I was recently asked to speak to a group of local businesses on the topic of Business Continuity and thought I might share some of my observations and thoughts. The first is how many people, security professionals included, share misconceptions about the fundamentals of Business Continuity, usually confusing it with Disaster Recovery or something else.
Business Continuity can be defined as the ability of an organization to maintain its operations and services in the face of a disruptive event (Ciampa, 2009). Ciampa goes on to discuss the breadth and depth of these kinds of disruptions, including power outages and hurricanes (Ciampa, 2009). Anything that disrupts the day-to-day operations of a company can be classified as a business continuity issue.
One of the misconceptions that company CXOs as well as some Security Professionals hold is that Business Continuity means keeping offsite backups in the event a critical server fails. While vital and certainly disruptive, these are in fact issues that fall more under the heading of disaster recovery.
Business Continuity does mean being prepared for things like the following:
- Disgruntled employees (either still employed or recently discharged) and the havoc they can wreak on a worksite. This is particularly true if that employee worked in IT and had access to critical data or applications.
- Natural disasters such as fires, tornadoes, floods, and even simple things such as a roof leak. Any or all of these can have a dramatic effect on business operations if no plan has been prepared. You’d be surprised how many companies have NO plan for dealing with natural disasters, such as who-to-call phone lists, employee rosters to be able to provide to law enforcement in the event they are needed for victim location, etc.
- Providing some sort of appropriate plan for redundancy. One common example: if you lost internet connectivity because of a cut service line, do you have a backup plan in place to keep the business running? If a fire were to damage but not destroy your facility, do you have somewhere you could relocate to temporarily so that you could keep the business running? Do you have spare hardware for those times when some critical piece of gear fails? During the Katrina disaster in Louisiana, the state was able to recover almost all of their servers and workstations, but the keyboards and mice were destroyed. And there was no place to obtain new hardware, so their perfectly good machines were useless.
- Have you identified your vulnerable spots? Have you reviewed your insurance coverage lately to see if you have adequate coverage? We all like to put off things like this until forced to do so but some assets depreciate over time while others become more valuable. It’s a good idea to review your coverage annually. Do you have a succession plan in place in the event something happens to yourself or other key employees?
- Are you educating your employees on good security procedures? Do you have monthly, quarterly, or annual meetings to go over company security policies? Are your security policies well defined?
- Are you keeping an eye on any companies with whom you outsource? Is their staff trustworthy? Do they do background checks? Can they provide you with documentation? Are they adequately insured? Can they provide you with proof?
- Do you have an incident response plan? Is anyone trained and do you test it regularly? Do you know who to call and what to do in the event of an incident? Do you even understand what an “incident” might consist of? Do you have it defined?
- Do you have a trusted outside third party advisor that you can turn to before a crisis?
- Are you aware of reporting requirements for your specific industry, if any exist? Data breaches can bring huge liability to the table, and you need to know what the local state and Federal laws are governing such breaches.
- Where, when, and how are you using encryption? You should be using whole disk encryption on ANY mobile platform in order to protect what you DON’T know is on your hard drive. But more importantly, do you have a way to recover as well as report and deal with stolen or lost mobile devices? A high percentage of breached data comes from lost or stolen laptops, and the vast majority of those are left in either a car or a cab. Not having those assets secured could cause devastating consequences for your company.
The point in all this that I want to make is that Business Continuity planning is like shopping for life insurance. No one wants to do it but we all know we should. My advice is, find a trusted security professional party with whom you can work and at least get the dialogue going on the subject. Business disruption is just like death and taxes. It’s not an “if” scenario but a “when”. So plan for it and you may just save your company and everything you have worked so hard to obtain.
If you have further questions or would like to schedule a free assessment you can contact me at firstname.lastname@example.org . Until next time…