Cybersecurity and BCP – The Evolution of Business Continuity Planning

Years ago when I got involved in what was then called “Business Assurance Planning”, the top threats to sustain business operations were fire, power outage, and natural disasters like floods, bad weather, earthquake.  All of the contingency planning centered around finding another location work out of and making sure IT systems were backed up with copies stored off site.  Then Y2K brought awareness of the vulnerabilities of all the IT systems we rely upon, even in the absence of a natural disaster, and we started to think about how we would operate if our IT systems stopped functioning.

Today, we have mobile devices and cloud based systems and the number one threat these days are cyber-attacks; hacking, loss of data, data breaches, randsomware, loss of service…  Technology keeps evolving at an ever rapid pace and we have become even more reliant on electronic systems and services to keep our businesses alive.  This requires our Business Continuity Planning Strategy to also continue to evolve to keep up with the current times.  Just having a plan in place from a few years ago does not mean it is still appropriate for your business today.  Just a few years ago, it would have been acceptable to back up critical systems on CDs/DVDs/Tapes and store them off site in the event the system went down and you needed to access the information.   So you just loaded the CD/DVD/Tape into another computer and got what you needed. 
In today’s world, electronic systems perform many  tasks to support the critical functions for large and small businesses; such as customer service, ordering, accounting, payroll, inventory, taxes, shipping, communications, manufacturing, training, and the list goes on.
The questions to ask are – If these systems were to become unavailable, would you be able to continue to perform these functions some other way?  If not, how long could you wait until the interruption spelled serious trouble for your business?  What will it cost you (in terms of lost business, loss of sensitive data, loss of customer confidence) if a particular system was lost (for any reason)?  What would it cost you to put in a contingency plan to provide back up for this system?  These questions need to be asked on a regular basis, not just once, as the answers will change over time.
The answers to these questions will help drive the Business Continuity Planning effort to focus on key critical functions and come up with proactive plans to address the what-if scenarios so you will be prepared in the event of an outage. 
BCP planning for potential cyber-attacks involves close cooperation between the business owners and IT professionals or vendors in your organization.  It involves technical as well as procedural controls be put in place.  And it involves challenging these protections on a regular basis.  Tecnh8icla protections include such measures as firewalls, strong password requirements, encryption of data, etc.  Procedural controls include such measures as password aging (require frequent reset), limiting access of critical data to key individuals only, background checks of employees, policies on providing information, information protection policies (ex. Clean desk  - do not leave any paperwork on your desk when your leave your desk, Secure devices – company information cannot be transmitted over personal devices, Help Desk policy – individuals identify must be confirmed prior to resetting passwords or  providing any assistance to enable the individual to access the system, Internet policy – only allowed secure devices are allowed on the internet, Cell phone policy – no cell phones in areas where sensitive data / operations reside, etc.).  All of these control measures must be challenged on a regular basis as part of BCP testing and any vulnerabilities found must be remediated and the plan updated as needed to maintain a secure environment.