Why You Need a Business Continuity Plan and What Should Be In It
The recent high-profile ransomware attacks that beset the Colonial Pipeline company and JBS Foods should be a wake-up call for businesses of all sizes and industries. Emergency response planning must include protocols to address a full range of potential cybersecurity incidents and dedicated resources to secure IT infrastructure. Businesses should not use tight budgets and competing priorities as an excuse because cyberattacks are now a fact of life. Indeed, they continue to rise. 2020 saw a 69 percent increase in the number of reported attacks compared to the prior year. With each successful attack, criminals grow more confident and learn how to deploy even more sophisticated offensives for subsequent criminal efforts. And when businesses are attacked, they often go out of business.
One reason why cyberattacks are often catastrophic? When a company no longer can access its key systems and data, it can no longer service existing customers, attract new ones, and earn profits. While IT personnel scramble to respond, employees and production facilities sit idle, incurring expenses, and competitors begin to draw the idle business’ customers away. Many businesses don’t have the financial resources to withstand prolonged downtime, incur crippling debt, or be forced into bankruptcy immediately. Further, business leaders may feel compelled to pay ransom demands to regain control of their systems. Some attacks result in the theft of client financial information, which also may result in expensive litigation. This combination of costs can devastate small and midsize businesses, especially if they can’t resume their operations quickly.
A recent survey of businesses found that only 62 percent had business continuity (BC) plans, with 5 percent noting their BC plans covered a single day and 48 percent having plans that would cover between two and three weeks. Clearly, many businesses are unprepared or underprepared for a serious cyberattack or even another incident that could cause serious downtime.
If your business lacks a BC plan, you’re not sure what’s in it, or you have a feeling it’s insufficient, here’s what should be in yours.
Contingency plans for probable scenarios
Your BC plan should be in writing and contain detailed plans for how you may handle a range of emergency scenarios, whether natural or artificial. Think through what kinds of crises could negatively impact your operations by reviewing your internal records, as well as news coverage of disasters that have affected other local businesses. Minimally, you should include response scenarios for:
- Active shooter threats
- Bomb threats
- Cyberattacks
- Earthquakes
- Fire
- Flooding
- Hazardous substances
- Insider data theft
- IT system malfunctions
- Medical emergencies
- Snowstorms and other severe weather
Your plan should detail step-by-step what actions you’ll take and in what order to both remain operational throughout the crisis and resume normal operations as quickly as possible.
Prioritizing your action steps is critical to minimizing your downtime. If managers and employees don’t know what the recovery priorities are, they’re liable to make their own assumptions and begin work that may or may not aid in a speedy recovery. Consider a wholesaler whose IT systems have been compromised by malware but that has several shipments already loaded on vehicles ready to go. The wholesaler’s executive team may strategically prioritize retaining customers and increasing cash flow in a crisis. In this scenario, the wholesaler needs the IT department to prioritize restoring the distribution management system (DMS) to help get the fleet moving. But if IT is unaware of these strategic priorities, they may begin an automated backup recovery process in which DMS restoration is at the end of the queue.
Just as important is making sure your plan includes clearly defined roles and responsibilities for each team member. You don’t want employees not knowing who to go to to make decisions, or worse yet, making power plays when everything is in flux. By appointing managers and key personnel to take the lead on various aspects of your BC plan, you’ll minimize confusion and reduce your downtime.
Operational continuity plans and testing
You must also have a solid plan for backing up your data and recovering it quickly. Preferably, you’ll have data backups offsite as well as a separate set of backups with a cloud provider (or two). Backups should be performed as frequently as feasible: if not daily, then at least weekly. Every bit of data you can’t recover during a crisis is potentially a lost sale, customer, or growth opportunity, so ensuring frequent backups is vital.
You also must regularly test your backups to ensure that your data and systems are, in fact, being backed up correctly. You may not always receive an error notification if there’s an issue. A simple settings misconfiguration could result in you failing to preserve key data, so have your IT department and a knowledgeable end-user or two look at your backups to ensure their accuracy.
Backups mean little if you can’t restore your data and systems from them quickly. Include regular recovery tests where you simulate real crises and test how quickly and effectively you can restore your data and systems. Discovering flaws in your backups during such tests is far better than discovering them amid a crisis.
Businesses must also develop plans to shift to remote operations where feasible. While hopefully another pandemic is not on the immediate horizon, a fire, flood, or another emergency could displace your staff temporarily. Ensuring that employees have access to your network and necessary tools at home while keeping your network security intact is an important part of any BC plan.
Employee and customer safety protocols
How you’ll keep employees and customers safe should be at the top of your priority list. Working with your management team and potentially outside experts, you’ll want to develop plans aligned with all applicable laws and regulations and safety best practices within your operational constraints. Employees are the lifeblood of your business and the center of your BC plan. Your plan should include how you’ll ensure employee safety at the outset of a crisis, as well as how they’ll be kept safe if the emergency endures for some time. Customer safety must also be a top priority. If you put customer safety at risk, you may lose sales and put yourself at risk of expensive litigation and regulatory action.
Your BC plan should utilize your operational resources and strengths. But as you plan, you’ll likely become aware of significant weaknesses that may compromise your ability to navigate a crisis. For example, you may not have a cloud backup solution or your existing cybersecurity protocols may fall well below industry best practices. If you need support developing a comprehensive BC plan, remediating IT weaknesses you’ve identified or both, Rea & Associates can help. We’ve equipped businesses of all sizes throughout Northeastern Ohio with comprehensive and tailored BC plans and IT solutions that prepare them to address the next crisis. Contact us today, and let’s work together to put in place the plan and resources you need.