Business continuity is like water. It is critical to successfully function, yet it is something we take for granted most of the time. But when it’s unavailable, our dependencies surface and the impacts are crippling. Two serious business continuity planning and disaster recovery threats that businesses face are cyberattacks and data breaches. As a result, smart companies dedicate resources, time and talent to strategic planning and redundancy measures to avoid disruptions.
Since cyberattacks and data breaches don’t look as if they will slow down any time soon, they should be two of the most important threats to address when undertaking business continuity planning and disaster recovery strategy development. Here are a few things to include in a strong business continuity plan:
Business Continuity Planning and Disaster Recovery Tips
Ensure IT is Represented on the Business Continuity Planning and Disaster Recovery Team
Business continuity management is typically owned by Governance, Risk, and Compliance, which may lack proper input from, or representation by, the IT security team or CISO. Furthermore, treating cybersecurity as a business continuity concern is still a relatively new practice. Therefore, it is critical that business continuity leadership committees include IT security to help formulate strategies for cybersecurity threats and risks. Because the security team understands the current state of organizational cybersecurity protections and the associated risks, its representatives should naturally take part in developing and overseeing the business continuity planning and disaster recovery strategy. Organizations that include cybersecurity in their business continuity planning create a more holistic security posture that benefits the entire organization and ensures it will be better prepared for incident response and recovery.
Integrate Key Cyber-Risk Management Variables Into the Planning Process
Business Impact Analysis
Business Impact Analysis (BIA) is integral to the cyber-risk management process. Known cybersecurity threats and associated risks should factor into analysis ratings for typical components, such as maximum outages and impact levels for identified critical business processes and assets.
Additionally, cybersecurity threats and risks should factor into impact categories. For example, a typical category is revenue loss. If malware or ransomware were to hit your organization and disrupt income streams by crippling information systems, what recovery times are allowable? What share of the revenue loss would that downed system or systems account for? What redundancy and failover measures should be deployed? Other impact categories, such as brand/reputation, customer service, legal/regulatory requirements, penalties/sanctions, and operating expense increases, should also factor in cybersecurity threats and associated risks.
Supply Chain Continuity
This is one aspect that can get easily overlooked. Organizations should have a proactive plan to deal with supply chain disruption caused by cybersecurity events. Supply chains often are a web of internal and external business process interdependencies with key suppliers in scope. Therefore, business continuity planning and disaster recovery strategies should consider the impact of cybersecurity threats and risks throughout the supply chain. This may mean that extra resources need to be devoted to managing and monitoring supplier continuity risks from cybersecurity threats. This in turn may influence what the business sees as tolerable risks for identified cybersecurity threats. This can drive investments in people, processes, tools, and systems to achieve continuity of business internally, as well as necessitate additional cybersecurity requirements for supply chain partners.
Define a Backups/Redundancy Plan that Minimizes Downtime
Whether your environment is fully in the cloud, hybrid, or on-prem, a clear and detailed backup plan for your organization’s critical data, applications, and systems is essential to a cybersecurity-minded BCP, and it should be driven by the cybersecurity threats and risks you have identified. For example, the risk of ransomware encryption may drive a decision to keep cloud-hosted redundancy for certain critical data and systems that is quickly accessible and scalable, so the business can continue seamlessly. Other considerations are the frequency of incremental and full backups, whether to encrypt backups, retention periods, and how often backups are tested.
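The backup considerations above (backup frequency, encryption, retention, and restore testing) only help if someone checks that the backups actually meet the plan. The script below is an added example written for this article, not code from the article or its authors: it audits a backup inventory export against a per-system policy derived from the BIA and reports every gap. The policy thresholds, inventory records, field names, and the fixed "current time" are all constructed for illustration; real backup tools export different schemas. It also goes one step beyond the text by requiring an isolated (offline or immutable) copy, since ransomware that reaches online backup targets encrypts them too.

```python
"""Backup-plan compliance check, added as an illustration (not from the original
article). The policy thresholds, inventory records and field names below are
constructed; real backup tools export different schemas."""
from datetime import datetime, timedelta, timezone

# Constructed policy: one entry per critical system, with thresholds the BIA
# would produce (hypothetical values). rpo_hours bounds how old the newest
# backup may be; the other keys map to the considerations in the text.
POLICY = {
    "crm-db":     {"rpo_hours": 4,  "full_every_days": 7, "retention_days": 90,
                   "encrypted": True, "isolated_copy": True, "restore_test_days": 30},
    "file-share": {"rpo_hours": 24, "full_every_days": 7, "retention_days": 60,
                   "encrypted": True, "isolated_copy": True, "restore_test_days": 90},
    "payroll":    {"rpo_hours": 24, "full_every_days": 7, "retention_days": 365,
                   "encrypted": True, "isolated_copy": True, "restore_test_days": 90},
}

# Constructed inventory export (what the backup system reports). Timestamps are UTC.
INVENTORY = [
    {"system": "crm-db", "last_backup": "2024-03-10T02:00:00Z",
     "last_full": "2024-03-09T00:00:00Z", "encrypted": True, "isolated_copy": True,
     "retention_days": 90, "last_restore_test": "2024-02-20T00:00:00Z"},
    {"system": "file-share", "last_backup": "2024-03-07T01:00:00Z",
     "last_full": "2024-03-07T01:00:00Z", "encrypted": False, "isolated_copy": False,
     "retention_days": 60, "last_restore_test": None},
]

# Fixed "current time" so the example is reproducible offline (constructed).
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)


def _ts(value):
    """Parse the export's ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit(inventory, policy, now=NOW):
    """Return {system: [finding, ...]}. An empty list means the system complies."""
    findings = {}
    for rec in inventory:
        name = rec["system"]
        pol = policy.get(name)
        if pol is None:
            findings[name] = ["backed up but no policy defined (is it in the BIA?)"]
            continue
        issues = []
        age = now - _ts(rec["last_backup"])
        if age > timedelta(hours=pol["rpo_hours"]):
            hours = age.total_seconds() / 3600
            issues.append(f"RPO exceeded: newest backup is {hours:.0f}h old, limit {pol['rpo_hours']}h")
        if now - _ts(rec["last_full"]) > timedelta(days=pol["full_every_days"]):
            issues.append("full backup overdue")
        if pol["encrypted"] and not rec["encrypted"]:
            issues.append("backup not encrypted")
        # Ransomware that reaches online backup targets encrypts them too, so the
        # policy requires a copy the production network cannot write to.
        if pol["isolated_copy"] and not rec["isolated_copy"]:
            issues.append("no isolated (offline/immutable) copy")
        if rec["retention_days"] < pol["retention_days"]:
            issues.append(f"retention {rec['retention_days']}d below policy {pol['retention_days']}d")
        if rec["last_restore_test"] is None:
            issues.append("restore never tested")
        elif now - _ts(rec["last_restore_test"]) > timedelta(days=pol["restore_test_days"]):
            issues.append("restore test overdue")
        findings[name] = issues
    # A system that is in the policy but absent from the export is the worst
    # case: it has no backup at all.
    for name in policy:
        findings.setdefault(name, ["no backups found in inventory"])
    return findings


def is_compliant(findings):
    """True only when every system in the audit result has no findings."""
    return all(not issues for issues in findings.values())


if __name__ == "__main__":
    for system, issues in audit(INVENTORY, POLICY).items():
        print(system, "OK" if not issues else "; ".join(issues))
```

Run as a scheduled job against the real export, the output doubles as evidence for the business continuity committee that the backup plan is being met, and the "no backups found in inventory" case is the one that most often surprises organizations that assumed a system was covered.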
Create a Cybersecurity Crisis Communication Plan
Planning for cybersecurity crisis communication differs slightly from the communications required after a business disruption such as a power outage. A cyberattack attracts far more media attention, subjecting your organization and its stakeholders to higher risks of reputational damage. It is often a pressure cooker when senior management, legal, and the press all want answers that you may or may not be able to provide (and some answers that you should not provide). A solid crisis communication strategy will help ensure the right amount of information is shared at the right time with the right people. Here are a few things to consider during the business continuity planning and disaster recovery strategy development process:
- Internal Communication. Designate an Internal Communication Lead or give that role and responsibility to existing leadership, such as an Incident Response Manager. Ensure the entire organization knows who this person is and defers to them in a crisis situation. Identify other internal stakeholders who will need to be kept informed, and ensure they are aware of the importance of maintaining confidentiality and controlling the dissemination of information. Internal communications should have a designated “SWAT” team to control escalation and determine if the cyberattack is an incident or a crisis.
- External Communication. Designate a public relations official, and include all pertinent external contact information in the plan. The ability to quickly contact local authorities, television/radio stations, and city officials can help mitigate negative publicity. Do it right, and you’ll see potential brand bashing turn into public praise.
- Legal Counsel. Ensure legal counsel is involved so all notification obligations for regulatory compliance are covered.
There is much to consider when thinking about how cybersecurity impacts business continuity planning and disaster recovery strategies. Proactively incorporating these key points will go a long way toward minimizing the damage and speeding recovery. Lastly, if you haven’t developed a solid business continuity plan, do not wait any longer. Build it with cybersecurity threats and risks in mind. If you already have a business continuity plan, take the time to review it and make the necessary edits to ensure cybersecurity threats and risks are addressed. With incident response costs and ransomware payments that can reach well over $500K, you can’t afford to ignore cybersecurity in your business continuity plan.
Contact us if you need help with business continuity planning and disaster recovery strategies. Our experienced advisory and compliance services team can help.