitigate risk strategically, but also protects the MVO’s critical assets and operations.
How Zero Trust supports an MVO approach
One of the best ways to adopt an assume-breach mentality and protect MVO assets is Zero Trust.
Zero Trust is a security strategy based on the principle “never trust, always verify”. It applies least privilege to every access request rather than trusting anything by virtue of its network location, minimizing the risk of unauthorized access. This significantly reduces the impact of an attack and aligns with an MVO approach, because both start by identifying critical assets, how they are used, and the data flows between them.
Micro-segmentation technologies such as Zero Trust Segmentation (ZTS) are fundamental to Zero Trust because they divide the estate into isolated segments, each with its own controls. With micro-segmentation in place you can restrict access, monitor traffic and prevent lateral movement after an initial compromise, isolating and protecting your critical assets.
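The steps above (identify the MVO systems, map what they talk to, flag third-party connections, then reduce connectivity to the least privilege required) and the segmentation policy that enforces them can be worked through on data. The following is an added example written for this page; it is not Illumio’s or any vendor’s code, and the asset inventory, the flow baseline, the host names and the energy-operator scenario are all constructed for illustration. It expands a seed list of services into the full MVO by following outbound dependencies transitively, lists supplier-operated paths into that scope, derives a default-deny allow-list from the observed flows, and then checks how far a compromised workstation or vendor jump host could move under that policy.

```python
"""Derive a minimum viable operation (MVO) scope and a default-deny
segmentation policy from an asset inventory and a flow baseline.

Added example for this article; not Illumio's or any vendor's code.
ASSETS, FLOWS and the 'energy operator' scenario are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, str]  # (source, destination, "port/proto")

# Constructed inventory: asset -> (zone, operator). "third-party" marks a
# supplier-operated system that connects into the estate.
ASSETS: Dict[str, Tuple[str, str]] = {
    "scada-hmi":        ("ot",  "internal"),
    "plc-gateway":      ("ot",  "internal"),
    "historian":        ("ot",  "internal"),
    "ad-dc":            ("it",  "internal"),
    "vendor-jump":      ("dmz", "third-party"),
    "erp":              ("it",  "internal"),
    "hr-portal":        ("it",  "internal"),
    "corp-workstation": ("it",  "internal"),
}

# Constructed flow baseline: connections observed over a quiet period.
# In practice this comes from flow logs, firewall logs or host telemetry.
FLOWS: List[Flow] = [
    ("scada-hmi",        "plc-gateway", "502/tcp"),   # Modbus to field devices
    ("historian",        "plc-gateway", "502/tcp"),
    ("scada-hmi",        "historian",   "1433/tcp"),
    ("scada-hmi",        "ad-dc",       "88/tcp"),    # Kerberos logon
    ("historian",        "ad-dc",       "88/tcp"),
    ("vendor-jump",      "plc-gateway", "22/tcp"),    # supplier maintenance
    ("erp",              "historian",   "1433/tcp"),  # reporting pull
    ("corp-workstation", "erp",         "443/tcp"),
    ("corp-workstation", "hr-portal",   "443/tcp"),
    ("corp-workstation", "ad-dc",       "88/tcp"),
]

# Ports an attacker on a compromised host would plausibly try.
PROBE_PORTS = ["22/tcp", "88/tcp", "445/tcp", "502/tcp", "1433/tcp"]


def mvo_scope(seeds: Set[str], flows: List[Flow]) -> Set[str]:
    """Expand the seed services (those whose loss halts operations) into the
    full MVO by following outbound dependencies transitively. If the HMI
    authenticates against ad-dc, ad-dc is in the MVO whether or not anyone
    listed it; inbound consumers (erp pulling reports) are not."""
    depends_on: Dict[str, Set[str]] = defaultdict(set)
    for src, dst, _ in flows:
        depends_on[src].add(dst)
    scope, frontier = set(seeds), list(seeds)
    while frontier:
        for dep in depends_on[frontier.pop()] - scope:
            scope.add(dep)
            frontier.append(dep)
    return scope


def third_party_exposure(scope: Set[str], flows: List[Flow],
                         assets: Dict[str, Tuple[str, str]]) -> List[Flow]:
    """Connections into MVO assets from supplier-operated systems. Each one
    is a decision for the business: keep it as an explicit rule or cut it."""
    return [f for f in flows if f[1] in scope and assets[f[0]][1] == "third-party"]


def build_policy(scope: Set[str], flows: List[Flow]) -> Set[Flow]:
    """Least-privilege allow-list: exactly the observed flows whose destination
    is an MVO asset. Anything else that reaches an MVO asset is denied."""
    return {f for f in flows if f[1] in scope}


def is_allowed(policy: Set[Flow], scope: Set[str], src: str, dst: str, port: str) -> bool:
    """Decision for one connection attempt. Destinations outside the MVO are
    outside this policy's ring and are not constrained here."""
    if dst not in scope:
        return True
    return (src, dst, port) in policy


def reachable_mvo_assets(policy: Set[Flow], scope: Set[str], compromised: str,
                         probe_ports: List[str]) -> Set[str]:
    """Assume breach: which MVO assets can a compromised host still reach when
    it tries every probe port against every MVO asset?"""
    return {
        dst for dst in scope if dst != compromised
        for port in probe_ports if is_allowed(policy, scope, compromised, dst, port)
    }


if __name__ == "__main__":
    scope = mvo_scope({"scada-hmi", "plc-gateway"}, FLOWS)
    policy = build_policy(scope, FLOWS)
    print("MVO scope:", sorted(scope))
    print("third-party paths into the MVO:", third_party_exposure(scope, FLOWS, ASSETS))
    print("allow rules:", len(policy))
    for host in ("corp-workstation", "vendor-jump"):
        print(f"if {host} is compromised, a flat network exposes: {sorted(scope - {host})}")
        reach = reachable_mvo_assets(policy, scope, host, PROBE_PORTS)
        print(f"  with the policy enforced it can still reach: {sorted(reach)}")
```

Two things a practitioner should take from this. First, the scope expansion follows the flows, so the domain controller lands inside the MVO because the HMI authenticates against it; that is exactly the kind of dependency that goes unlisted until the recovery drill fails. Second, the allow-list is only as good as the baseline it was learned from: capture it over a period that includes maintenance windows and month-end jobs, run the policy in a monitoring (non-blocking) mode first, and treat every third-party path it reports, such as the vendor jump host’s SSH access to the PLC gateway, as a deliberate decision rather than something to be rubber-stamped because it was observed.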
Not every cyberattack has to halt operations
The British government has warned of the economic disaster that a successful cyberattack on critical infrastructure could cause. The reality, though, is that the impact could be catastrophic for any business or enterprise that fails to protect its critical operations.
In his first speech as CEO of the NCSC, Richard Horne spoke of the growing hostility facing the UK, with attackers keen to cause maximum disruption and destruction. And while a cyberattack may not immediately seem as frightening as the nuclear attack in “Threads,” its impact on society can be as disastrous as that of a weapon of mass destruction.
It is therefore essential to secure the assets that keep society and businesses functioning. Not every cyberattack has to end in business or operational failure. By prioritizing an MVO approach built on Zero Trust and micro-segmentation, you give your organization the best chance of avoiding the catastrophic fallout of an attack.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we feature the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.