Planning for a disaster shouldn’t be a foreign concept to most people. Many people put away funds for an emergency, buy insurance to repair or replace damaged property or help pay for medical bills, and even create wills to address what should happen to their estate in the event of their death. Companies buy insurance covering everything from their physical property to their liability over given advise. Preparing for disaster is not a new concept.
Cybersecurity takes things a step further. Because its focus is on increasing durability against threats just as much as it is on preventing them, cybersecurity principals prescribe additional preparations that address specifically how an organization will continue to survive and recover in the event that a catastrophic event occurs. Insurance will surely pay for loss, allowing you to fund replacement assets and rebuilding costs, but without a plan that addresses business operations during the rebuilding process, the organization may not survive long enough to ever fully recover. Not considering non-technical threats such as fire, flood, and theft, 60% of small businesses are forced to shut down permanently within six months following a cyber-attack, according to an article by the Denver Post.
Business Continuity Planning
In a nut-shell, a business continuity plan, or BCP, is a document that describes how an organization will maintain critical business functions during the time that lies between a major incident and full recovery. It is a living document that should continually be tested and updated to meet the actual needs and priorities of your organization.
Critrix, a cybersecurity product vendor, states that a BCP should have the following seven essential elements:
- A clearly defined team consisting of members from every department and location you operate that are responsible for planning, testing, and managing incident response and operational continuity following an incident.
- A detailed Plan that addresses how the business will respond to various types of likely major incidents, such as fire, flood, tornado, hurricane, sabotage, and etcetera. This plan should identify key elements to business, such as business partners, vendors, and supply chains that the organization will need to reach out to in order to continue critical functions. It should also explain how critical functions are supposed to continue to operate in the event of loss. This might include things like alternate work locations where the organization could temporarily continue operations while recovery ensues.
- Effective testing ensures that the plan is up-to-date and actually works. At a minimum, the BCP should be tested annually.
- Crisis communications capabilities, such as a combination of email, telephone, text notifications, and website bulletins that communicate situational changes and important information. Draft messages that can easily be tailored for various situations and easily distributed to all interested parties in the event of an emergency.
- Employee safety can be addressed by contacting local emergency response organizations such as the American Red Cross, local police, and fire department. These organizations and others can provide emergency response training and help to you to tailor your emergency response plans to your unique industry and location.
- Remote access to critical business resources can assist your organization in fulfilling business needs. It can allow your employees to continue to perform certain parts of their jobs remotely (maybe from their own home) ensuring that your customers requests can still be filled.
- Maintaining IT resources is critical in any major incident. These are the resources that today’s businesses depend on not only for person-to-person communications, but also in managing inventories, filling orders, managing finances, and performing just about every other function of modern business. It your IT resources fail to function, your ability to function as a business could grind to a screeching halt. To prevent long-term loss of IT, organizations should plan for backup infrastructure, either in the cloud or at an alternate site that their primary IT infrastructure can fail over to if needed. Critical IT resources, such as network connectivity, file and data storage, core applications, and telecommunications should all be addressed.
Incident Response Planning
Incident response comes into play any time there is an incident. Even if it doesn’t rise to the level of a disaster, even a small malware infestation classifies as an incident and warrants proper response. While part of disaster planning, this plan can often be activated and utilized without activating business continuity or disaster recovery procedures.
An incident response plan, or IRP, should define who the incident response team is, their reporting channels, and specifics about how they are to go about responding to various types of likely incidents. It should address key issues to gathering evidence of an incident, such as whether forensic processes are to be followed and by whom. The purpose of this plan is to be able to identify when an incident has happened, to gather as much information about incidents when they happen, and to limit the impacts they may have on your organization. For more details on incident response, ComputerWeekly’s think tank put together a fantastic series on the subject.
Disaster Recovery Planning
A disaster recovery plan, commonly referred to as a DRP, is simply a plan as to how your organization will fully restore itself to its normal operating state following an incident. This document serves to compliment the BCP and is often activated concurrently with it. Think of the DRP as the plan for how you will spend your insurance money to get your company back to the status quo.
Disaster recovery should address your core business functions, of course, but also focuses heavily on your IT. This document should include specifications for required equipment and services, system configuration standards, data restoration procedures, and validation procedures to ensure everything functions properly after being restored. A DRP should also include vendor contact information and procedures for restoring essential services like power, water, internet, and telephones. Like other disaster plans, it should be tested and evaluated at least annually to ensure it is practical and will sufficiently fulfill its purpose if needed.