How Long Can You Afford To Be Down?
Find Out What It Costs…Before Talking Budget…
MTD (Maximum Tolerable Downtime) is the first thing you should be thinking about. Data theft and misuse are equally important, but downtime (from ransomware or failure) is unavoidable.
Remember What Security Trend Reports Were a Few Years Ago…
Older threat reports (Symantec, Verizon, FBI/CSI, etc.) focused on the likelihood of an attack. They measured the number of companies hit by malware, reporting spam, or suffering DDoS attacks.
Read today’s reports and you’ll discover something different…
Newer reports focus on types of malware, cost of downtime, cost of data exposure, and whether or not insiders were involved. In this ongoing discussion on security assessments, DOWNTIME and COST are the focus.
A Company’s Most Important Asset Used to Be People…Not Anymore
Talk to any DR (disaster recovery) specialist and they’ll tell you people are (or were) a company’s most important asset.
Not anymore.
Now it’s data…Not to minimize the value of a person, but even the WSJ calls DATA the Oil of the New Millennium, not people.
In security there are three pillars to consider: Confidentiality, Integrity, and Availability. In this article I’m talking about the third, AVAILABILITY.
80% of Cyber-Breaches Result in Downtime
Every major corporation has been breached at this point…and most smaller firms too. It’s just a matter of time. 8 out of 10 experience downtime, and based on Cisco’s graph (from their 2017 Cybersecurity Trends Report), 90% of those 8 will be down for 8 or more hours…
How much downtime can your client stand on any given system?
Even with data moving to the cloud, downtime is a major factor. MTD (Maximum Tolerable Downtime) is the old DR metric that asks how much downtime your firm can stand on any given application before it severely impacts the business.
The actual number has to be given to you as the assessor. You can discover it through observation…
And while it may seem arbitrary, there are numerous studies available online that tell us how likely a business is to go out of business after an outage.
Who Knows The Answer And What Does It Mean?
The problem is, most security assessments don’t actually measure tolerable outage, or the likelihood of exceeding executive management’s tolerance.
IT is generally the focus of these assessments…
To the IT custodian, an outage means working late, not a failing business. The right approach to assessing risk involves assessing the things which create a risk of something bad happening – in this case business failure, a stock price drop, loss of shareholder value, or customer dissatisfaction (to name a few).
Remember, Customer Experience is the New Brand Metric…And downtime kills customer experience.
So who knows the MTD?
The asset owners know…the ones who use the data to drive the business. Different departments add more or less value to overall business success, and executive management knows which are which. IT, on the other hand, does not. (Just ask any executive.)
Ask the end users, and they’ll tell you they can’t stand any downtime!!!
Of course that’s not true. However, any business critical function probably requires more uptime than IT realizes, and is worth spending more to maintain than most executives would like to admit.
Uptime is always a cost-benefit analysis. The first answer is usually, “No downtime”. Once an estimated cost of zero downtime is displayed, that downtime number suddenly goes up…
Getting Real With Risk And Downtime
What’s really happening here is that, when faced with a large financial number, executive management suddenly wants to take on more risk than it can actually stand.
It’s no different than the person with no consistent income getting approved for the sub-prime mortgage, so they can finally get their house.
The house-buyer’s attention is on the house, not the payment. With downtime, it’s the same. The buyer’s eyes are on spending where it feels good, not minimizing risk.
It’s the assessor’s job to convince asset owners that downtime is only a matter of time. Remember, most breaches (80%) will result in some downtime. Half will be in the range of one day or less…but about the same number will exceed one day by anywhere from one to (pick a number) days.
What’s the likelihood of downtime? Close to 80%, given that the likelihood of being hit with some form of cyberattack is nearly 100% over some time period.
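To turn the cost-benefit conversation above into numbers an asset owner can argue with, here is a small downtime-risk model. It is an added example, not code from the original article: it takes the article’s 80% “breach leads to downtime” rate and a constructed outage-duration distribution (chosen so half of outages last a day or less, the rest longer), and for each system compares the expected annual downtime loss and the chance of blowing through the stated MTD against the cost of the mitigation (HA, hosting, redundancy). It also shows why a shared component such as a lone firewall inherits the combined hourly cost and the tightest MTD of everything behind it. All system names, costs and probabilities are assumptions; replace them with your client’s figures.

```python
from dataclasses import dataclass

# Constructed model inputs (assumptions). Only the 80% downtime-given-incident
# rate is taken from the article; the duration split is illustrative.
P_DOWNTIME_GIVEN_INCIDENT = 0.80
# Outage duration in hours -> probability, given that an incident causes downtime.
DURATION_DISTRIBUTION = {4: 0.10, 12: 0.40, 36: 0.30, 96: 0.20}


@dataclass
class SystemProfile:
    name: str
    mtd_hours: float        # maximum tolerable downtime, stated by the asset owner
    cost_per_hour: float    # business cost per hour of unavailability
    mitigation_cost: float  # annual cost of the HA / hosted / redundant alternative


def expected_outage_hours(p_incident: float = 1.0) -> float:
    """Expected downtime hours per year for one system, given the annual
    probability of an incident (the article puts it near 100%)."""
    mean_duration = sum(h * p for h, p in DURATION_DISTRIBUTION.items())
    return p_incident * P_DOWNTIME_GIVEN_INCIDENT * mean_duration


def p_exceeds_mtd(mtd_hours: float, p_incident: float = 1.0) -> float:
    """Probability (per year) that an outage runs longer than the stated MTD."""
    p_longer = sum(p for h, p in DURATION_DISTRIBUTION.items() if h > mtd_hours)
    return p_incident * P_DOWNTIME_GIVEN_INCIDENT * p_longer


def single_point_of_failure(name: str, dependents: list, mitigation_cost: float) -> SystemProfile:
    """Profile for a shared component (e.g. the one firewall) that takes every
    dependent system down with it: it carries the combined hourly cost and the
    tightest MTD of everything behind it."""
    return SystemProfile(
        name=name,
        mtd_hours=min(d.mtd_hours for d in dependents),
        cost_per_hour=sum(d.cost_per_hour for d in dependents),
        mitigation_cost=mitigation_cost,
    )


def assess(system: SystemProfile, p_incident: float = 1.0, tolerance: float = 0.10) -> dict:
    """Compare expected annual downtime loss with the cost of mitigating it."""
    hours = expected_outage_hours(p_incident)
    ale = hours * system.cost_per_hour            # annual loss expectancy
    p_exceed = p_exceeds_mtd(system.mtd_hours, p_incident)
    return {
        "system": system.name,
        "expected_hours_down": round(hours, 2),
        "annual_loss_expectancy": round(ale, 2),
        "p_exceeds_mtd": round(p_exceed, 3),
        "mitigation_cost": system.mitigation_cost,
        # Mitigation pays when it costs less than the expected loss, or when the
        # chance of exceeding the MTD is above what management will accept.
        "recommend_mitigation": ale > system.mitigation_cost or p_exceed > tolerance,
    }


if __name__ == "__main__":
    # Constructed sample systems (hypothetical names and figures).
    email = SystemProfile("email", mtd_hours=24, cost_per_hour=2000, mitigation_cost=20000)
    crm = SystemProfile("cloud CRM access", mtd_hours=8, cost_per_hour=5000, mitigation_cost=0)
    firewall = single_point_of_failure("edge firewall", [email, crm], mitigation_cost=15000)
    wiki = SystemProfile("intranet wiki", mtd_hours=120, cost_per_hour=50, mitigation_cost=10000)
    for s in (email, firewall, wiki):
        print(assess(s))
```

Run it as-is to see the three verdicts: the redundant firewall is justified several times over because its hourly cost is the sum of everything that needs the Internet, while the low-value wiki with a generous MTD is not worth a second server. The `tolerance` argument is where the “how much risk will management actually accept” conversation from this section gets written down as a number.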
Solving The Problem
The problem of downtime used to be solved with EMC SRDF (mirrored NAS over a wide area connection), or at minimum, redundant systems running a highly available configuration. These are expensive solutions when you’re talking to mid-market firms and down…
Does your MSP offering include virtual data servers in a hosted (protected) environment? Are you running a virtualized HA configuration?
What about using a Dropbox-like solution in addition to backups?
In a recent sales call, one of my clients had a firewall opportunity. The vendor SE accompanied them on the call. When the client was asked about the need for redundant firewalls, they replied, “Not necessary”.
The vendor SE made a note and moved on…but my client, having been through the Security Sales Mastery Program knew better.
IT can’t answer this question!!! A single firewall outage would shut down just about everything: all external communications, including cloud app access, email, etc. Can any company actually work without its Internet connection anymore? Probably not…
Suddenly downtime is a serious issue, and one that demands new services: hosted systems, redundancy, HA Internet access, data in the cloud, and more…The risk assessment, when focused on MTD, is your fastest road to up-selling services to your clients.
© 2017, David Stelzl