The real value of a Business Continuity Plan!
When a company is compromised by a cyber-attack, recovery time is front of mind: the longer it takes to get back up and running, the bigger the impact on the business.
Even with a robust cybersecurity strategy in place, organisations need to plan for the worst to minimise downtime in case of a cyber event. At that moment, knowing your critical assets and having a Business Continuity Plan (BCP) ready can save your business.
An interesting read for Business Continuity Managers, CISOs, IT & management.
How can you build a strong cyber security posture?
When considering your cybersecurity, you need a holistic approach.
Your first thought should be to anticipate attacks through assessments, audits and offensive methods such as penetration testing or phishing simulation tests. By anticipating threats, you have the chance to find and fix your vulnerabilities before a hacker can exploit them.
Then you need to include prevention and protection measures in your plan to stop threats from getting through. Thanks to an appropriate and efficient security governance structure across your entire organisation, you improve your resistance against cyber-attacks.
However, zero risk doesn't exist! So it is in your best interest to include detection & response solutions to ensure you quickly detect vulnerabilities and respond effectively in case of a confirmed attack, to limit the damage.
At this point, having insurance cover in place and deploying your business continuity plan are crucial. That is why recovery should be an integral part of your strategy.
Because once your business is compromised, your only priority will be to fully restore your critical operations as quickly as possible, without excessive cost. That is why you need a tried and tested plan to prepare for this eventuality.
How can I minimise my organisation's downtime after a cyber incident?
The most efficient way is to identify your crown jewels: the assets & resources you need to carry out critical processes or to restart them in times of crisis. This can be hardware or software but also information and data. The crown jewels are the assets needed to restart your business and their recovery time needs to be optimised. They are also at the heart of your cybersecurity strategy which should be built around protecting them.
The difficulty is defining what they are. Every department will have resources they believe are essential. The trick is to narrow it down to what is vital! One of the best methods to pinpoint what is truly important is to do a Business Impact Analysis.
What is a Business Impact Analysis (BIA)?
The BIA is one of the first phases of the development of your Business Continuity Plan (BCP) and is a great exercise to get a better understanding of your organisation, the key processes and all of the resources necessary to support them. It is during this phase that you decide what processes and supporting assets are critical. This is achieved by analysing the needs of the business together with your department heads.
When deciding what is vital to your business, it is important to consider not only the critical processes but also the resources that support them. An asset could be considered non-essential on its own yet be key to restarting a critical process. It should therefore also be considered as one of your crown jewels.
During this process, you also need to do a risk assessment including the identification of your Single Points of Failure (SPoF) and your Single Points of Knowledge (SPoK).
- SPoFs are resources that could stop the entire system from working if they fail. These non-redundant elements can disrupt your entire business.
- SPoKs are related to your human assets. Knowledge & expertise are vital in times of crisis, yet they are not always available when needed.
You should resolve these issues swiftly to avoid financial and business impact in the case of a cyber-attack.
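The reasoning in this section (crown jewels are whatever a critical process transitively depends on, a SPoF is a crown jewel with no redundancy, a SPoK is a required skill held by one person) can be made mechanical once the BIA inventory is written down. The following Python is an added illustration, not code from the original article; the processes, assets, redundancy counts and people are a constructed, hypothetical inventory used only to show the method.

```python
"""Added example: derive crown jewels, Single Points of Failure (SPoF) and
Single Points of Knowledge (SPoK) from a BIA-style dependency inventory.
All names below are constructed for illustration (hypothetical organisation)."""
from collections import deque

# process -> (is_critical, assets the process directly needs)
PROCESSES = {
    "order-intake": (True, ["web-shop", "crm"]),
    "invoicing": (True, ["erp"]),
    "marketing-newsletter": (False, ["mailing-tool"]),
}
# asset -> assets it depends on (hardware, software, information/data)
ASSET_DEPS = {
    "web-shop": ["db-cluster", "auth-service"],
    "crm": ["db-cluster", "customer-data"],
    "erp": ["erp-db", "customer-data"],
    "mailing-tool": ["customer-data"],
    "db-cluster": [], "auth-service": [], "customer-data": [], "erp-db": [],
}
# asset -> number of independent instances (1 means no redundancy at all)
REDUNDANCY = {
    "web-shop": 2, "crm": 1, "erp": 1, "mailing-tool": 1,
    "db-cluster": 3, "auth-service": 1, "customer-data": 2, "erp-db": 1,
}
# skill -> people who hold it, and the skills needed to restore each asset
SKILL_HOLDERS = {
    "erp-restore": ["alice"],
    "db-admin": ["bob", "carol"],
    "web-deploy": ["dave", "erin"],
}
ASSET_SKILLS = {
    "erp": ["erp-restore"], "erp-db": ["db-admin"],
    "db-cluster": ["db-admin"], "web-shop": ["web-deploy"],
}


def crown_jewels(processes=PROCESSES, deps=ASSET_DEPS):
    """Every asset transitively required by at least one critical process.
    Breadth-first walk over the dependency graph; an asset no process names
    directly (e.g. auth-service) still ends up here if a critical path needs it."""
    needed = set()
    queue = deque(a for crit, assets in processes.values() if crit for a in assets)
    while queue:
        asset = queue.popleft()
        if asset in needed:
            continue
        needed.add(asset)
        queue.extend(deps.get(asset, []))
    return needed


def single_points_of_failure(jewels, redundancy=REDUNDANCY):
    """Crown jewels with fewer than two independent instances."""
    return sorted(a for a in jewels if redundancy.get(a, 1) < 2)


def single_points_of_knowledge(jewels, asset_skills=ASSET_SKILLS, holders=SKILL_HOLDERS):
    """Skills needed to restore a crown jewel that only one person holds."""
    skills = {s for a in jewels for s in asset_skills.get(a, [])}
    return sorted(s for s in skills if len(holders.get(s, [])) < 2)


if __name__ == "__main__":
    jewels = crown_jewels()
    print("crown jewels:", sorted(jewels))
    print("SPoF:", single_points_of_failure(jewels))
    print("SPoK:", single_points_of_knowledge(jewels))
```

Running it shows why the BIA has to look past what each department lists: `auth-service` is named by no process at all, yet it is a crown jewel and a SPoF because `order-intake` cannot restart without it, while `mailing-tool` is excluded even though it touches the same customer data. The SPoK list points at the one restore skill a single person holds, which is the kind of gap to close before an incident rather than during one.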
You have identified your critical assets, now what?
With a strong cyber security strategy in place and your crucial assets defined, you also need to determine both your RTO and RPO.
- RTO or Recovery Time Objective is defined as the maximum amount of time within which operations must be restored after a disaster. Your RTO is the threshold after which time your business will suffer serious damage.
- RPO or Recovery Point Objective is the tolerated quantity of data loss after a disruption. In other words, you need to determine the maximum amount of data loss that can occur before causing significant harm to your business.
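Once RTO and RPO are numbers, a plan can be checked against them before an incident rather than after. The Python below is an added example, not part of the original article: it measures the data-loss window against the RPO and the restore critical path against the RTO. The backup timestamps, restore steps and durations are constructed values for a hypothetical "invoicing" process. It also handles a case that matters after a cyber-attack rather than a disk failure: a backup taken after the intrusion began cannot be trusted, so the RPO must be measured from the last intact copy, not the most recent one.

```python
"""Added example: check a recovery plan against RTO and RPO.
All timestamps, steps and durations are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    taken_at: datetime
    intact: bool  # False if the copy was reachable by the attacker and cannot be trusted


@dataclass(frozen=True)
class RestoreStep:
    name: str
    duration: timedelta
    depends_on: tuple = ()  # names of steps that must finish before this one starts


def last_good_backup(backups, incident_at):
    """Latest intact backup taken before the incident, or None if there is none."""
    candidates = [b for b in backups if b.intact and b.taken_at <= incident_at]
    return max(candidates, key=lambda b: b.taken_at, default=None)


def data_loss(backups, incident_at):
    """Data-loss window the RPO is compared against (None: nothing restorable)."""
    good = last_good_backup(backups, incident_at)
    return None if good is None else incident_at - good.taken_at


def restore_duration(steps):
    """Critical-path length: independent steps run in parallel, dependent ones
    in sequence. Steps must be listed after the steps they depend on."""
    finish = {}
    for step in steps:
        start = max((finish[d] for d in step.depends_on), default=timedelta(0))
        finish[step.name] = start + step.duration
    return max(finish.values(), default=timedelta(0))


def evaluate(rto, rpo, backups, steps, incident_at):
    """Summarise whether the plan meets both objectives for one process."""
    loss = data_loss(backups, incident_at)
    restore = restore_duration(steps)
    return {
        "data_loss": loss,
        "rpo_met": loss is not None and loss <= rpo,
        "restore_time": restore,
        "rto_met": restore <= rto,
    }


# Constructed scenario: intrusion at 10:30; the 10:00 backup was taken after
# the attacker already had access, so only the 08:00 copy can be relied on.
INCIDENT = datetime(2024, 3, 4, 10, 30)
BACKUPS = [
    Backup(datetime(2024, 3, 3, 22, 0), intact=True),
    Backup(datetime(2024, 3, 4, 8, 0), intact=True),
    Backup(datetime(2024, 3, 4, 10, 0), intact=False),
]
STEPS = [
    RestoreStep("erp-db", timedelta(hours=3)),
    RestoreStep("customer-data", timedelta(hours=1)),
    RestoreStep("erp", timedelta(hours=2), ("erp-db", "customer-data")),
]
INVOICING_RTO = timedelta(hours=8)
INVOICING_RPO = timedelta(hours=1)

if __name__ == "__main__":
    print(evaluate(INVOICING_RTO, INVOICING_RPO, BACKUPS, STEPS, INCIDENT))
```

In this scenario the restore finishes in 5 hours (database and data in parallel, then the application), inside the 8-hour RTO, but the data-loss window is 2.5 hours against a 1-hour RPO: the plan fails not because backups are too infrequent on paper, but because the most recent one is unusable. That is the gap a BCP test with a realistic attack scenario is meant to surface.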
With both RTO and RPO defined, you can now prepare your Business Continuity Plan. Your BCP should provide you with contingencies to keep your operations running after a business disruption (planned or unplanned). It will tell you exactly who needs to do what and when to get things back up and running as soon as possible.
Once you have created your BCP, you need to put it to the test with real life scenarios. Regular testing ensures your teams are ready and prepared for the real thing.
“As we say in cybersecurity, plan for the worst and test for the rest.”