Gary Criddle, Principal Cyber Risk and Resilience Consultant, Sungard AS, shares 6 business continuity strategy planning mistakes to avoid.
Any organisation that is unprepared when disaster strikes can face significant downtime, data loss and employee displacement, each of which can seriously threaten the viability of the business. Planning for these scenarios helps companies identify the risks they face and take the relevant steps to mitigate them.
Business Continuity (BC) supports the strategic objectives of an organisation by identifying its priorities and proactively building the capability to continue activities that support those priorities in the event of a disruption. It is an ongoing process of continuous improvement that reflects the internal and external operating environment.
If implemented and maintained correctly, rather than treated as a tick-box compliance exercise or a rainy-day insurance policy, BC becomes something that delivers measurable day-to-day value to an organisation.
In recent years there has been a significant increase in the number of high-profile cyber-attacks on UK businesses. To highlight this increase in prevalence, a survey by Beaming found that cyber-attacks on UK businesses increased by 243 per cent in the summer of 2019, compared with the same period in 2018.
Whether it is the 2017 WannaCry attack, which the Department of Health and Social Care later estimated cost the NHS £92m, or the more recent ransomware attack on Travelex, which forced staff to fall back to pen and paper, the detrimental impacts are evident.
Creating a BC programme is only half the battle, though: there are certain things organisations should avoid so that their plans are not rendered ineffective.
Focusing on the wrong risks
Don't fall into the trap of concentrating on a narrow set of risks, or on the wrong risks altogether. A disaster recovery plan needs to be broad, covering the full range of plausible disruptions (loss of premises, loss of IT, loss of people, loss of key suppliers, and cyber-attack) rather than a handful of headline threats, and identifying as many vulnerabilities as possible. The more scenarios identified, the more areas for improvement a company is likely to discover, and the more time it has to fix them before a real event exposes them.
Failing to update plans regularly
If an organisation already has a plan in place it is ahead of the game, but the plan still needs to be reviewed and maintained on a regular basis. Technology is constantly changing, and ransomware and malware attacks are increasing, almost doubling in 2019. An out-of-date plan, one that references retired systems, departed staff or contact details that no longer work, might leave a company unable to recover effectively in the event of an attack.
Not testing plans
As well as keeping the plan up to date, it is important to practise implementing it with the relevant staff through frequent crisis-management exercises. Exercising regularly throughout the year allows a business to see whether the BC programme works and where there are weaknesses that need modification.
Threats change and evolve, becoming more sophisticated every year, so testing the plan often helps close the gap between how resilient an organisation believes it is and how resilient it actually proves to be. Testing is also invaluable in keeping staff informed on how to deal with a wide range of disruptions: recent research found that 78 per cent of companies face unplanned disruption and risks to critical applications.
Not backing up
In an emergency, organisations may be entirely reliant on backup data, which should be stored at a separate secure location and isolated from the production network so that an attacker who compromises the live systems cannot also encrypt or delete the backups. This practice is a frontline weapon in mitigating cyber-attacks and should form a central pillar of any BC programme.
Assess which applications are critical to the business's function and dedicate separate effort to ensuring they are updated, backed up and recoverable in the event of disruption. If backups do not happen regularly, a company could find that its data is useless because it is out of date; backup frequency should be driven by how much data each application can afford to lose. Keep backed-up data secure, monitor backup jobs for failures, and periodically restore from backup to prove that recovery actually works, since a backup that has never been restored is an untested assumption.
Overlooking staff training
Failing to include staff in regular continuity training and plan exercises leaves a company vulnerable no matter how comprehensive its BC plan is. Staff need to know what to do in an emergency, whether it is a natural disaster or a major data breach, and poorly trained staff can make a bad situation worse. A successful continuity strategy is communicated to all company staff to the degree relevant to their role, with new training provided on a scheduled or as-needed basis.
Not identifying key systems
When creating a BC strategy it is tempting to treat every application as critical and therefore to spread resources evenly rather than tiering them. Part of BC planning is addressing resilience through business impact analysis (BIA), which maps which systems are critical to continued operation, how quickly each must be recovered and how much data loss each can tolerate, and which should therefore be prioritised for risk management and budget allocation.
This is an instance of working smarter, not harder: it ensures that key systems are effectively protected and can be swiftly recovered following disruption to restore normal business function.
Implementing and maintaining business continuity to cope with cyber-attacks or other disasters within an organisation is no easy task. While the theory is reasonably straightforward, the practice is frequently beset by conflicting priorities and agendas, as well as resource and time constraints.
Even the single question of whether or not to pay a ransomware demand is highly complex: it tests a company's moral position, its ability to bear the potentially high cost of recovering data and systems, and its appetite for the risk that payment buys nothing, since there is no guarantee the attackers will supply a working decryption key or delete any data they have stolen. This is a conversation a business must have before ransomware hits, not during the incident.
Managing disaster recovery and BC programmes today means achieving effective continuity capabilities in line with corporate policy, regulatory requirements and industry good practice, and doing so efficiently.