Business continuity. The two words we strive to uphold, manage, and withstand through any crisis. But surprisingly, not every business has a Business Continuity Plan (BCP) or even a Business Continuity Management (BCM) system in place. Risk has become an afterthought to them – like mosquitoes, they deal with threats as and when they appear rather than putting measures in place to avoid being bitten before the eggs even have time to hatch!
Disruption to business production can hit any company. Regardless of size, location, industry or revenue, disruption is like Gorilla Glue: it seeps into the smallest of crevices and expands tenfold (and it comes in all sorts of shapes and sizes). From natural disasters to pandemics, man-made attacks to service outages, system failures to cyber-attacks, the threats are endless and ever-present.
In fact, technological advancements have increased the risk tenfold, challenging companies like never before. In just a 7-month period last year, the world saw 5.90 billion data breaches (a monthly average of 1.46 billion) and over 2,359,114,047 breached records. And thanks to COVID-19, March alone saw 832,486,418 breached records.
As the number of connected devices continues to grow explosively, from 18 billion in 2016 to an estimated 75 billion in 2025, and the market size for artificial intelligence (AI) is expected to grow at 50 to 60 percent a year, the risk of disruption also increases. As it stands, businesses are now projected to be hit by ransomware every 14 seconds, and every 11 seconds by 2021.
Disruption in action
COVID-19 has created a new wave in ransomware attacks, hitting firms at their most vulnerable, and using the pandemic as a hook for victims. As companies scramble to adapt to the new way of working, there has been a surge in employees using personal, unmanaged devices to access confidential resources, bypassing security measures and leaving companies at risk of data loss and breaches.
In March, Tesco believed a database of usernames and passwords stolen from other platforms had been tried out on its websites, resulting in the reissuing of new cards to over 600,000 Clubcard account holders. Two days later, Boots also suspended payments using loyalty cards after a cyber attack on its customer database. Both companies advised customers to use two-factor authentication on their accounts, making it harder for an attacker to get in with reused passwords.
Hammersmith Medicines Research (HMR) was also hit in the same month, by the Maze ransomware group, who threatened to publish personal details of thousands of former patients if the company didn’t pay a ransom. The company, which carries out tests to develop Ebola vaccines and Alzheimer’s drugs, declined to pay. Despite it being a severe attack (and on a Saturday), HMR’s IT staff were able to halt it and restore their computer systems by the end of the same day, with no downtime.
What are business continuity management (BCM) and a BCM system, and how do they protect against disruption?
This is where a good Business Continuity Plan (BCP) and Business Continuity Management (BCM) system come into play. They are the all-singing, all-dancing repellents to the threats you face every day. You name the risk, a great BCM will more than likely have you covered, and a proactive BCP will show you how to respond to and recover from that risk.
But what are they, and why do they work hand in hand? A Business Continuity Management (BCM) system is a type of risk management designed to address the threat of disruptions to business activities or processes, and, yep, you’ve guessed it, a Business Continuity Plan is your action plan for how you will respond to and recover from these potential threats as effectively as possible.
It is your mosquito repellent cream and fly swatter all in one!
Both the BCM and the BCP enable you to prepare for business continuity rather than firefight through every emergency. They give you the opportunity to put precautions in place against short-term and long-term risks, minimise potential harm to the business (and to all audiences, including staff), and evolve defence measures against new threats.
BCM turned inside out
As intelligent platforms, innovative software and multifunctional components grow, so do cyber attackers’ skills. Disruption to businesses isn’t limited to the obvious, external risks; it includes risks that can affect any part of your business, which is why a BCM system is fundamental to the longevity of a business. Without business continuity, a natural or man-made disruption can result in a production standstill, loss of revenue, damaged reputation, legal and health and safety liabilities, asset breaches and so forth – the list goes on.
Business Continuity Management enables you to outline, prepare for and define the risks: assessing how much you can afford to lose if disruption resulted in shutdown, the impact on all parties (customers, suppliers, stakeholders etc.), media interaction and transparency, and how to balance the risks against all of the above.
A BCM can be as extensive or as consolidated as you have time for, but be warned: the more work that goes into the planning, the better prepared you are for any upcoming threats against the business.
A standard BCM includes the following components:
Business continuity plan (BCP) – this is an evolving written document that outlines the risk, response and recovery steps for a potential threat; it needs to be frequently reviewed and updated.
Business Impact Analysis (BIA) – crucial to the preparation of a BCP, a BIA predicts the effects that disruption of a business function or process can have on a company and gathers the information needed to develop recovery tactics.
Risk assessment – this gives you the opportunity to identify likely disasters and assess the damage they could cause within the business.
Disaster response and recovery – generally, these are a set of instructions on how to handle the risks from a technical point of view, outlining detailed procedures which need to be actioned as and when a disaster occurs. Effectively, it is your disaster instruction manual.
Technology – this includes any platform utilised before, during or after a disaster. It enables you to identify, monitor and maintain data backup and recovery solutions, storage, cyber protection, and user permissions, to name a few, finding the best tech solutions for business continuity.
Recovery teams & communication – a great BCM system is one that is managed by an effective, collaborative, and communicative team. Your dedicated recovery team has overall management of planning and carrying out disaster recovery procedures and is involved in every step of the BCM process. They are also responsible for communicating measures to the wider team, activating the BCP and identifying ongoing or new risks.
Testing & measurement – BCM systems and BCPs are not static. They must consistently evolve with a company to ensure that new threats have been countered, reaction and team response times are immediate, systems work, and so on. Testing enables companies to exercise every aspect of a disastrous situation from beginning to end, identifying any flaws or steps that need changing, and preparing for future risks that may not even have been considered the first time round. Testing and measurement is one of the most crucial aspects of any business continuity management system.
Test, test, and test again
Business continuity management can help you balance your risks – assessing the overall impact to revenue, production, reputation, and all audiences - enabling you to prepare for the worst-case scenario.
There are many ways to test and measure the effectiveness of your BCMs, but we have outlined the top three for ease of reference:
Paper-based exercises – periodically, bring together key workers from each department and read through the plan collectively, questioning every aspect of the process, gathering input from all departments and then enacting ‘what if’ scenarios that demonstrate the plan in action.
Communication spirals – on (at least) a six-monthly basis, test your communication structure with an immediate message that circulates to all management within the recovery team, who then have to cascade it among their teams. This will help identify any communication flaws: who has left, who needs to be quicker off the mark, etc. Bad communication means a flawed BCM.
Fall out – conduct a full rehearsal of your worst-case scenario. An expensive way to test your BCM, but also a highly effective way to identify the strengths and weaknesses of every measure you have in place.
The long and short of any new process or procedure is test, test, and test again. It’s an investment you don’t want to skimp on. Your business depends on it!
Business Continuity, Risk Management & Disaster Recovery – know the differences
Although similar in many respects, business continuity, risk management, and disaster recovery are three different disciplines.
Risk management identifies potential risks, analyses the impact of each risk, and takes precautionary steps to reduce it.
Business continuity is about how to continue working through a disruption in any part of the company: determining the minimum requirements to continue operations and outlining the steps to take against any disaster.
Disaster recovery is about resolving the disruption, focusing on the technical side of the process: identifying the critical systems required and how much data loss the company can afford.
All three methods work alongside each other, complementing every aspect of disaster prevention, preparation, and recovery – the optimal solution against overall disruption.
What is the standard and why is it important?
The Industry standard
Contingency planning and disaster recovery grew out of technology-led responses to natural disasters and terrorism during the 80s and 90s. As this evolved into more of a business-led process, preparing for any form of disruption, a benchmark of good practice in BCM was created.
ISO 22301 is the international management system standard for BCM. It provides a framework that specifies the requirements for a management system to protect against, reduce the likelihood of, and ensure that a business recovers from disruptive incidents.
Meeting BCM standards enables companies of any size or type to demonstrate to legislators, regulators, customers, and prospective customers, that they are adhering to good practice in BCM - it tells your audience that you are effectively protecting every aspect of the business!
It is basically the must-abide-to instructions you don’t want to ignore!
Adhering to industry standards is not just good for trust and transparency with all audiences; it ensures that best practice is met throughout every aspect of your business.
There are various programs* offered, but fundamentally, certification program requirements and eligibility standards are applied fairly, impartially, and consistently to all businesses.
Working in a similar way, most programs start by comparing your current BCM against ISO 22301 best practice standards and identifying the areas you need to improve. Once you have improved your BCM to meet ISO 22301 standards, you will receive a certificate which is valid for three years.
*Costs for these courses vary, so please do check the terms and conditions of each program.
Are you prepared?
Business continuity is effectively, the lifeline of your business. It helps you prepare for the unknown, the lurking mosquitos that make you itch, the gremlins in the digital world and all the business disasters you can think of (well most of them anyway).
No company is immune to an attack of some sort, but you can be prepared!
With over 15 years in the industry, 200,000 attacks prevented, and managing over 5000 petabytes across the globe, to say Acronis are passionate about disaster prevention would be an understatement.
From disaster recovery to cyber backup, cloud storage to physical and virtual workload protection, Acronis can do it all. No frills, no hidden costs, no endless add-ons – easy-to-implement protection that works alongside your BCM systems.