A Simple Business Continuity Framework Can Save Your Company
Why is it that the NotPetya ransomware attack left pharmaceutical giant Merck crippled for days, while companies like GlaxoSmithKline and Pfizer didn’t even blink? How did Russia’s central bank restore their operations so quickly, while other companies remained stuck for a week? Is it pure luck? Nope. More likely, the companies that responded fastest—or remained impenetrable to the attack—relied on a solid business continuity framework that safeguarded their computer systems and minimized downtime.
After a widespread cyberattack like NotPetya or WannaCry—both of which spread across networks like a worm—it’s interesting to see which companies are affected and how they respond. Often, it’s most telling when you look at the businesses that weren’t infected, or those that were attacked but didn’t suffer any impact on their operations.
In this post, we’ll look at the critical foundations of continuity planning that likely kept these organizations immune.
What is a business continuity framework?
Your business continuity framework is as critical as the physical framework that keeps your office building standing. The materials may be different from the building across the street, but they serve the same purpose. The foundation supports the load of the building. Support beams keep it standing. Roofing and siding protect against rain, snow and wind. Smart engineering ensures that the businesses inside the building can continue running, regardless of the weather conditions outside.
Your continuity structure is not so different. It is the foundation of your operational continuity, ensuring that your IT infrastructure and computing resources keep the business running, especially after a disaster. The individual components of your framework may look different from another company’s, but the underlying objectives are the same:
- Protect against the risks of disaster (Prevention)
- Restore operations after a disaster (Response)
When a company like FedEx reports that one of its delivery units has been “significantly affected” by the NotPetya ransomware attack (to the point that it needs to halt stock trading), it reveals that there were weaknesses in the company’s continuity framework.
Specifically in the case of NotPetya, this likely meant that not all of the company’s Windows machines were properly patched (a weakness in prevention). Also, since operations were disrupted, the attack revealed that there was not an adequate data backup system that would have allowed the company to restore systems more rapidly (a weakness in response).
Outlining your framework
So, what does a good business continuity framework consist of? Let’s break it down by the two objectives we’ve already identified: prevention and response.
Both categories encompass crucial components that ultimately help a business to avoid and/or survive a disaster. Think of these components like the support beams of your physical building mentioned above. Yours may be made of iron. Next door, they may be made of wood. But they each do their job to support the overall structure (prevention). And frankly, neither is completely immune to fire, earthquakes and other disasters, which is why you still need to have emergency exit plans (response).
Now, let’s translate this into terms that apply to your information systems.
9 pillars of prevention & response
Without the proper preventative measures, you’ll never be able to adequately respond to a disaster. Prevention dictates your response.
And while specific protocols and technologies will naturally differ between companies, most businesses should have a business continuity framework that is supported by these fundamental pillars:
- Business continuity plan (BCP)
- Your BCP is the blueprint for your business continuity framework.
- It should be a comprehensive written document that outlines all of the components listed below, as they pertain to the specifics of your company.
- Having a written document ensures that everyone is on the same page about the company’s continuity strategies, risks and recovery procedures.
- Disaster recovery team
- When the proverbial sh*t hits the fan, you need a dedicated team to activate the recovery procedures as outlined in the BCP.
- Your disaster recovery team is tasked with writing your BCP, identifying solutions for known risks and managing the recovery process when disaster strikes.
- Members of this team should be personnel from across your organization who are quick on their feet and can quickly assume a managerial role, if needed.
- Risk assessment
- You can’t properly prepare for a disaster if you don’t know what the disaster will look like. A thorough risk assessment is crucial for identifying the company’s vulnerabilities.
- A risk assessment should consider the likelihood of every possible scenario that would disrupt operations.
- Examples could include fire, flooding, hurricane/tornado, cyberattack, malware, terrorist attack, earthquake, utility outages, road closures and so on.
- Impact analysis
- Each known risk should have a corresponding business impact.
- An impact analysis helps you prioritize your risk abatement by determining which disasters will cause the biggest disruption in operations.
- Consider the impact of downtime costs, loss of revenue, idle workers, recovery expenses, brand image and so on.
- Continuity technologies and solutions
- Once you’ve identified threats to your information systems, it’s time to implement the technologies that will ensure continuity.
- Typically the most crucial solutions will be data backup systems, anti-malware/virus/ransomware software, redundant IT infrastructure, redundant communication/utility lines and so on.
- Although you’ve probably already implemented several of these solutions, it’s important to periodically reassess your technologies to ensure they still meet your continuity objectives. Business continuity technologies have come a long way over the last several years. Make sure your systems are up to date.
- Communication plans
- A lot happens in the moments following a critical disaster. Your recovery teams need to know whom to contact, both internally and externally.
- Your BCP should include specific instructions for contacting key personnel, along with their emergency contact information.
- Consider how all other personnel will receive communication updates. Will they be contacted via a calling tree? Will there be a mass email? Is there an emergency call number for them to dial for information? All of this should be spelled out in your emergency communication strategy.
- Backup sites
- Not all businesses can afford to maintain a backup office location, but that doesn’t mean they can’t plan ahead for finding one after a critical event or enabling personnel to work from home.
- If you do have a backup site for critical operations, make sure the location is equipped with everything your personnel need to get to work immediately (computers, equipment, furniture, etc.) – or identify ways that these resources will be quickly obtained.
- If you don’t have a backup site, speak to a real estate professional who has the means of helping you secure one immediately in an emergency. After a disaster, you don’t want to be stuck searching for office space across the city!
- Recovery procedures
- Your continuity framework should be supported by clear directions for post-disaster recovery.
- Don’t assume that all personnel (or even your recovery teams) will remember what to do.
- Your BCP should outline the specific action steps that follow each type of situation, including even the most obvious directions, like calling 9-1-1 if there’s a fire.
- RTO & RPO
- Every disaster planning strategy should include two important continuity objectives: a recovery time objective (RTO) and recovery point objective (RPO).
- Your RTO is the amount of acceptable time for recovery after a critical event; your RPO is the amount of acceptable data loss, measured in time (i.e. a backup recovery point from 4 hours ago).
- Both your RTO and RPO should be determined in part by your business impact analysis, mentioned above.
- Identifying these objectives is important for determining how quickly your recovery teams and technologies must respond in order for the business to avoid a major disruption.
If your company is new to continuity planning, you may have several questions on how to make this framework a reality. Here are some tips to lead you in right direction.
- Where do we start?
Start with a business continuity plan. Even if you haven’t designated your recovery team yet, you can begin by identifying your core objectives, risks and technology needs in a BCP. Check out this basic template for a starting point.
- Who is responsible for continuity planning?
When it comes to BCDR, the discussion tends to originate in IT, but it shouldn’t end there. Good continuity planning requires the coordination of personnel from multiple departments.
- Should we hire a consultant?
Maybe—especially if your teams lack experience in continuity planning. An experienced consultant can help your company navigate the process, perform your risk assessments and impact analyses, and even help write your BCP. Read this before you hire a consultant
- How do we know our planning will be effective?
Test it. Throughout the year, you should be doing mock recoveries and system tests to ensure you can depend on them in a real-world scenario. This is especially important for your technology components. If you’re hoping to run all your business-critical apps in virtualized cloud environments after a major on-site outage, you better make sure it works first!
Learn more about your continuity options
Request more information about dependable data backup and disaster recovery solutions that keep your business running after disaster strikes. Speak to the business continuity experts at Invenio IT. Learn more at www.invenioIT.com, call (646) 395-1170 or email us at [email protected].