The Show Must Go On: Business Continuity

Always expect the unexpected. You never know when disaster might strike, or even comparatively minor inconveniences. You need to have a plan to keep your business operating, regardless of what may happen. That includes, but isn’t limited to, keeping your data and computer networks going. You need a business continuity plan. If you don’t have one, make one! If you do have one, review it and test it.

Here are some major events that you may need to mitigate:

  • Natural disasters- Your risk of certain types of natural disasters will vary according to the geographic location of your business and computer networks. But wherever you are, there’s always some risk of some types of natural disasters. Consider what you know about your location, and make a list of how Mother Nature may interfere. Flooding is a risk if you’re near or below sea level, and close to a body of water such as rivers, lakes, or seashores. Earthquakes are a risk if you’re near a fault line. Snow storms and blizzards are a risk if you live in an area that gets snowy in the winter. Tornados and wind storms can be a risk if your business is in the plains. Hurricanes are a risk if you’re near the sea or an open bay. Drought can be a risk if your climate can go a couple of months without precipitation. Your business can take tap water for granted until you have to go without it. Most municipalities, towns, and cities in countries around the world have public employees whose work is dedicated to planning for natural disasters that may affect your area. Consult your local government for advice about how your business can prepare for such events. They’ll likely gladly offer you help in that area. If your town or city has a sizable fire department, they may be able to advise your business as well. On that note, it’d probably be prudent to have a fire drill once or twice per year. The drills should be a surprise to your workers. It’s unlikely that they’d panic once they figure out that it’s a drill. Make sure that they take it seriously, as if it were an actual fire. Your local fire department can also help you plan effective fire drills for your workplace.
  • Crime and terrorism- Frankly, your risk of being subject to other violent or property crimes is much greater than your risk of being subject to terrorism, unless you work in intelligence or something of that nature. Either way, you need to prepare for all such events in your business continuity plan. A medium-sized or larger business may need human security guards. Make sure physical security is accounted for in your penetration testing and IT security policy. One easily overlooked factor is panic. In a life-or-death emergency, it can put lives at risk. Make sure that there are people in your organization who are designated to take a leadership role in such an event. They should be trained to instruct their fellow employees to remain calm in the event of violent crime or terrorism. Panicking people are known to behave in counter-productive ways, such as blocking entrances with large crowds, thus delaying a safe escape for people, and usually injuring others. That’s what happened when I was in the Toronto Eaton Centre during the shooting incident in June 2012. Thousands of people panicked, and there were a lot more injuries from dangerous crowd behavior than from bullets. Your local police department can help your organization with how your business continuity plan deals with crime and terrorism.


Minor events are more likely to engage your business continuity plan, and a lot more frequently. Some of the types of events you may encounter are:

  • Network failure- Your networks can experience a large failure for a number of different reasons. Some of the most destructive malware can cause a major network failure, especially if it targets BIOS and other firmware. Electrical outages are another frequent cause. Does your business require backup power in case of such an event? Sometimes, environmental factors can be a cause, such as if your data center is flooded. That of course is an event that’s linked to natural disasters.
  • Reputational damage- Damage to your organization’s reputation is a greater risk now than it ever was, now that internet access has been common for well over a decade. The best way to prevent damage to your reputation is to avoid incidents in the first place. If your business has customers and clients, they should be served well and fairly. You should obey every applicable law and regulation, which is something a surprising number of business leaders fail to do. Don’t be like them. Income inequality is now a greater problem than it ever has been since the Great Depression. Are your workers at the bottom of your hierarchy paid enough to live with dignity, a living wage? If your workers aren’t paid enough to escape poverty, it’s pretty much impossible to prevent that from becoming a problem that does immense damage to your reputation. Offshoring should also be avoided as much as possible, not just because of reputational risk, but also because your data and proprietary functions will be more secure and better managed by domestic staff. In the case of information security incidents, a well-prepared Computer Security Incident Response Team is crucial. And as you make sure that your business behaves with integrity to strengthen your reputation, a good legal department and PR department will help with incidents that may not be avoidable. What will you do if bad news about your organization “goes viral” on the internet? Consider that in your business continuity plan.

Business Continuity Planning

First, a thorough risk assessment must be done. Risk assessment is never “one-size-fits-all,” because your risks will be unique to your business, and will differ even from the risks your immediate competitors in your industry face. How likely is each risk? What are the consequences of each risk when it results in an incident? And then, each risk mitigation tactic should be analyzed according to a cost-benefit analysis. It’s nice to have lots of backup data storage, but do you need twenty backups for each disk? Perhaps having five for each will be enough. Armed guards may be excellent protection from violence, but is your risk great enough for the expense and responsibility?

Secondly, consider how incidents may affect customers, clients, and stakeholders. Review any Service Level Agreements you may have.

Consider this advice from Security Researcher Steve Higdon:

“Conduct a business impact analysis to prioritize your systems, data, and capabilities. Don’t forget to include supply chain risks. For any risks that are cheaper to insure than try to mitigate (as long as you aren’t ignoring regulatory compliance), accept them and pass the buck to your insurance company. Decide on system and data backup methodologies, and test them! Research and coordinate a cold, warm, or hot site, in case of disaster. Test your entire plan regularly and ensure that everyone responsible for roles in the process is trained. Cross your fingers.”

My fiance Sean Rooney is a former Information Security Scientist for Alcatel, Sears Canada, and the Royal Canadian Mounted Police. He helped Alcatel recover from 9/11, as they had an office in the World Trade Center. Here’s what he has to say:

“Have hot sites for critical business functions a minimum of 25 kilometers away from each other. Have evacuation and relocation plans. Liaise with regional emergency preparedness agencies. Make all critical functions double or triple redundant, which may include personnel.”

As you may know, a hot site is an alternative workplace location, where your business can be resumed immediately. A cold site is an alternative workplace location that may need some configuration before business can be resumed there. Whether or not you need hot sites or cold sites is based on the size and nature of your business. The larger and more crucial your functions are, the more likely you are to need alternative sites. Hot sites are a lot more expensive to maintain, because electricity, equipment, and caretaking need to run there at all times. Cold sites are often backups for hot sites in really large organizations, usually government-related ones. Alternatively, you may have a cold site only, because your business can’t justify the expense of a hot site.

ISO 22301

Complying with ISO 22301:2012 can assure that your business continuity plan is excellent. The standard encompasses a variety of areas within business continuity. It assures that your business minimizes incident-related downtime, and resumes normal operations as soon as possible. It also assures that your business takes a proactive approach to avoiding incidents, has effective crisis management, identifies current and future threats, and that you can demonstrate resilience to customers, clients, stakeholders, and insurance.

It’s always best to be prepared. You can never be completely certain as to what may happen to your business in the future. Today’s threats are different from historical threats.
