Building cybersecurity into your business continuity plan

In the digital era, customers have little patience for delay and downtime could easily turn them on to a competitor that’s waiting in the wings. With the large-scale ransomware attacks that crippled critical infrastructure facilities in the United States last year drawing attention to the inextricable link between cybersecurity resilience and service availability, it follows logically that companies must now integrate cybersecurity in business continuity planning.

Business continuity from a technology perspective

Some risks aren’t always addressed and one that can easily be put to one side is setting up and then managing a strong business continuity policy and framework. This will cover a lot of ground such as what to do if the phone lines go down, if the supply chain suddenly breaks, or if your IT network falls victim to an external cyber-attack such as a ransomware threat, or an internal issue such as sabotage from an employee.

Getting a plan together for such eventualities involves almost no risk, just an investment of time and will inevitably deliver a high reward. When it comes to the cybersecurity aspect of business continuity planning, why wouldn’t a business want to take advantage, particularly with the threat landscape so concerning. We only have to look at the continuing rise of ransomware, which Sophos has noted in its ‘The State of Ransomware 2021’ report was responsible for 79% of its rapid response engagements in 2020/21, for evidence of the scale of the threat.

It may be that some businesses don’t address the problem because they see it as too difficult. They just don’t know where to start. But in reality, developing a business continuity framework or plan is a matter of working through a series of processes, gathering information and making sure that you have covered all the bases. With a framework in place, the task is then one of regular revision and review.

Setting out a business continuity plan

The first steps in setting out a cyber-related business continuity plan revolve around understanding what it should include – and that’s every single aspect of technology that’s used within the business. A key part of the plan is an inventory of every element of your technology setup. All the IT equipment including hardware like laptops and phones and all the software including both cloud-based and in-house.

Don’t just list items, but make sure you know the suppliers, the service level agreements (SLAs) and any arrangements for alternative provision due to outages. If there are no arrangements for such provision, ask why not and if you think such arrangements should exist, put them in place.

Make sure that all the contact information needed to invoke any special measures is recorded and can be accessed if the computer system goes down. Imagine how frustrating it will be to know the information you need is recorded but it is not reachable.

Even with every ‘t’ crossed and every ‘I’ dotted in a business continuity plan, the worst might still happen and ‘business as usual’ could be a few days away, or even longer. So the plan should include some practical measures for keeping going in this kind of situation. What are your absolutely critical services and how can you continue to provide these. If some processes can revert to paper systems do you have this set up in such a way that people can start using them immediately?

The disaster recovery process

Knowing what you have, who is responsible for it, how to retrieve those elements which are retrievable and which systems you can run on a temporary basis to get you by is central to a strong business continuity plan.

Inevitably for many businesses, a central pillar of getting up and running post-crisis will be recovering IT services and systems. So central to the business continuity plan should be a highly competent disaster recovery process. You might need to require the ability to recover to a different site in the event that your main premises are inaccessible.

You might need an incremental recovery system which brings critical systems and data on stream first and ancillary ones later. You will certainly need assurances from your provider that disaster recover can bring systems back on line as fast as possible and that any malware which can facilitate ransomware and other cyber-attacks isn’t simply restored with everything else.

Keeping it fit for purpose

The great challenge with business continuity planning isn’t actually doing the planning and getting the right processes in place. Yes, it takes time and requires resources, but the procedures and processes required are well documented and there is professional help available from specialist external organisations.

The challenge for CIOs and others responsible for business continuity planning is that such plans are often only tested when they are needed. By then, if there are faults, it is too late to put them right. There are two ways to address this issue. The first is to set a rule that every time a new piece of technology is added, or any changes or upgrades take place, the business continuity plan is revisited so that both internal procedures and any SLA commitments can be checked. In addition, regular complete reviews should be built into the board’s general review schedule.

The second way of ensuring a business continuity plan is fit for purpose is to do dry runs. Paper exercises are one thing, but trying a plan out for real is something else. How to manage these, particularly in terms of critical technology infrastructure and disaster recovery is something your technology vendors and resellers can help you with. Some will be better prepared than others and some will have ready-made recovery plans and runbooks showing best-in-class ways you can adopt to enhance continuity in your business.

Once the organisation completes a test, it should review how it went and update the plan accordingly. It’s likely that some parts of the plan will go well but other actions will require more work. A regular schedule for testing is helpful, especially if the business changes its operations, vendors and staff frequently. Comprehensive business continuity undergoes continual testing, review and updating.

Inevitably, business continuity planning creates additional workload. But it is an important workload. A solid business continuity plan can help your firm continue with business as usual in the face of challenges and feel confident that the challenges will be dealt with in the shortest time possible. Business continuity planning in itself does not require any risk-taking. But it can deliver very high reward.

By: Gregg Petersen, Regional Director – MEA at Cohesity

For more information, visit: www.cohesity.com