Nearly Two-Thirds of Businesses are Without a Crisis-Agnostic Continuity Plan. Are You One?

Fluking it: has anyone really ever done it? We’ve all seen those trick-shot or first-try videos, but they all have hours of practice behind them.

It’s exactly the same when it comes to business continuity. No one is fluking a business continuity exercise, and if you are unlucky enough to have the details of a security event made public, then you had better hope you practised.

According to PwC’s Global Crisis Survey 2022, a staggering 65% of respondents didn’t have a ‘crisis-agnostic’ plan in place, whilst 40% of respondents ‘had not yet conducted a full after action review’, and I can believe that. But BC plans take practice, and since the COVID-19 pandemic they’re much more mainstream.

So why, then, are businesses failing to test their plans, and why do some still not have a finalised plan in place?

It’s very easy to fall into the trap of thinking you’ve got a perfect BC plan. And yeah, you might do, for a DDoS attack against the one critical system you have. But as the stats above show, that’s not all we need to consider when it comes to BC plans. We need to think outside of cyber, and we need to review and practise.

There is certainly not a one-size-fits-all policy for BC, as each business is different, but there are several scenarios that apply to all.

What should you plan for?

·         Loss of People – the COVID-19 pandemic is your example here.

·         Loss of IT Services – that DDoS attack on a critical system.

·         Loss of Sites – the traditional fire, flood and social engineering threats.

In these three scenarios a business can easily provide a continuity and remediation plan for the majority of its assets, and the plan isn’t cemented to one particular type of event.


What can you do to create a solid plan?

·         Keep it simple.

·         Practice.

·         Evolve.


Keep it simple

It’s important to remember that when a business continuity plan is called into action, people will be in a slight panic. So it’s important that the plan attached to these scenarios is simple: it gets the right people together quickly, sets out easy-to-follow steps, and ultimately delivers continuity that leads back to business as usual.

Practice

Easier said than done, right? Exactly! So you need to practise these business continuity scenarios and remediation plans. I’m not suggesting that you close the entire office every quarter and send an email to the whole company stating there’s been a ‘fire’ in the 4th-floor kitchen. Good ways to test loss of sites and people are:

·         Simulating office closures by department. Ask the IT department to work from home on a particular day and the Finance team the next.

·         Awareness training with people who wouldn’t primarily be involved in BC.

Evolve

Now, as your business grows and the number of important systems, people and sites grows too, your business continuity plan should evolve with them. A mature business will have a BC plan backed by a management system. This should have a detailed business impact analysis highlighting each department’s critical functions, RTO (recovery time objective) and RPO (recovery point objective). Whoa, whoa, whoa, we were just talking about businesses that don’t have agnostic plans, let alone critical-function RTOs, so why the jargon?


Remember a few paragraphs ago, when I said there isn’t a one-size-fits-all and that every business is different? You may or may not need an RTO/RPO in your plan. The scale, functionality, inputs and outputs of each business will be different, and therefore its BC plan will be too. Your continuity plan should be applicable to your business. There is little point in having one that isn’t fit for purpose because it’s too complex or too simple. A large, well-established business should have a BC management system with critical-function RTOs backing a mature BC plan. An SME will survive with a simple, scenario-based two-pager.


But the one thing that all businesses will have in common is that they need to test their business continuity plans and review how those tests went. No one is fluking a business continuity exercise, and they certainly won’t fluke incident response when the plan is needed.

So be honest, when was the last time you tested yours?


Alec Warriner

CISO & Managing Consultant – GRC


Is this something you’re working on? Drop Alec a line to discuss your plans. hello@cyro.uk
