Transcript
Hello, and welcome to episode 15 of Strive, where we talk about security, technology, resilience and everything IT, all in a virtual environment. I'm Darren Thompson, your host, and today we're going to be diving into a critical concept for business survival in the wake of a cyber attack, and that is the concept of Minimal Viable Company, or MVC. But before we start today, my usual disclaimer: the information shared in this podcast is for general informational purposes only. It does not constitute legal advice or professional advice, and it may be subject to change.

Now let's get into Minimal Viable Company. What is it? The idea comes from the agile software development world, where we create a streamlined version of a product that meets only the core needs of users. So what about Minimal Viable Company? What is this, and why is it important in the context of a cyber resilience strategy? As we've discussed in previous episodes of Strive, in today's world it comes down to the absolute minimum in terms of your business: the functions that are needed to survive and ultimately recover from a cyber attack. Think of it like this. After a ransomware attack, for example, your entire IT infrastructure could have gone away. You might lose access to critical applications, communication technology, customer data, supply chains, etc. Operations, of course, can't come to a standstill for too long, so you need to define a Minimal Viable Company which lays out what is absolutely required to keep the lights on for your business whilst full recovery takes place.

Okay, but why does this matter in terms of resilience? Well, we've found that traditional disaster recovery strategies often focus on full recovery. They assume that DR will be enabled and everything will be restored, and that's largely because traditional DR strategies were really predicated on the idea of a physical failure, and they assume that all data is clean. But let's issue a bit of a reality check here.
Firstly, full recovery could take weeks or even months after a sophisticated cyber attack. Secondly, not all systems are equally important. Some can wait for recovery and others can't. And thirdly, every hour of downtime means lost revenue, reputational damage and potential regulatory fines. A well-defined Minimal Viable Company allows you to do a few things: prioritise critical business functions, recover quickly from the disruption, and maintain trust wherever possible with customers, employees and regulators.

Okay, but what do we need to define? Let's break down "essential" at a high level. When defining MVC, you need to focus on three core areas. Number one, essential business functions. What absolutely must be running first? Think finance, customer service, supply chains and compliance-related operations. If you're in healthcare, that could mean patient data systems. If you're in retail, it probably means point of sale and logistics. Number two, a minimal but functional IT environment needs to be defined. Not every application or system needs to be restored immediately. Identify the top priorities. Tape-based backups, isolated recovery zones, clean recovery environments, clean rooms: they all play a massive role here. And don't forget application dependencies, including software supply chains. And number three, people and process. Who are the key employees needed to run the business at a bare minimum? Do they have the access required to do that job? Do they have the necessary tools? What manual workarounds are possible if IT systems remain down for an extended period? And very importantly, how will these people communicate with one another?

So how should we go about defining our Minimal Viable Company? Well, I think a good way of thinking about this is to ask yourself the following questions. If your company were hit by ransomware today, could somebody tell you what is the absolute minimum IT infrastructure we need to operate?
What data sets and applications must be restored first? Who are the critical employees, and what access do they need? And lastly, what workarounds could be put in place whilst a full recovery happens? Importantly, refining your MVC isn't just a one-time exercise, of course. It requires a few things, including business impact analysis to identify mission-critical assets, tabletop exercises to test how teams respond to cyber incidents, playbooks that document all of your recovery steps, communication plans, role assignments, and, really importantly, exhaustive testing. How do you know that you can get your MVC back if you've only ever tried it on paper? This area is really rife right now with disruptive technologies such as air gapping, immutable data copies, and clean rooms.

So to wrap up this session, cyber recovery isn't necessarily about getting back to 100% instantly. It's about keeping the business running with the essentials whilst you rebuild the rest. However, defining what is necessary is not trivial, and this is where the concept of MVC comes into play. Your MVC could be the difference between survival and failure in the wake of a catastrophic cyber attack. I challenge you to take this conversation to your IT and security teams and ask the following questions. Do we have an MVC? How quickly could we pivot to minimal viable operations if we needed to? And what's missing in our current cyber recovery plans?

Thank you for joining me on this episode of Strive. That's all we have time for today. Stay tuned for more stories and insights, and until next time, stay informed, stay secure, and I will see you in the next one.