Business Continuity: You Need More Than a Plan
A comprehensive business continuity program involves not only a solid plan, but also the resources and the staff to execute on that plan.
You need to make sure your business is already prepared for anything. Stop for a moment and look around. IT isn’t just the computer on your desk, the laptop in your bag or the mobile device in your pocket.
The truth is, IT is controlling who is and isn’t entering your building, both virtually and physically. It’s controlling how and where your customers are handled, it’s driving your production line and it even plays a part in how your office coffee is produced.
It has been some time since IT has been confined to the back office, staffed with geeks all speaking their own language (although there may still be a bit of that). IT keeps you open for business, but if you’re not careful it can also close you down for good.
The Best Defense
Every company must exercise due diligence and take care of the company’s assets and the future ability to generate returns for investors and shareholders. This is increasingly embedded in legislation, regulation, standards and best practice guidelines. There may be differences in terminology between different sectors of industry and different countries, but suffice it to say that you need a rock-solid plan for business continuity. In order to fully exercise due diligence and care, you need to plan for the day you can’t.
Get a copy of your plan (if you have one), dust it off and actually read it. In most cases, a typical business continuity plan will cover such eventualities as damage caused by fire, theft or even flooding. If you’re based in an international capital, it may even include a section on external threats like terrorist attacks, political unrest and other disaster eventualities.
You probably also have a plan for overcoming a major power-failure event, how to supplement your staff in the event of widespread illness and quite possibly a crisis-management plan for how to react if your product fails in the market. What does it say about enduring a cyber attack? Chances are it doesn’t.
Most companies, even in this day and age, don’t account for cyber attacks. Whether a single office or a large international conglomerate, you’re reliant on computer systems to function. If you were attacked tomorrow, the reality is that attack would shut you down. The procedures for getting back up and running as quickly and efficiently as possible will involve the IT department. So sit up, take note and plan for the inevitable.
An attacker may be interested in stealing your corporate data or misdirecting funds, but more often than not, they’re simply interested in spreading havoc and panic. Through a Denial of Service (DoS) attack or malware injection, cyber attackers can quickly shut a business down. Recent high-profile victims include Wikileaks, Facebook and Twitter. However, it’s often more than just the victim that suffers. PayPal, VISA and MasterCard can attest to having fallen victim by association.
Any company is a potential target. It’s not just anonymous cyber terrorists waiting to pounce. A disgruntled employee could wreak just as much havoc on your systems, if not more so. Even if your IT system just fails, you have to be ready to bring it back up as seamlessly as possible.
Being closed for business, however temporarily, will cost the organization money. For an online retailer it’s even more obvious. If customers aren’t able to make purchases, there’s the immediate loss of revenue.
For a large manufacturing company, if its IT infrastructure fails and production has to shut down for 24 hours, the costs soon soar into the millions. The expenses aren’t limited to the immediate problem of restoring services or production. There’s lost time, ruined stock, ongoing costs of rebuilding confidence in the customer base (and potentially even the shareholders), plus lingering effects such as an increase in insurance premiums.
The 2010 AT&T Business Continuity Study reported that:
- Three-quarters (77 percent) of organizations indicate that employee use of mobile devices plays a major/minor role in the business continuity plan.
- Half (50 percent) of the companies have virtualized their computing infrastructure, with fewer than four out of 10 (38 percent) having implemented a business continuity plan for the virtual infrastructure.
- The majority (84 percent) of the companies surveyed have e-mail or text messaging capabilities to reach employees outside of work.
- Three-fourths (73 percent) have systems in place that enable most employees to work from home or remote locations.
On the surface, all of these resources offer a lifeline to an organization in the event of a general infrastructure failure. However, on a daily basis they can also throw open the doors to the outside world and place the company at extreme risk of disruption due to attack.
Audit and Validate
The IT team has many responsibilities, but there’s always the primary objective of delivering the best possible service. However, this doesn’t always promote the best security posture. Budgets are usually the biggest issue. The CEO must understand the need for enhanced security and ensure their IT team can deliver.
When the corporation has spent millions on network defense, it must ensure those investments are working to the optimum effectiveness. Regular audit and validation leads to enhanced security. This practice costs very little and is an essential process.
With constant vulnerability testing and security enhancement through configuration improvements, you and your IT and security teams can define and implement improved procedures. This constant review and revise process can even avoid additional capital expenditure in the form of unnecessary security devices or processes.
Ensuring your defenses are in optimal working order is not just the responsibility of your CIO, CSO or whoever leads your IT team. It goes all the way to the top. Full-strength and full-scale business continuity is one of the functions of the CEO and the board of directors, as part of their legal responsibility and charge by shareholders. It’s a major component of good corporate governance.
You wouldn’t build your office on the sand. Why allow your IT infrastructure to have insecure foundations? Ignoring your network defenses is tantamount to corporate suicide.
Ray Bryant is the CEO of Idappcom. His IT career started in the very early days at Control Data Corp. He has worked with Ciba Geigy and SSA Global Technologies. He also served as chairman and managing director of SLA Management Services. Since then, he has worked with Idappcom, which resulted in the acquisition of the Traffic IQ product range in 2009.