Have you heard the phrase, ‘Closing the stable door after the horse has bolted’? If not, it means that there is no sense trying to prevent something after it has already happened. And this, in a nutshell, is why your business needs a BCP, or Business Continuity Plan.
In the moments following a cyber-attack, you don’t want to be trying to determine which of your company’s assets are, or were, most crucial and trying to figure out how to react to the attack. You want a solid strategy in place that will ensure that the damage is limited as much as possible. After all, each passing moment following an attack is crucial and if you don’t have a SabreVault type security system in place, having a BCP is especially important.
What Is a Business Continuity Plan?
The prevalence of hacking and cyber-threats in modern society means that you have to hope for the best but plan for the worst; like taking out insurance for your car even though you have a security alarm installed. So, in addition to bringing in the best IT security and consulting services you can find, you need a clear plan for dealing with any breaches in your business’s security.
This plan is your BCP, and it has to detail the procedures following any cyber-attack in great detail. This will allow your business to respond quickly and effectively, so as to minimize the potential damage of the attack.
It is also important to include steps for business continuity on a public front, such as disclosing the attack to the public and maintaining trust in your business.
How to Create a Business Continuity Plan
Before you get to work creating a list of procedures that should occur immediately after a security threat, it is important to take a step back and put yourself in the shoes of a hacker. This way, you’ll have a better idea of what cyber-criminals would most likely target in your business, and you will be better poised to protect those assets.
Begin by looking at your business with completely fresh eyes. Determine what you would identify as your business’s main objective if you were just discovering it. Based on this, what would you consider to be your business’s most valuable assets? And, how would you access those assets?
Asking, and honestly answering, these questions will help you formulate a profile that you can use to develop your BCP. But, don’t feel that you have to do this alone. In fact, the more insight that you can get from other members of your team, the better. Different perspectives will help you determine fresh angles from which to approach your profile and might uncover some weak points which you had not yet considered.
Once you have an idea of how your business may be targeted, you will also understand the potential impact of a cyber-attack. This is very important, as it allows you to start developing your plan.
With the impact of an attack in mind, determine the resources that you would need to recover from the attack, respond to it, and continue your business processes. With this data in hand, analyze the resources you currently have available. This might lead to a gap between your required resources and your available resources, but that’s all right; it means that you know what you now need.
The goal is, of course, to bring this gap down to zero, which will mean that you have everything that you require to start formulating a truly effective plan. But, if you simply can’t find the resources necessary to match your initial estimation, you might have to get creative.
A good way to do this is to ask colleagues and acquaintances in the industry for any advice. If they have gone through the stress of an attack, they may have formulated some creative defense and response strategies which could solve a lot of your problems. And, even if they don’t solve your resource issues, they might help you discover a few more areas in your business which may be targeted.
Developing Your BCP
Once you are aware of the potential impact of an attack, and the resources available to you to help promote continuity during the incident, you can start to develop the actual plan.
The goal of a business continuity plan is, as the name suggests, ensuring continuity in the face of a crisis. So, with this in mind, it is important to identify the main processes of your business that keep it on track. Once you have identified these functions, you will have a good idea of how you need to structure your plan in order to keep them as functional as possible during a security incident.
While you are doing this, it is also important to determine whether any other areas of the business affect these main functions. You don’t want a knock-on effect where one of these main functions is disabled as a result of a secondary function being attacked. So, if there are dependencies, identify them and work them into your plan.
Lastly, you need to make allowances for a break in business processes whether you’re running a consultancy, a law firm or a marketing digital marketing agency. Decide on the maximum period of downtime from which your business could recover, then build that into your plan. This will essentially be your maximum window for implementing your plan and returning operations.
Once you have decided on all of the above, you can create a play-by-play plan of strategic operations that will ensure business continuity. If you need a little help on this front, here are some free disaster recovery templates.
Put Your BCP into (Simulated) Action
Skipping the testing phase of anything is not advisable, and this is especially true of your BCP. So, before congratulating yourself on a plan well formed, run some tests to see how it fares.
This can start with a simple walk-through, asking the heads of all concerned departments to go step by step through their sections of the plan. This allows for feedback that will serve to identify any weaknesses in the plan which may not have been apparent.
Next, run the plan as a drill. This will mean creating a situation that simulates a cyber-attack and working through the plan in succession. Through this, you will see exactly how effective your plan is.
It is important that, during the testing phase, you run through as many scenarios as possible. Remember, cyber-criminals are rarely predictable and are constantly looking for new ways to gain entry to business’s systems.
Here is a simple guide to testing a business continuity plan.
Keep Your Business Continuity Plan Updated
After you run your tests, you may well end up with a list of issues which need to be addressed. This is good; it helps refine your plan. But, once those have been dealt with, it’s not a good idea to simply stick your plan in a drawer.
With cyber-criminals growing ever wilier, your plan could soon become obsolete. So, the best way to ensure that you are prepared to keep your business’s head above water in the event of a security issue is to constantly update your BCP.
This may sound like a lot of effort. But, in the unfortunate event of a hacking, you’ll be glad you took the time to do it right.