If I had £1 for every time I’ve been told “it won’t happen to us”! However, history and experience tell us that disasters and serious breaches do happen, and if adequate preparations have not been undertaken, history also tells us that there is a significant risk that the organisation will not recover and will go out of business.
So how can we prepare: hope for the best, but plan for the worst?
Let’s start with the myths:
- Only large organisations need to consider Business Continuity Planning and Disaster Recovery Planning (BCP/DRP);
- We are only a small company, we won’t be targeted by ransomware.
Well I’m sorry, I’m here to tell you that both the above statements are incorrect!
But don’t panic, don’t just cross your fingers and hope it won’t happen, and don’t put it on the “too difficult to do” pile!
You can do something to reduce the risk.
However, if you are still not convinced that your business is at serious risk and think you have nothing to worry about, then please consider: what would you do if your customer database was hit by a ransomware attack, or the office containing the servers that hold that database burnt down, and you could not access your information to identify who owed you what?
Could you still collect the monies owed to you, could your business survive?
Unfortunately, both events are more common than you may think. As for ransomware attacks, we have seen a steady increase during these challenging times, as organisations rely more on homeworking.
So, every organisation needs to consider BCP/DRP arrangements to ensure that their business is resilient.
Depending on the size, complexity and nature of your organisation, BCP/DRP can be quite complex. So rather than putting it on the “too difficult to do” pile, crossing your fingers and hoping that it won’t happen to us, here are just 6 things any organisation can do to reduce their risk. It’s a mix of People, Process and Technology:
- Understand which information systems are essential to run your business, including their Recovery Time Objectives (RTO), Recovery Point Objectives (RPO), Service Delivery Objective (SDO) and Maximum Tolerable Outage (MTO). In other words, undertake a Business Impact Assessment (BIA). Basically, this means you need to fully understand the following:
  - Identify your critical information: how you collect it, process it, store it and share it.
  - Understand the business risks to this information and the DR scenarios you are preparing for: hardware failure, fire, flood, power or Internet failure, or recovery from ransomware. Be specific, as some threats may require a unique response.
  - Determine which systems you need to recover and in what time frame (RTO).
  - Ascertain to what prior point in time these systems need to be recovered (RPO).
  - In a recovery situation, it is unlikely that you will be able to operate at your usual quality of service, so what is the minimum quality of service tolerable for the business (SDO)?
  - You will not be able to operate for a long period of time at these reduced levels of service, so how long can you manage before it starts having a serious impact on your business (Maximum Tolerable Outage, MTO)?
- Design your Business Continuity and Disaster Recovery Plans, taking the above into account.
- Identify threats and vulnerabilities to these systems and implement appropriate countermeasures to reduce the risk that these will cause your business harm.
- Ensure you are looking after the basic hygiene factors, such as patch management and implementation of two-factor authentication (2FA), and that you are not just relying on user IDs and passwords to protect your business assets.
- Ongoing user awareness and training: make sure that your people know what they should do, what they shouldn’t, and why. If they understand the why, they are more likely to adhere to your policies and procedures.
- If the worst should happen, are you confident that you can recover from the right point and in the timeframe your business requires? Do you maintain adequate backups and have access to alternative processing arrangements?
- Last, but by no means least, undertake periodic assurance reviews to provide confidence that all the above is working as intended. Undertake “what would we do if this happened…” walkthroughs. Test, test and test again.
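The BIA objectives above (RTO, RPO, SDO, MTO) only protect the business if the backup and recovery arrangements can actually be shown to meet them, which is the point of the assurance review in the last item. The script below is an added, constructed example written for this article, not a PRISM RA tool or anything from the original post: it compares each system’s BIA objectives with the evidence the IT team can demonstrate (backup interval, age of the last good backup, duration of the last rehearsed restore, fallback capacity, and whether an offsite copy exists) and lists the gaps. The system names, objectives and evidence figures are invented sample data.

```python
# Added example: a recovery-readiness check driven by BIA objectives.
# Illustrative code written for this article, not a PRISM RA tool; the
# systems, objectives and backup evidence below are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Fixed "now" so the example is repeatable (constructed value).
NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class BiaObjectives:
    """What the business decided in its Business Impact Assessment."""
    system: str
    rto_hours: float      # Recovery Time Objective: restore within this many hours
    rpo_hours: float      # Recovery Point Objective: lose at most this many hours of data
    sdo_percent: float    # Service Delivery Objective: minimum acceptable capacity while degraded
    mto_hours: float      # Maximum Tolerable Outage: beyond this, serious business harm


@dataclass(frozen=True)
class RecoveryEvidence:
    """What the IT team can actually demonstrate today."""
    backup_interval_hours: float
    last_good_backup: datetime
    last_restore_test_hours: Optional[float]  # None = restore never rehearsed
    degraded_capacity_percent: float          # capacity the fallback arrangement provides
    offsite_copy: bool                        # copy that survives fire/ransomware at the primary site


def assess(obj: BiaObjectives, ev: RecoveryEvidence, now: datetime = NOW) -> List[str]:
    """Return the list of gaps between objectives and evidence (empty list = ready)."""
    gaps: List[str] = []

    # Internal consistency of the BIA: an RTO longer than the MTO can never be met.
    if obj.rto_hours > obj.mto_hours:
        gaps.append(f"RTO {obj.rto_hours}h exceeds MTO {obj.mto_hours}h; objectives inconsistent")

    # RPO is met only if backups run at least as often as the RPO...
    if ev.backup_interval_hours > obj.rpo_hours:
        gaps.append(f"backup interval {ev.backup_interval_hours}h exceeds RPO {obj.rpo_hours}h")
    # ...and the latest backup actually succeeded recently enough.
    age_hours = (now - ev.last_good_backup).total_seconds() / 3600
    if age_hours > obj.rpo_hours:
        gaps.append(f"last good backup is {age_hours:.1f}h old, exceeds RPO {obj.rpo_hours}h")

    # RTO is only credible if a restore has been rehearsed and fits the window.
    if ev.last_restore_test_hours is None:
        gaps.append("restore never tested; RTO is an assumption, not evidence")
    elif ev.last_restore_test_hours > obj.rto_hours:
        gaps.append(f"last restore took {ev.last_restore_test_hours}h, exceeds RTO {obj.rto_hours}h")

    # SDO: the fallback must deliver at least the minimum tolerable service level.
    if ev.degraded_capacity_percent < obj.sdo_percent:
        gaps.append(f"fallback delivers {ev.degraded_capacity_percent}% capacity, below SDO {obj.sdo_percent}%")

    # Fire and ransomware scenarios both need a copy the primary site cannot take down with it.
    if not ev.offsite_copy:
        gaps.append("no offsite/offline copy; fire or ransomware at the primary site loses the backup too")

    return gaps


# Constructed sample inventory (not real systems).
INVENTORY = [
    (BiaObjectives("customer-database", rto_hours=8, rpo_hours=1, sdo_percent=50, mto_hours=48),
     RecoveryEvidence(24, NOW - timedelta(hours=30), 12, 60, offsite_copy=False)),
    (BiaObjectives("internal-wiki", rto_hours=72, rpo_hours=24, sdo_percent=20, mto_hours=48),
     RecoveryEvidence(24, NOW - timedelta(hours=2), 4, 100, offsite_copy=True)),
    (BiaObjectives("email", rto_hours=4, rpo_hours=1, sdo_percent=80, mto_hours=24),
     RecoveryEvidence(1, NOW - timedelta(minutes=30), None, 90, offsite_copy=True)),
]


def readiness_report(now: datetime = NOW) -> Dict[str, List[str]]:
    """Map each system name to its list of gaps."""
    return {obj.system: assess(obj, ev, now) for obj, ev in INVENTORY}


if __name__ == "__main__":
    for system, gaps in readiness_report().items():
        status = "READY" if not gaps else f"{len(gaps)} gap(s)"
        print(f"{system}: {status}")
        for gap in gaps:
            print(f"  - {gap}")
```

Run as-is, the constructed customer database shows four gaps (daily backups against a one-hour RPO, a stale last backup, a rehearsed restore slower than the RTO, and no offsite copy), the wiki shows a BIA whose RTO is longer than its MTO, and email shows an RTO that has never been rehearsed. Each check maps directly to one of the BIA questions, which is what makes the output usable as assurance evidence rather than a guess.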
Plan for the worst, Hope for the Best
Identify your risks, improve your protection, save your business
About our author
Mike is a director of PRISM RA, and has a wide range of experience gained through roles both within mainstream IT and over 30 years in consultancy, including over 20 years with KPMG. During his time with KPMG, Mike held a number of senior roles, including: leading the Midlands Governance & Compliance practice; leading the Midlands Information Security team; and the UK service line lead for IT external audit. With Prism RA, Mike’s focus is on cyber & technology governance, risk, compliance and security, assisting organisations to realise the business benefits from their use of technology and helping to effectively protect their business from the potential impact of the ever-increasing cyber threat. In addition, Mike is a Non-Executive Director of CyberQ Group, an innovative and award-winning cyber security services provider.
Mike also plays a leadership role with ISACA, both at the Local and International levels. He has served on the Board of the local Central UK Chapter since its formation in 1993, his current role is Past President. Mike’s International roles include: a term as an ISACA International Board Director, Finance Committee, GDPR Working Group and currently he is a member of the Information & Technology Risk Advisory Group.
Mike is also leading ISACA’s activities with the Cyber Security Alliance, a group of the UK’s cyber security related bodies. The Alliance’s work includes establishing the UK’s Cyber Security Council, on behalf of the UK Government.