In our blog, Mind the Gap, we explored the difference between compliance and cyber resiliency, showing that compliance only solves for a subset of risk management while reasonable cyber resiliency represents the point where investment in cybersecurity mitigations delivers the optimum amount of risk management for an organization. Furthermore, we pointed out that critical infrastructure sectors that lack regulatory guidelines are frequently in a more dire position when it comes to cyber resiliency.

Risk is a constant, no matter the business. But if there is one business lesson that all organizations should take away from the COVID-19 pandemic, it’s that the unexpected can happen at any moment. Good business leaders continuously evaluate the risks that can disrupt normal operations. And while we can presumably expect the unexpected, it is nearly impossible to detect and prevent every risk from becoming a reality. That’s because in some cases, such as the COVID-19 pandemic, even the most effective risk reduction plan would still be insufficient to prevent negative impacts on your business. When such risks come into play, businesses must have a solid business continuity plan at the ready.

Business continuity plans are instructions to be followed when normal operations are no longer possible — like we’ve seen when government authorities issue stay-at-home orders to prevent the continued spread of a highly contagious virus. The last thing that a business wants to be doing during an emergency is figuring out what is required to keep the business functioning, at least at a reduced capacity. A well-crafted business continuity plan is the product of analysis and careful consideration done when time is not of the essence and can keep things running during and after a number of scenarios.

Where to Start

A solid business continuity plan begins with a business impact analysis. This analysis, simply put, identifies which business processes are the most critical to keeping the lights on. Each process requires access to one or more inputs or supporting services such as raw materials, technology, data, etc. Once a business assesses what processes are most critical, then it must identify the required inputs and supporting services to develop a plan for how to access those same processes from a secondary location.

Critical services may not always be obvious needs during times of normalcy. We often take many things for granted because they operate seamlessly in the background without much thought or concern.

Now, for example, with so many people being required to work from home, internet service providers are seeing massive increases in bandwidth consumption that can — if it has not already — cause disruption to business operations. For those who live in rural areas and utilize nonterrestrial internet connections through satellite or cellular networks, conducting video conferences can prove difficult during peak usage periods. Businesses must determine how dependent operations are on face-to-face or real-time communication. This will allow them to understand the impacts that working remotely will have on operations.

All businesses use data that is stored on local drives, in data centers, in cloud environments or some mixture of all three. A business must know what data is necessary for operating on a daily, weekly and quarterly basis, and then figure out how to access that data if it cannot be reached from the normal place of business. Leveraging a backup and recovery strategy powered by cloud services is highly recommended, and there are several affordable options to make this happen. Understanding how the business will function without access to client relationship management data, production run information or quarterly financials, for example, will go a long way in determining a plan for information access.

Never Neglect Security

A foundational principle to any business continuity plan must focus on how to effectively continue operations in a safe and secure manner. The safety of an organization’s people — and seeing that they are able to perform their work free from the threat of physical harm — is imperative.

But security — and cybersecurity, in particular — presents an even bigger risk when employees begin working from various locations. Companies that have invested in an information security program are already protecting sensitive data under normal working conditions. A business continuity plan should also account for how an organization will protect its data when operating during an emergency. With good planning and a flexible architecture, a single data protection program can support both operating models, which will reduce the strain of additional changes.

Organizations that traditionally operate in a single location and do not have much need for a remote workforce will struggle with such a massive shift if proper planning has not been done to accommodate such a change. Even if the change is only effective for a few weeks, it is important to understand how to protect remote personnel from online threats. During the COVID-19 epidemic, for example, researchers have found a massive spike in phishing and malware attacks targeting remote workers. Poor planning will put them and the businesses they work for at undue risk.

Early Planning Yields Positive Results

The sooner a company starts building its business continuity plan, the sooner it can begin testing it to find any possible holes. A solid plan will help a business weather the transition to temporary operating conditions and then the move back to a normal state. Without a plan, businesses will be left to solve for complex issues on the fly while competing with others for necessary resources. Planning today helps to build an effective, succinct business continuity plan for tomorrow, yielding positive results in both the short and long term.


By Kevin Fuller

Kevin Fuller is managing director for security and risk consulting at 1898 & Co., part of Burns & McDonnell. He has more than 20 years of experience in developing and implementing security strategies and providing physical and cybersecurity solutions across multiple industries and markets. He has a Bachelor of Science in business administration from Truman State University and a Master of Science in information management from Washington University in St. Louis, as well as a Master’s Certification in information assurance from the University of Maryland.