Oscar Wilde once stated, “To expect the unexpected shows a thoroughly modern intellect.” In continuing our look into being prepared during Cybersecurity Awareness Month, our second installment will focus on business continuity, what it entails, and the ongoing process to ensure it doesn’t become a “set it and forget it” exercise.
In many conversations, confusion arises between what a business continuity plan (BCP) is and what a disaster recovery plan (DRP) entails. A BCP is a process of ensuring that a company can continue serving its clients, whether they be internal or external. It allows an entity to protect its critical assets, whether high-risk data, hardware, equipment, or, most importantly, personnel. A DRP is an extension of a BCP and assists in furthering the success of the plan should an incident or event occur. These events could be natural disasters, fires in the server room, malware attacking your database, or the feared ransomware attack that leaves your network incapacitated. Whereas a DRP will provide you with detailed steps through planned scenarios, a BCP determines what assets you should focus on and how long they can be inoperable before the outage starts to affect the company’s fluidity.
The BCP is part of executive awareness of the risks that could hinder successful business operations. The National Institute of Standards and Technology (NIST) published Special Publication 800-34, a guide for continuity planning. It states the following steps to consider when creating or updating your plan:
- A policy should be created and authorized that states the BCP requirements and why it is required. It also gives authority to proceed with the development.
- Conduct a Business Impact Analysis (BIA), which allows for a company to understand and focus on its critical assets and identify threats, vulnerabilities, and calculated risks.
- Identify preventative controls for the critical risks recognized. This will allow a company to achieve an economical and company-driven security posture.
- Develop recovery strategies: If something were to happen, what strategies will be in place for teams to follow? Unlike a DRP, these plans are high-level and used as guidance.
- Develop the contingency plan. These are guidelines to ensure the company can stay functional in a crippled state.
- Test the plan to identify deficiencies and train individuals to prepare them for their expected tasks.
- Maintain the plan. Do not leave the plan in a binder on a shelf for three years without updating it to reflect the changes within your ecosystem.
Companies need to ensure that their recovery plan is ready for an event and tested accordingly. This includes critical data backup and recovery, personnel safety, and relocation. Security resiliency is key during a disruption, as these times of “chaos” are when controls can become weakened and critical information is left vulnerable. Attackers revel in these times, as they are “easy pickings.” Finally, ensure that you can recover and safeguard the logs that were created during the incident. These can help with forensic investigations and lessons learned to mitigate a recurrence.
At ConvergeOne, we have helped clients establish a BCP lifecycle to develop, create, implement, and sustain a valid program. These steps include:
- Identify your current risks via a risk assessment
- Analyze these risks by providing a BIA with recovery time/point objectives
- Design a strategy that takes aim at critical assets
- Execute the plan and continually monitor its progress and success
Allow the Cyber Security and Data Center teams at ConvergeOne to help your company stay resilient in reaching successful business strategies and outcomes.