Establishing MVC for Cyber Resilience

Knowing your organization’s minimum viability helps enable continuous business.

On a recent episode of the STRIVE podcast, host Darren Thomson introduced the concept of minimum viability for your organization. With the threat of cyberattacks ever present, you must be prepared to respond to potential disruptions to your business operations.

But what if there was a way to help your business survive and even thrive in the face of such threats? Enter the concept of the minimum (sometimes referred to as minimal) viable company (MVC) for cyber resilience.

What Is a Minimum Viable Company?

MVC is the absolute minimum set of functions and assets required to keep your business operational and recover from a cyberattack. Imagine a scenario where your entire IT infrastructure, critical applications, communication technology, customer data, and supply chains are compromised. In such a situation, having a well-defined MVC can be the difference between a quick recovery and a complete standstill.

Why Is MVC Important?

  1. Prioritizing critical functions: MVC helps you identify the essential functions that must be running first. These might include finance, customer service, supply chains, and compliance-related operations.
  2. Rapid recovery: By focusing on the bare minimum, you can resume operations more quickly than if you waited for a full recovery. This is crucial in minimizing the negative impact on your finances and your reputation.
  3. Maintaining trust: In the aftermath of a cyberattack, trust is a precious commodity. A well-defined MVC helps you continue to operate, even if it’s at a reduced capacity, which helps maintain trust and confidence.

How to Define Your MVC

  1. Business impact analysis: Start by conducting a business impact analysis to identify which functions and assets are mission-critical and which can be temporarily suspended.
  2. Tabletop exercises: Test your team’s responses through tabletop exercises that simulate cyber incidents and help you identify gaps in your response plan. These exercises are crucial for verifying that everyone knows their roles and responsibilities during a crisis.
  3. Playbooks: Create detailed playbooks that document recovery steps and communication plans. These playbooks should be accessible and easy to follow, even in high-stress situations. They should include step-by-step instructions for restoring essential services and communicating with stakeholders.
  4. Exhaustive testing: Testing is not a one-time activity. Regular, thorough testing is essential to confirm that your MVC can be effectively implemented when needed. This includes testing your IT environment, communication plans, and manual workarounds.

Key Strategies and Practices

  1. Essential business functions: Focus on the functions that are absolutely necessary for your business to operate. This might include finance, customer service, and supply chain management.
  2. Minimal but functional IT environment: Identify and restore top-priority services in a secure and clean state. Tools like cloud-based backups, isolated recovery zones, and clean rooms can be invaluable in this process.
  3. Key people and processes: Identify key employees who can operate the business at a bare minimum. Make sure they have the necessary access and tools, and establish manual workarounds and communication plans for extended downtime.

Continuous Refinement

MVC is not a static concept. It requires ongoing refinement through business impact analysis, tabletop exercises, and testing. These activities help you stay ahead of potential threats and help enable your business to respond effectively to any cyber incident.

By focusing on essential functions, a minimal but functional IT environment, and key people and processes, you can maintain continuous business and trust. Establishing your minimum viability is a powerful tool for business survival and remaining resilient in the face of any challenge.

Watch the full podcast here.
