Manoharan Mudaliar

Cyber Security Consultant

How to Create an Effective Business Continuity Plan

The COVID-19 pandemic has led to a complicated period of acceleration and innovation for businesses across the globe. Industries have come up with better technologies, while adapting to new channels of communication and work from home practices. All of this has been achieved in an astoundingly limited period of time.

However, with the troublesome work-from-home scenario, businesses have also had to grapple with the fear of cyber security exposure. Remote work is the new norm today, and employees are logging in to company portals from unmonitored networks and computer systems.

The need of the hour for businesses today is to come up with a business continuity plan. A business continuity plan can be defined as a well drafted plan of action that dictates the modus operandi businesses follow when they are faced with a major disruption. The plan outlines all instructions and procedures that should be followed by businesses during such disasters. It not only covers business continuity, but it also oversees business processes, human resources, assets and partners.

With the current COVID-19 pandemic in perspective, it is necessary that businesses draft a plan that safeguards them from the risk of a cyber attack. Cyber attacks, including malware, can put your internal data at risk. Additionally, the confidential consumer data you hold can also be breached during such an attack.

A Look Into Cyber Attacks Today

Almost 96 percent of all businesses in the United Kingdom suffered a cyber attack during the last year. While cyber attacks previously targeted important financial data, hackers have realized the potential in the market for consumer data, including date of birth, password hashes, email addresses and usernames.

A recent scam involving Dubsmash, MyFitnessPal, MyHeritage and ShareThis saw important consumer data from over 200 million user accounts stolen and put up for sale on the Dream Market dark web marketplace. This new revenue stream has brought in a group of eagle-eyed hackers looking to attack and breach sensitive consumer data.

The average cost of a single data breach caused by a cyber attack hovers around $3.62 million. This is a staggering amount that most businesses today aren’t able to meet. This is exactly why almost 60 percent of small and budding companies go out of business within six months of falling victim to a cyber attack that leads to a data breach.

A business continuity plan does not take a lot to build, but it sure can be the difference between shutting down after a cyber attack and continuing to function properly.

Anatomy of a Business Continuity Plan

If your organization doesn’t have a business continuity plan in place already, then you have to start by assessing your core business processes, the areas inside your organization that are most vulnerable and the potential losses you will incur daily if these processes go down.

Once identified, you can proceed with developing your business continuity plan. This would entail the following general steps:

  1. Identify the scope of your plan
  2. Identify all key business areas that would shut down as a result of a cyber attack
  3. Identify all critical functions in your organization
  4. Identify how output and productivity are focused or dependent on certain functions and areas
  5. Determine the downtime that it will take for you to perform each critical function
  6. Create an actionable plan for maintaining operations in the face of disaster

Maintaining a checklist helps you make sure you have covered everything you should. The checklist should include the location of your data backups, along with where the plan is available and who you can trust with overseeing key business processes when disaster strikes.

While you are creating your business continuity plan, interview and talk to people and employees who have previously gone through similar experiences of data breaches and cyber attacks. Hear their ‘war stories’ and understand the mentality that helped them pull out of that mess. People usually like sharing tips and tricks on how they saved the day, so you won’t face much resistance here. The insights you get from experienced people will actually help you craft a plan.

Test Your Business Continuity Plan

Hope for the best, but be prepared for the worst. Once you have a business continuity plan on paper, it is necessary that you test and approve it, before relying on it to get you through cyber attacks. Testing a plan is the only way for you to know whether it will work or bust.

To make the testing process difficult and almost life-like, you have to create an artificial cyber attack with the sole purpose of breaking your business continuity plan. Do not go for an easy scenario where you come out high-fiving each other when the plan actually isn’t ready for real-life situations. Create a complicated attack that actually tests and strains every part of your plan.

Test how your task teams perform, and if you are in sync with the targets you have set in the actual plan. To make the situation even more life-like, you can promise recovery teams a bonus if they get through the situation in the desired time.

There are three basic ways for you to test and explicate your business continuity plan on an annual basis.

  1. Start with tabletop exercises that take place inside a conference room and involve team members poring over the plan and its possible limitations. Have the best talent in your firm come together on a quarterly basis to check for chinks in the armor.
  2. Secondly, you have the option of a structured walk-through, where every team member walks through their components of the plan. Keep different disasters or types of cyber crime in mind and rehearse what each member would do in the face of the actual disaster. This will help you locate whatever weaknesses there are in the plan.
  3. Lastly, you can go through disaster simulation testing to design an environment that simulates an actual cyber attack. The purpose of a simulation is to find out whether you can actually carry out core business functions during the attack.

Try including new employees into the team every once in a while, so that their fresh eyes can detect any lapses of information that other members might overlook.

Organizations with a website can go for web penetration testing to identify any gaps within their website. You can opt for the following well established methodologies to pen test your website.

  • OSSTMM (Open Source Security Testing Methodology Manual)
  • OWASP (Open Web Application Security Project)
  • ISSAF (Information Systems Security Assessment Framework)
  • PTF (Penetration Testing Framework)
  • PCI DSS (Payment Card Industry Data Security Standard)

These methodologies will help you run penetration tests on your website and check its response.

Tips to Create an Effective Business Continuity Plan

You can create an effective business continuity plan with the following tips:

Establish Communication Lines

Your business continuity plan should establish communication lines within the organization. An employee who detects a cyber security issue on their remote system while working at home should know who to contact in the moment. News of an attack or any update should immediately get to the team in action without delays.

Back-ups

A continuity plan should ensure that the business has good, regular and clean back-ups of the entire IT state available on a daily basis. Running back-ups every month doesn’t work anymore, which is why you need to have daily back-ups preferably, or weekly back-ups at worst. Ensure that your back-up is secured in a remote network, as there have been instances of ransomware attacks running into the back-up and shutting that down as well.
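
The back-up requirements above (daily preferred, weekly at worst, clean, and stored away from the production network) can be checked automatically. The following is an added example, not part of the original article; the record fields, network names and sample data are constructed assumptions.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Thresholds from the paragraph above: daily preferred, weekly at worst.
PREFERRED_MAX_AGE = timedelta(days=1)
WORST_CASE_MAX_AGE = timedelta(days=7)

def audit_backup(record, payload, now, production_networks):
    """Return findings for one back-up; an empty list means it passes."""
    findings = []
    age = now - record["completed_at"]
    if age > WORST_CASE_MAX_AGE:
        findings.append("stale")        # older than the weekly worst case
    elif age > PREFERRED_MAX_AGE:
        findings.append("not-daily")    # usable, but misses the daily target
    # "Clean": stored bytes must still match the digest recorded at back-up time.
    if hashlib.sha256(payload).hexdigest() != record["sha256"]:
        findings.append("integrity")
    # "Remote": a copy reachable from production can be hit by the same ransomware.
    if record["network"] in production_networks:
        findings.append("not-isolated")
    return findings

def run_demo():
    """Audit three constructed back-up records (hypothetical names and networks)."""
    now = datetime(2021, 1, 15, 6, 0, tzinfo=timezone.utc)
    good = b"constructed sample: finance database dump"
    share = b"constructed sample: file share archive"
    mail = b"constructed sample: mail store"
    catalog = [
        ({"name": "finance-db", "completed_at": now - timedelta(hours=5),
          "sha256": hashlib.sha256(good).hexdigest(), "network": "offsite-vault"}, good),
        ({"name": "file-share", "completed_at": now - timedelta(days=3),
          "sha256": hashlib.sha256(share).hexdigest(), "network": "offsite-vault"}, share),
        # Monthly back-up on the office LAN whose contents no longer match the digest.
        ({"name": "mail-server", "completed_at": now - timedelta(days=30),
          "sha256": hashlib.sha256(mail).hexdigest(), "network": "office-lan"},
         b"constructed sample: overwritten bytes"),
    ]
    return {rec["name"]: audit_backup(rec, data, now, {"office-lan"})
            for rec, data in catalog}

if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, "OK" if not findings else ", ".join(findings))
```
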

Prepare a Plan for Each Essential Service

If you have identified multiple essential services in your business, then you need to come up with a plan for all essential services separately. You should follow all that we have mentioned above to come up with a separate plan for each service or silo. Identify individuals tasked with looking after each service, so that there aren’t any last minute hiccups.

Keep the Virus From Spreading

One of your first plans of action after a cyber attack is to stop the virus from spreading. Disconnect the internet, change settings for the firewall, update credentials for affected systems and remove remote access altogether. The virus shouldn’t be allowed to spread, as that will worsen the damage.

Regardless of how prepared you are, a cyber security consultant can do wonders for your business continuity plan. If you are looking for someone to ramp up your business continuity plan, then you have come knocking on the right door.

I’m a certified information security manager with extensive experience in helping organizations from various industries devise cyber security protocols and measures to ward off sophisticated and invasive cyber threats.