Is It Time To Implement A Business Continuity Plan?

Written by Tony McEvoy

The business world has seen organizations globally embracing business continuity over the last few decades. Particularly after seeing the effects of events such as 9/11 attacks, 2004’s disastrous Tsunami, numerous recessions, the recent COVID19 pandemic and the rise in cybercrime attacks, and how they have proven to impact businesses everywhere. The Pandemic especially threw countless new, small and medium-sized businesses into turmoil forcing many to think on their feet and restructure their organizations simply to stay in operation.

Staggeringly though, a recent study shows that 51% of businesses still don’t have a business continuity plan (BCP). A report by the Economic Times demonstrates the value of having this type of plan in place and that it is a proven method for businesses to recover from disaster. (Source: Mercer via Economic Times)
What is a Business Continuity Plan?

A business continuity plan is a document that outlines how an organization will continue operating during an unplanned disruption to its services. It is more comprehensive than a disaster recovery plan and should contain contingencies for business processes, technology, assets, human resources and business partners, every aspect of the business that might be affected.

The threat of business interruption such as cyber incidents, data breaches and danger to premises looms overall organizations. A significant event could cause irreparable damage and attract the attention of regulatory authorities and law enforcement. Therefore, all organizations need a BCP. It should contain a set of processes that helps organizations respond to any form of disruption including cyber-attacks, pandemics, evacuation of buildings, power outages and adverse weather.

Every organization should strongly consider the importance of having robust options in place to recover from a disaster. A BCP needs to be formulated from the executive board level with the support of key teams supplying the critical details and nature of resources and facilities. This would be to ensure that businesses can continue to function or recover quickly supporting and protecting their workforce as well as their customers.

An organization’s BCP should contain four phases:

  1. Initial response
  2. Relocation
  3. Recovery
  4. Restoration

1. Initial response
The first thing you must do after discovering a disruption to operations is to understand and contain the severity of the damage. What systems and locations are inaccessible? Has any sensitive information been compromised? How many people are affected?
Your BCP should list the actions that need to be taken in different scenarios including aligning the damage to all services with the appropriate Recovery Point Objective (RPO) and Recovery Time Objective (RTO) assigned to different applications and services.

2. Relocation
The next step is to move affected areas of your business out of harm’s way. For example, if your infrastructure is damaged, you need to move or utilize new equipment in another part of your office. The same is true for employees: if the normal workplaces are unavailable, will there be other offices for them to work from, or have you provision to allow the workforce to operate remotely?
As with the initial response, your BCP should include specific details based on each scenario. This will probably include things such as setting up temporary offices, asking employees to share desks or work from home.

3. Recovery
With the affected area of your organization isolated, it’s time to correct the problems. You can deal with some disruptions yourself, but there are times when you might need to bring in experts (as will be the case with cyber-attacks, fires, floods or disruptive weather events) to assist with the remediation.
On other occasions, the recovery process might be out of your hands. For example, an electrical outage will probably need to be dealt with by the local power provider, and when disruption is caused by extreme weather, you will simply have to wait for it to subside.

4. Restoration
Once the recovery process is nearing completion, your organization can return to some semblance of normality. Testing the recovery is the first key part, then staggering the return to the normal working environment whilst monitoring the findings.

The final part of this is to review the whole incident with a view to amending the BCP where appropriate to capture things that may benefit the organization in the future. The BCP needs to be regularly reviewed:

  • Which individuals are highlighted as accountable for the BCP?
  • How can you implement a BCP?
  • What do you need to consider at each step of the process?
  • How do you measure, monitor and review your plans?
  • What are the roles your staff will enact?
  • How frequently should you conduct a Business Impact Analysis (BIA) across your organizations and services?

A BCP should not be considered a technical document, rather an “umbrella policy” under which DR (Disaster Recovery) plans are built to meet the constraints of the BCP. The BCP should aim to identify and address resiliency synchronization between business processes, applications and IT infrastructure.

How CyberClan Can Assist Your Organization
CyberClan offers consulting services to help your organization build upon information technology and information security teams. Our vCISO services can cover reviewing existing security frameworks, to designing and implementing network security architecture and evaluating scheduled vulnerability assessment and penetration testing etc. This can also include assisting with creating a robust Business Continuity Plan to help mitigate risk and ensure your organization is prepared should an external factor threaten to derail your business.

For more information on how we can help, take a look here:

Knowledge Base

Digital Forensics, AKA eDiscovery, in a Cyber Security Context

Written by Thibault Dambrine and Laura Smith  Introduction When a cyber breach occurs, it is almost always accompanied by data...

Read More +

Incidentally Informed – Cyber coverage and incident response

During our webinar we discussed “cyber coverage and incident response”. Our Panelists Mikel Pearce – General ...

Read More +

Incidentally informed – compliance issues in ransomware claims and the pitfalls

During our webinar we discussed “compliance issues in ransomware claims and the pitfalls”. Our Panelists Mikel Pear...

Read More +
CyberClan CyberClan CyberClan CyberClan