Implementing Business Continuity Plans
Why Business Continuity?
Cybersecurity typically looks at confidentiality, integrity and availability of data and the ecosystems around it. Availability is generally considered a basic requirement, as without a fully functional information system, organizations cannot execute their processes. And obviously, if a business can’t execute its processes, it fails…
Business Continuity Management (BCM), therefore, ensures the availability of the business processes. Indeed, it is at the core of a company’s interest as it encompasses all the measures needed to prepare and handle any disruptions that the business faces.
There are various reasons (some combined) why business processes can be disrupted:
- Systems become unavailable due to cyberattacks (e.g., ransomware, distributed denial-of-service (DDoS) attacks, website defacement, or hacking activity that disrupts or destroys a system)
- Outages caused by glitches at data centers or utilities (internet service providers, electricity providers)
- Staff becoming unavailable (e.g., epidemic or pandemic)
Business Continuity Management is part of an overall risk management approach. As such, measures taken must also consider the company’s risk appetite and need for a good cost/benefit relation.
While sound business continuity management and the associated planning is first and foremost about helping a company ensure its survival in case of an incident, it has also become about complying with a growing body of regulations. This is particularly pertinent in the financial industry and for companies responsible for critical infrastructure.
Business continuity management typically comprises three parts:
- Business Impact Analysis (BIA): This identifies the critical business processes and associated requirements
- Business Continuity Plan (BCP): These are the measures identified for each scenario to ensure that each business process continues or resumes within its Recovery Time Objective (RTO)
- Testing of the various Business Continuity Plan scenarios
What Is a Business Continuity Plan?
There are many definitions on the Internet, which we can summarize as follows:
A business continuity plan is a set of actionable processes, instructions, and resources that prevent or react to different scenarios that can disrupt the business operations of a company.
What Needs to Be Part of a Business Continuity Plan?
First, you need to define a list and provide a description of the scenarios that can impact your business.
For each scenario the following information is required:
- Preventive measures to reduce the likelihood of the scenario occurring and, should it occur anyway, measures to reduce its impact
- Detailed description of how to react to the specific scenario; this includes alternative processes which can be used when certain resources are unavailable
- Detailed description of how to recover from such a scenario and return to business as usual, including both organizational and technical-level lines of action
Seven Key Success Factors to Implement an Efficient Business Continuity Plan
While this is not a cookie-cutter recipe for a business continuity plan, we have identified seven key success factors which can help you prepare.
Success Factor 1: Senior Management Buy-In
Buy-in by senior management is the fundamental requirement for a working business continuity plan.
Only then can the roles and responsibilities be assigned, and the appropriate priority given to business continuity management as a whole.
So, before you even get going, talk to senior management. Suggest/ask for broad direction and keep them updated. Ultimately, senior management also needs to approve business continuity plans. But for a successful outcome, they also need to feel ownership. Being part of the process will help develop this sense of responsibility and ownership.
Success Factor 2: Sound and Thorough Business Impact Analysis (BIA)
A thorough BIA is required as the basis for a business continuity plan, for the risk assessment, and the operational plans. This needs to be done in collaboration with the responsible business areas.
As a first step, the critical business processes need to be identified. As a second step, key information should be collected for all critical business processes. This includes Recovery Time Objectives (RTO), Recovery Point Objectives (RPO), relevant IT services, any special equipment, key staff, facilities or other single points of failure, dependencies on other processes, and the potential financial impact of an interruption.
As a third step, the results are validated, especially the RTO and RPO. This may include a cross-verification of RTO and RPO between different processes (a process cannot recover faster, or with less data loss, than the processes and services it depends on) and, most importantly, verification by senior management of the plausibility of the requirements.
Make sure that your BIA is kept up to date (updated on a yearly basis, at least).
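As an added illustration of the cross-verification step (example code, not part of the original post), the following Python sketch checks a constructed BIA inventory for processes whose declared RTO or RPO is tighter than what the services they depend on can deliver, and for non-redundant resources shared by several processes (single points of failure). All process names, services and hour values are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Item:
    """One row of the BIA: a business process, or an IT service/facility it needs."""
    name: str
    rto_h: float                      # Recovery Time Objective, in hours
    rpo_h: float                      # Recovery Point Objective, hours of tolerable data loss
    depends_on: list = field(default_factory=list)
    redundant: bool = True            # False = no failover in place for this item


def effective_rto(name, inv, seen=frozenset()):
    """Realistic recovery time: an item cannot be back before its slowest dependency."""
    if name in seen:
        raise ValueError(f"dependency cycle at {name}")
    item = inv[name]
    return max([item.rto_h] + [effective_rto(d, inv, seen | {name}) for d in item.depends_on])


def rto_conflicts(inv):
    """Processes whose declared RTO is tighter than what a dependency can deliver."""
    out = []
    for item in inv.values():
        for d in item.depends_on:
            dep_rto = effective_rto(d, inv)
            if dep_rto > item.rto_h:
                out.append((item.name, d, item.rto_h, dep_rto))
    return out


def rpo_conflicts(inv):
    """A process cannot promise less data loss than the services holding its data."""
    return [(i.name, d, i.rpo_h, inv[d].rpo_h)
            for i in inv.values() for d in i.depends_on if inv[d].rpo_h > i.rpo_h]


def single_points_of_failure(inv):
    """Non-redundant items used by more than one dependant: one failure, many outages."""
    users = {}
    for item in inv.values():
        for d in item.depends_on:
            users.setdefault(d, []).append(item.name)
    return {d: sorted(u) for d, u in users.items() if not inv[d].redundant and len(u) > 1}


# Constructed sample inventory (hypothetical names and values, not from any real BIA)
BIA = {
    "payments":     Item("payments",     rto_h=2,  rpo_h=0.5, depends_on=["core-banking", "dc-1"]),
    "core-banking": Item("core-banking", rto_h=4,  rpo_h=1,   depends_on=["dc-1"]),
    "payroll":      Item("payroll",      rto_h=48, rpo_h=24,  depends_on=["dc-1"]),
    "dc-1":         Item("dc-1",         rto_h=8,  rpo_h=0,   redundant=False),
}
```

Running the three checks over `BIA` shows that the 2-hour RTO for payments is unachievable while the data center needs 8 hours, and that `dc-1` is a single point of failure for every critical process.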
Success Factor 3: Avoid Business Continuity Incidents
An important part of any business continuity plan is the avoidance of incidents that lead to an outage or data loss, especially where RTOs and RPOs are low.
This can happen in several ways:
- Prevention of cyberattacks that impact the availability of systems and data: Such attacks include ransomware, DDoS attacks, website vandalism, or hacking that renders a system dysfunctional. Best-practice cybersecurity controls make such incidents less likely and quicker to recover from.
- Reduction of the likelihood that a single asset in the basic infrastructure fails: This can be achieved through careful planning (e.g., do not build a data center in an area that is regularly flooded) or careful selection of providers (e.g., Internet, electricity, or cloud services; check their track record of availability).
- Having redundancy in place: Another way to avoid business continuity incidents is (transparent) redundancy that removes single points of failure. This can be applied at all levels (e.g., data centers, power supplies, offices, ISPs, firewalls, or domain controllers).
Success Factor 4: Business Continuity Scenario: Think Out of the Box
When identifying potential scenarios that threaten business continuity, you also need to think outside the box. Ransomware and DDoS attacks have become common regardless of a company's business or political exposure; they need to be addressed.
But who would have thought four years ago that a pandemic would be the most significant disruptive force impacting business continuity for a period of three years and that its impact would go way beyond just the processes of individual companies?
It is therefore important to also think about other, perhaps less likely, scenarios that might have a big impact on a company. Note that the increased use of cloud services makes the environment more complex, so dependencies may be harder to identify.
Success Factor 5: Align with Crisis Management and Incident Response
For a business continuity plan to be comprehensive, it needs to interface with the crisis management organization of the enterprise (especially when authorities need to be involved or customers and the public are impacted).
If a cyberattack leads to a business continuity event, the technical security incident response team needs to be involved; in fact, it may well be the first internal team to identify the issue.
Success Factor 6: Evaluate Alternative Processes
While restoring the resources required for a business process is the most obvious approach, in various scenarios alternative processes can be used to perform a business process. These can be manual workarounds or simple set-ups like working from home or performing bank transactions via phone or at the counter instead of using e-banking.
It is important that these workarounds are also tested, and that staff are familiar with them. (See also Success Factor 7).
Success Factor 7: Regular Testing of Different Scenarios
Testing is important. You do not want to encounter a scenario in real life for which you have not performed a test.
The business continuity plans for the different scenarios you have identified must be tested regularly or, depending on the scenario, as part of regular business (penetration testing). There are several benefits from this:
- Both IT as well as end users become familiar with the scenario and can prepare accordingly (this can also be practiced with table-top exercises)
- The execution of the recovery processes can be optimized, and you can work out how quickly an incident can be detected. While a power outage is detected quickly, this might not be the case for a sophisticated hacking attack, where detection depends on having a good detection and response mechanism in place
- The impact of new or updated systems on the recovery process can be analyzed
In this context it is also important to participate, where possible, in any business continuity test of your critical providers, to understand and handle the impact on your business processes.
While business continuity plans are very specific to each company, the success factors for achieving good business continuity plans are the same.
There are several ways Kudelski Security can help support your BCM efforts.
- We can work with you to identify and articulate the position of senior leadership on risk and continuity with a view to getting their involvement and backing.
- We can work with you to identify your critical business processes and conduct the respective Business Impact Assessments (BIA) to evaluate the effects of an interruption to critical business and the resources required.
- We can help you to identify business continuity scenarios and define the plans to address them. This includes threat analysis and risk assessments.
- We can provide Managed Detection and Response (MDR) services to help you detect and act on cyberattacks as quickly as possible.