Digital Resilience for SME’s in APEC
Wed 10 Feb 2016 | Michael Mudd
‘Planning for threats with the lowest probability is needed as these scenarios are becoming a reality’. President Eisenhower said that over 50 years ago. He was faced with nuclear war. Japan was faced with the 2011 Tsunami. The next year Thailand had to deal with a ‘one in a hundred years flood’ and in 2013; the most powerful storm ever recorded devastated parts of the Philippines.
These incidents also illustrate the risks in the global supply chain or as it is now often described, the Global Value Chain (GVC). Today businesses large and small are faced with a myriad of threats to their people, facilities, data, equipment, knowledge and intellectual property which in turn affects their business relationships with customers/suppliers and ability to rapidly return to business as usual when one of these threats materialize. As such these need to be identified and a risk mitigation strategy put in place, usually referred to as ‘Business Continuity Management’ (BCM) formerly referred to as Disaster Recovery or DR. Broadly these risks may be grouped and classified as the following;
Man Made, such as terrorism, sabotage, theft, riot, strike, plant failure, fire, water leak.
Natural; such as Typhoon/storm/tornado/hail/lightning strike/earthquake/volcano/Tsunami/ Pandemic.
External Business related; such as power failure/water supply failure/strike/key employee leaving/human error/mass transport outage (so workers can’t get to work) etc.
IT and Data failures; including sabotage/theft, virus and malware, denial of access, human error software and application corruption /failure/connectivity failure.
‘Black Swan’ events; Rare events as those that are unexpected; produce an extreme impact; and, although technically outliers, demand explanations and responses. Extreme weather events may be included here.
Legislative risk; which includes new laws or more rigid enforcement of existing laws covering such areas as environmental/pollution, land zoning, labour, specific industry laws, export laws, financing laws (for exports) Other laws that affect your customers ability to do business with you such as Unfair Competition Laws or anti-corruption laws (UCA or FCPA in the US for example). With respect to UCA/FCPA for example, this is a known risk and non-compliance is a reputational risk as well as a financial one.
Larger enterprises (500+ employees; $100 -$250m turnover) clearly have greater resources than smaller enterprises, and although sound resilience principles also apply to them, they have greater import to smaller enterprises by definition. They generally adopt the PESTEL approach; the political, economic, social, technological, environmental and legal lenses through which the risk analysis is conducted and resilience plans framed and then adopted. Standards for security and resilience are offered by the ISO and other organisations 
With respect however to micro and small enterprises (MSME/SME) that is employing between 5 – 50 staff with turnover less than $1m, their needs as well as resources available are quite different. Equally the effect of any disruption in business is usually greater as they have a smaller financial cushion to absorb losses and costs in the short term.
A key part of risk planning for any business, large or small is to address the ability to ‘bounce back’ in the face of adversity which is generally referred to as ‘resilience’. Resilience, as a noun may be defined in a business context as ‘The ability to recover from or adjust to misfortune or change by having the capacity to withstand stress and catastrophe’. Moving on from traditional DR that dated acronym may now be redefined as ‘Digital Resilience’ (or new DR). Thus the ‘new DR’ may be narrowed down for SME’s, simply as ‘The ability to survive in digital adversity’.
As such it is the final component of a traditional BCM plan – to get back to business as usual in the shortest time possible. For larger enterprises there are comprehensive frameworks available but here we are addressing specifically the Information Technology (IT) used by SME’s that may be assumed not to have technical expertise a dedicated IT department.
Virtually all SMEs now use some form of IT in their business, from a PC for office administration and spreadsheets, to email. In the past 5 years this has rapidly grown to encompass innovations such as IP phones, online banking, online sales and trading sites and social media.
However they are increasingly at risk from business disruption from IT failure due to internal or external actions either through an accident, natural or man-made intervention. Whilst most natural disasters and accidents by definition are hard to predict, the dramatic increase in cyberattacks and spread of malware in recent years that go across all platforms and businesses regardless of size, can be. This is a shared responsibility between all parties in the IT ecosystem.
As such an approach based on ‘assumed breach’ is the most constructive way to look at this. Rather like business travel nowadays where delays and traffic jams are inevitable but general unpredictable, the ability to deal with these disruptions as they appear should be part of any business plan, big or small.
Advance preparation based a few simple principles and will enable MSME/ SME’s be ready for this so they may return their business to normal in the shortest time possible. This may minimise financial losses by being able to deliver to their customers, thus restoring cash flow as an interruption to their cash flow can cripple a small business very quickly.
From the above, the following Principles have been identified;
Principle #1 First Reduce Technical Vulnerability: Each element of a System should run current, patched versions to reduce exposure to compromise.
Principle #2 Element-Level Protection: Each element of a System should be protected both from external compromise and from other compromised elements of the same System.
Principle #3 Element-Level Detection: Mechanisms to detect compromise should be in place for each element of the System.
Principle #4 Localised Containment: Compromises should be contained as close as possible to the initial compromised element.
Principle #5 Automated Recovery: It should be possible to reliably recover a compromised system to a known-good state with a high degree of automation.
Principle #6 Resilience Rating of Systems: Every system should be classified with a required level of resilience based on the criticality of services provided by a System.
Principle #7 Isolation of Untrusted Systems: A System in which any element is compromised. Should be considered untrusted and isolated from other systems.
Principle #8 Dynamic Adaptation: Networks of Systems should be capable of dynamic adaptation in response to a threat or disruption so as to minimise impact and maintain continuity of operation.
With respect to SME’s these principles may be simplified further as follows;
- Identity – People, systems and machines –who and what is running or accessing.
- Platform – The infrastructure; hardware/operating system and Cloud services.
- Process – The applications and programs used.
- Network – the communication link and its gateways and firewalls.
- Data – Storage on and off premise, Cloud outsourcing for primary and backup.
Identity. Access control and who has what passwords are basic security controls, but for accessing banks online for example this has to be tightly controlled as financial fraud is the main insider threat facing SME’s. Using a bank that demand two factor authentication with the second using information only known to the authorised person, greatly reduces this risk.
Platform. No operating system is safe from compromise today; the key is to ensure that the software is authentic and updated by the manufactures on demand. This is generally an automated process for genuine software.
Process. The advent of widely available Cloud computing is a game changing innovation for the SME to embrace Digital Resilience as backups may be set whenever a PC or servers is activated. End to end encryption of data is now the standard and when this is combined with adherence to international standards such as certification under the ISO 27000 series (including ISO 27018 in particular on privacy of personal data), robust security is assured. For an SME there are now multiple services available from major vendors that have the experience a depth of expertise to ensure that they may work seamlessly in the background; backing up files, data, customer information, accounting work in progress including design and development so that in the event of an external event or even a local server or PC failure will ensue that data loss is minimised. Offshore data storage ensures local events do not interrupt this process, be they natural in the case of the examples above, or manmade. Once the immediate cause of the loss is dealt with, that recovery may be made and the business rebuilt.
Network. Tier one telecoms carriers for land line connectivity combined with a secondary cellular carrier (plus on demand prepaid service) will provide the required service levels for all but the most severe interruption which would normally mean a natural disaster. If data is backed up in the Cloud then the minimum amount of data may be lost due to a carrier outage.
Data. Off premise data storage is crucial for digital resilience. As was shown in Japan, data backed up locally may also be wiped out. The Cloud solutions available mitigate this risk.
To summarise; it has never been cheaper nor more convenient to enable Digital Resilience for SMEs by the adoption of Cloud services for the ‘new DR’. There is considerable choice in Cloud Service Providers (CSP’s) that have years of experience in traditional BCM for large enterprises, employing hundreds of experts in areas such as security and privacy that is now available to SME’s at a price point that virtually all can afford.
This will further enable them to participate in the GVC and grow their business by enabling trust in their ability to withstand any disruption and assuring their customers of a rapid return to business as usual.
 The Black Swan: The Impact of the Highly Improbable, Nassim Nicholas Taleb
 ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirements: http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=54534
Council on CyberSecurity (CCS) Top 20 Critical Security Controls (CSC): http://www.counciloncybersecurity.org
 From Mr. James Kavanagh, Chief Security Advisor, Microsoft Australia.