A business continuity and recovery plan was traditionally in place to get businesses and their systems up and running following natural disasters like a flood, fire, or an earthquake. Business continuity is about sustaining critical business functions, not only during a disaster or crisis but in the aftermath of the event as well. The way most organisations responded to the pandemic demonstrated in the most profound way the necessity of business continuity plans.
In an evolving threat landscape, business continuity planning needs to adapt quickly
Digital transformation trends and the increased dependence on highly interconnected technology for improving productivity, reducing operational costs, and supporting a hybrid workforce have created new risks and expanded the threat landscape of organisations. Criminals are capitalising on all opportunities. Software and hardware vulnerabilities and security oversights have become the most likely threat to business continuity, and adversaries are exploiting these vulnerabilities to launch disruptive cyber-attacks.
The hard truth is that, ultimately, security controls will fail. As adversaries advance their tactics and techniques, the potential threat and its impact are increasing. For example, the Verizon 2022 Data Breach Investigations Report highlights that during 2021 ransomware attacks increased by 13%, an increase as large as the previous five years combined. The same report indicates that the four paths criminals use to seize our kingdom are compromised credentials, phishing, vulnerability exploitation and malicious botnets. Last, but certainly not least, the human element is the key driver of data breaches. Verizon says that 82% of breaches involved the human element, although some security professionals argue that everything about cybersecurity relates to humans.
When security controls fail, the consequences are devastating. IBM's 2021 Cost of a Data Breach Report provides some key insights that demonstrate the impact of a data breach.
- The average cost of a data breach rose to $4.24 million in 2021, compared to $3.86 million in 2020, a 10% increase
- Data breaches that took longer than 200 days to identify and contain cost on average $4.87 million, compared to $3.61 million for breaches that took less than 200 days
- Ransomware attacks cost an average of $4.62 million, more expensive than the average data breach
- Lost business represented 38% of the overall average cost, including increased customer turnover, lost revenue due to system downtime and the increasing cost of acquiring new business due to diminished reputation
Business continuity and business security used to be two distinct and siloed processes. However, the evolving threat landscape is a sign that organisations must change their mindset and follow a holistic approach by merging cybersecurity with business continuity and recovery plans. As cyber-attacks continue to increase in number and sophistication, causing significant disruptions to business operations and damages to the corporate infrastructure, organisations must ensure that efforts to secure business are aligned with procedures to sustain and recover these operations in the event of a cyber-attack.
What is business continuity?
Business continuity planning is essentially a form of insurance. It gives organisations the comfort of knowing that, even if disaster strikes, the damage will not be overwhelming.
Traditionally, business continuity has focused on the idea that a few things might fail. However, the importance of business continuity became apparent during the pandemic, when business leaders realised how greatly they could be affected by unexpected disruptive incidents. And if remote working was a matter of adapting procedures and adopting technologies, organisations also had to combat an increasing number of cyber-attacks. Hundreds of businesses across the globe have suffered from ransomware attacks. Even if preventive measures, like multi-factor authentication and data encryption, can make the attackers’ life harder, the question is not “if” you will get breached, but “when.”
When everything else fails, it is business continuity and recovery planning that will save the day. Effective business continuity management enables organisations to update, control and deploy effective plans and tools while considering organisational contingencies and capabilities, as well as business needs. Ultimately, the objective of a business continuity and recovery plan is to restore data as fast as possible, thus minimising operational downtime and revenue loss.
Putting a business continuity plan together
Despite the importance of having a tested business continuity plan, “only 38 percent of business operation functions are covered by current disaster recovery plans,” admits Phil Goodwin, an enterprise infrastructure analyst at IDC.
Putting a business continuity plan together is about having clear visibility into the criticality of your systems, services, functions, and data. Once you have prioritised your business processes, you need to define acceptable Recovery Time Objective (RTO) and Recovery Point Objective (RPO) goals for each. According to Veeam, your plan should consider the following four tiers of criticality:
- Critical IT infrastructure, like servers, network or Active Directory, where your RPO is zero minutes. This infrastructure needs to be up and running before restoring mission critical functions.
- Mission critical functions, like client-facing services and revenue production apps, that are absolutely critical for the business to operate.
- Business-critical functions, which, although critical to the business, can be unavailable for up to 24 hours without significant impact.
- Important apps, like admin functions and marketing sites. If they remain unavailable for a few days, the impact can be mitigated with alternate manual processes.
- The rest of the systems, like onsite training, which can tolerate downtime of a week or more.
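Tiering only pays off if someone checks, before the incident, that measured backup ages and restore times actually fit the RPO and RTO each tier was given. The script below is an added example (not from the article, Veeam or Somerville) that runs that check over a constructed inventory. The tier ordering follows the list above; the specific RPO/RTO numbers are assumed, except for the zero-minute RPO for infrastructure, the 24-hour tolerance for business-critical functions, and the "few days" and "week or more" tolerances that the text states. It also models the dependency the first tier describes: lower tiers are restored before higher ones, so a mission-critical application's real recovery time includes the time spent bringing infrastructure back first.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed (hypothetical) RPO and RTO targets per criticality tier.
# Only tier 0's zero-minute RPO, tier 2's 24 h tolerance and the rough
# "few days" / "week or more" tolerances for tiers 3 and 4 come from the article.
TIER_TARGETS: Dict[int, Tuple[str, timedelta, timedelta]] = {
    0: ("critical IT infrastructure", timedelta(0), timedelta(hours=2)),
    1: ("mission critical", timedelta(minutes=15), timedelta(hours=4)),
    2: ("business critical", timedelta(hours=4), timedelta(hours=24)),
    3: ("important", timedelta(hours=24), timedelta(days=3)),
    4: ("other", timedelta(days=7), timedelta(days=7)),
}


@dataclass
class System:
    name: str
    tier: int
    last_good_backup: datetime      # last verified backup or replica checkpoint
    tested_restore_time: timedelta  # duration measured in the most recent restore drill


def assess(systems: List[System], now: datetime) -> Dict[str, dict]:
    """Judge every system's RPO and RTO against its tier's targets.

    Tiers are restored strictly in order (tier 0 before tier 1, ...) because
    infrastructure must be up before mission-critical functions can be restored.
    Systems within a tier are assumed to be restored in parallel, so a tier takes
    as long as its slowest member. A system's RTO is therefore checked on the
    cumulative time until it is back, not on its own restore duration alone.
    """
    by_tier: Dict[int, List[System]] = {}
    for s in systems:
        by_tier.setdefault(s.tier, []).append(s)

    results: Dict[str, dict] = {}
    elapsed = timedelta(0)  # recovery time already consumed by lower tiers
    for tier in sorted(by_tier):
        _, rpo_target, rto_target = TIER_TARGETS[tier]
        for s in by_tier[tier]:
            data_loss = now - s.last_good_backup  # worst-case loss if we failed right now
            recovered_at = elapsed + s.tested_restore_time
            results[s.name] = {
                "tier": tier,
                "data_loss": data_loss,
                "rpo_ok": data_loss <= rpo_target,
                "recovered_at": recovered_at,
                "rto_ok": recovered_at <= rto_target,
            }
        elapsed += max(s.tested_restore_time for s in by_tier[tier])
    return results


def breaches(results: Dict[str, dict]) -> List[str]:
    """Names of systems missing either objective, in recovery order."""
    return [n for n, r in results.items() if not (r["rpo_ok"] and r["rto_ok"])]


# Constructed sample inventory (hypothetical systems and measurements).
SAMPLE_NOW = datetime(2022, 6, 1, 9, 0)
SAMPLE_SYSTEMS = [
    System("active-directory", 0, SAMPLE_NOW, timedelta(hours=1, minutes=30)),
    System("core-switching", 0, SAMPLE_NOW, timedelta(minutes=45)),
    System("order-api", 1, SAMPLE_NOW - timedelta(minutes=10), timedelta(hours=2)),
    System("payments-gateway", 1, SAMPLE_NOW - timedelta(minutes=45), timedelta(hours=3)),
    System("erp-reporting", 2, SAMPLE_NOW - timedelta(hours=3), timedelta(hours=6)),
    System("intranet", 3, SAMPLE_NOW - timedelta(hours=20), timedelta(hours=8)),
    System("training-portal", 4, SAMPLE_NOW - timedelta(days=10), timedelta(days=2)),
]

if __name__ == "__main__":
    report = assess(SAMPLE_SYSTEMS, SAMPLE_NOW)
    for name, r in report.items():
        flag = "OK " if r["rpo_ok"] and r["rto_ok"] else "FAIL"
        print(f"{flag} tier {r['tier']} {name:18} loss={r['data_loss']} back in {r['recovered_at']}")
    print("needs attention:", breaches(report))
```

In the sample data the payments gateway restores in three hours on its own, which looks fine against a four-hour RTO, but it only starts once directory and network are back, so its cumulative recovery time is four and a half hours and the objective is missed. That dependency effect is the reason the RTO for a higher tier has to be set with the lower tiers' restore times already subtracted.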
Once the plan is developed, you should work on maturing your business continuity capability. Hewlett Packard Enterprise has defined nine steps to maturity – observe, triage, align, adjust, design, stabilise, transform, and optimise. “In the end, the idea is to go from a point where companies are simply observing various problems and reacting to one where technology, people processes, operations, and corporate culture are all aligned and enhanced to quickly adjust to any emerging crisis,” notes Yogesh Hindjua, Chief Technologist and Practice Lead, HPE Pointnext Services.
Somerville offers a wide range of business continuity and recovery solutions that can help you become better equipped and prepared in the unfortunate event of a cyber incident. Download our whitepaper to learn how you can achieve business continuity and resilience in face of increasing threats.