Cyber attacks and disasters are an unfortunate reality that every company faces in one form or another. It only takes one vulnerability to be exploited by an opportunistic attacker to take down a network or website, or a natural disaster such as a fire to bring a company to a standstill. Staying protected isn’t enough; you need a contingency plan to protect yourself from viruses and other disasters. You need a business continuity strategy.
In a nutshell, a business continuity strategy is an emergency plan designed to help you safeguard normal operations following a disaster such as a malware attack or a natural disaster.
Any business that doesn’t have a business continuity strategy is rolling the dice on its future. Forty to sixty percent of small businesses who lose access to operational systems and data without a disaster recovery plan close their doors forever. Enterprises that don’t have a disaster recovery plan or a data backup plan run the risk of being put out of business.
Many businesses are under the impression that a Business Continuity Plan (BCP) is too complicated and don’t take the steps to protect themselves. While designing a business continuity plan may sound complex, in reality implementing disaster recovery measures is simple. You just need to take the time to put one together.
What is Business Continuity?
Business continuity is a term used to describe a contingency plan that will enable a business to remain operational during a disaster. The plan should include a range of prevention and recovery steps to minimize the damage caused by a disaster. A BCP is outlined in a single document so that employees know how to respond to disruption.
The BCP should have a number of core components:
- Use business impact analysis to identify key business functions and resources
- Document key functions and implement a plan to recover those functions after an event
- Assemble a business continuity plan to manage the business continuity plan and any disruptions
- Detail where employees should go during a disaster (an alternative physical site)
- Identify the contact information of management and other individuals
- Document information on data backup solutions
- Train and test to make sure that employees know how to apply the recovery strategy
What is Disaster Recovery?
The terms business continuity and disaster recovery are often used interchangeably. However, there is a big difference between the two. Disaster recovery is a component of a business continuity plan which is about keeping the business operational as a whole.
A disaster recovery plan is about restoring mission-critical functions after a disastrous event. Enterprises will create a disaster recovery plan to set out how to respond in the event of downtime.
A disaster recovery plan should include the following information:
- Produce a statement and outline the goals of the plan
- Outline emergency response actions to implement after an event
- Identify important IT assets and set a maximum outage time
- Catalogue any software or systems that will be used during the recovery process
- Create a disaster recovery team and record their contact information
- Accumulate documentation from technology vendors on recovery measures and software
The BCP Essentials
In this section, we’re going to look closer at the essential parts of implementing a BCP. These include:
- Create a Business Impact Analysis (BIA)
- Find your greatest risk potential
- Create a communication plan
- Check your insurance coverage
- Back up your data in the cloud
- Test Your Plan
- Install Cyber Security Tools – Antivirus, AntiMalware, and DDOS Protection Software
- Produce Physical Copies of Your Plan
Business Impact Analysis (BIA)
A BIA is the first step you should take when implementing a BCP. The BIA is about taking inventory of your current systems, noting the key resources you rely on, and creating a strategy to restore these resources in the event of a disruption.
The assessment should measure the importance of systems so that you can prioritize the restoration of those mission-critical systems ASAP. To conduct a thorough analysis you need to identify the following information;
- Identify which units, services, and resources are most at risk and what are their roles
- Identify the critical functions that control the operation of these units
- Specify an acceptable level of downtime
- The point in time you need to restore to (files that need to be restored etc.)
- Highlight the impact that failures will have on the business
- Create charts and diagrams to show the potential loss if these units fail
- Create your methodology for the data gathered in the analysis
- Identify or designate employees responsible for responding in emergencies and how to contact them
Remember the goal of the BIA is to identify key systems you need to restore and to highlight the potential damage/cost of failure. The assessment should raise awareness of what systems or functions to prioritize to get the business back up on its feet quickly.
Find Your Greatest Risk Potential
Cataloging the greatest risks your organization faces will help to reduce the likelihood of you being caught off guard. While you can’t control the future you can understand the issues you’re most likely to encounter. You should take into account physical risks on-site and technological risks such as malfunctions or cyber-attacks.
Risks could include:
- Flooding and water damage
- Power outages
- Fire hazards
- Severe weather conditions
- Natural disasters like earthquakes
- DDoS attacks
- Viruses or malware
All of these risks could cause you to have to shut down for a few days or longer. Considering these risk factors in advance allows you to implement measures to address them.
For example, if you are in a region where earthquakes are frequent storing your data in the cloud could help to keep your data available. Similarly, to protect against cyber threats you could deploy an antivirus or antimalware tool.
Create a Communication Plan
The success of your BCP relies on the employees who implement it. If there is a lack of clarity over who is responsible for what, your ability to respond in times of crisis is going to be severely limited. Creating a communication plan and outlining the members of staff involved in responding to attacks will lead to a more effective response.
For long term security, you want to establish a plan to communicate updates on the recovery process and other information. There are many effective ways to communicate but what’s best will depend on the culture and preferences of your employees. All of the following are effective ways to communicate:
- Via phone and texting
- Use an email alert system to provide updates
- Use a collaborative tool like Slack so that employees can communicate in a single chat feed
- Use an application like WhatsApp and create a group chat for employees to communicate remotely
To ensure that you can communicate during a disaster, you want to make sure you can access your website and social media accounts remotely. This way you can release an update to employees (or customers) if there is a problem with the service.
Check Your Insurance Coverage
Even if you’re prepared you might not be able to mitigate all the damage. Insurance is critical for giving you a financial safety net to fall back on if you’re put out of action. A Business Interruption Insurance policy will cover you if you’re hit by a disastrous event.
This type of insurance covers fire, storms, theft and other issues that can force you to close your doors. Your policy can cover profits you would have made if you had stayed operational, operating expenses such as employees’ wages, the cost of temporarily relocating (moving and rent costs), and more.
However, there are some limits to be aware of. Generally, insurance won’t cover utilities, undocumented income, partial closure, or non-covered disasters such as earthquakes and closures due to power lines.
Backup Your Data in the Cloud
One of the easiest ways to safeguard your data from loss or corruption is to move it to a cloud service. Storing important data off-premises means that if something happens to your local environment, your data will still be safe. You will also be able to access that data remotely until your business site is operational.
The advantages of using cloud-based backup solutions are that you don’t have to pay to build and maintain a data center of your own. You can simply pay a cloud provider for access to storage at a fraction of the cost you would be paying to run your own data center. There is also the option to cut costs further by only backing up critical data.
There are a number of providers you can use to protect your data in the cloud:
As a best practice, you should choose a data center that’s far away from your primary premises, in a different geographical area. If your backup is too close to your local premises then one event could potentially put them both offline! A large storm or earthquake could easily affect two locations if there isn’t sufficient distance.
Test Your Plan
Once you’ve created a plan it is important to test it meticulously. You should test the plan to see how it functions for every potential scenario. During your tests, you should find out how long the plan takes to execute, whether your response measures work in practice, how aware first contacts and employees are of their responsibilities, and how much downtime your plan will allow you.
By testing the plan you’ll be able to find issues that you will have missed on paper. For example, if your backup fails or you can’t reach a vital employee. Finding these issues out in advance will allow you to make changes so that your BCP is good to go when the time comes.
During testing, you will want to pay particular attention to the recovery time objective and recovery point objective to measure the success of the plan. You should conduct drills of your plan with employees at least once a year to make sure they become familiar with response procedures; sooner if you have a large number of new hires.
Install Cyber Security Tools – Antivirus, AntiMalware, and DDOS Protection Software
Cyber attacks are one of the most common risks that enterprises face. Viruses, malware, and DDOS attacks can all shut down your business and costs you tens of thousands of dollars’ worth of damage. Installing software agents on devices and servers to protect against viruses and malware is a necessity for cutting down entry points into your network. Antivirus solutions provide alerts when the program discovers a virus.
For preventing DDoS attacks, there are many DDoS protection solutions you can use including log management tools, network analyzers, website application firewalls and managed DDoS protection services. For example, a log management tool will send you a notification when it detects malicious traffic. Taking a step-by-step approach to cybersecurity will enable you to build more comprehensive protections over the long term.
Produce Physical Copies of Your Plan
Lastly, keep physical copies of your BCP on hand. Having a record of the response measures is absolutely invaluable during a crisis. If your plan is only available as a digital document then you won’t be able to access it if you lose functionality. Not having the plan on hand means that unless your team memorizes the steps by heart, you won’t be able to respond effectively to a disaster!
To avoid confusion print off current versions of the BCP and hand it to all relevant employees and partners. Having a paper copy available will give employees the necessary guidance to respond effectively in the aftermath of an event.
Business Continuity: Act Now!
A BCP is a necessary step for acknowledging and protecting your business against any weaknesses. Having the foresight to pinpoint the systems you rely on allows you to prioritize when chaos strikes.
Having a documented continuity process that employees are aware of can reduce your response time and prevent further disruption for your service. Ultimately, the less time your service is down the less money you will lose.
You don’t necessarily need to draft a complex continuity plan to benefit. A small organized plan with a well-thought-out response is a hundred times better than improvising after the event. By planning in advance you enable employees to respond productively and quickly to service disruption.