How to create a business continuity plan
Having a plan can mean the difference between recovery and disaster
No one likes to think about the worst thing that could happen to their organisation. But the more complex our IT architectures become - particularly with varying cloud or hybrid platforms - the more essential it is to have a business continuity plan in place in case of downtime.
In the past two years, 95% of enterprises have had to deal with at least one data centre outage, according to Gravic Inc. These disruptions sideline entire data centres, not just single systems. A study from the Ponemon Institute into data breaches in 2018 has shown that the average total cost of a data breach last year was $3.86 million, with the most costly component being lost business. Even a small disruption to business will cost money, so having a plan in place can mitigate revenue losses.
A business continuity plan is more than just making sure critical IT and services are available if disruption occurs, or being able to restore functions quickly. A good plan should aim to keep the complete ecosystem of critical business functions operational in the event of a serious incident.
Why have a business continuity plan?
There is a wide range of reasons why an organisation should have a business continuity plan in place.
Firstly, it is a communication tool. Having a plan in place means that everyone will know what to do in an emergency. In a disaster, if someone doesn't know what role they need to play, the risks aren't going to be mitigated.
Secondly, it means that your organisation is proactive. When disaster strikes, people will know what to do instead of trying to figure things out as they go along. This also helps manage any negative impact on the company's reputation; it may be difficult to avoid data breaches entirely, but demonstrating preparedness will make clients more understanding.
Thirdly, having a plan means that you have a good chance of recovering from disaster. When you protect mission-critical parts of a business, there is a good chance of survival and staff morale will be higher for it.
Not only does having a plan increase your chances of recovering from an incident, but it also reduces the likelihood of you having another one. Businesses that don't have a business continuity plan have a 32.3% likelihood of suffering a data breach at some point over the next two years, but this falls to 23.4% for businesses with a plan, according to the Ponemon Institute.
Finally, a business continuity plan can reduce the time it takes to identify and contain a data breach, especially if staff have a structured plan to follow. It significantly minimises disruption if teams are aware of what steps they need to take to keep the business up and running.
What's in a business continuity plan?
A plan should provide a roadmap for employees so they know what to do when things go bad. Such a plan should include the following.
Threat analysis: natural disasters, such as a flood, can destroy IT infrastructure, while a cybersecurity hack can take your network offline but not affect personnel. Bombs could kill people and destroy equipment. It's important to cover what to do for all major possible threats.
Who's responsible: when disaster strikes, an organisation should have a list of personnel to contact and what their role in the continuity plan will be. An organisation should also keep contact details of external services, such as police, fire, etc.
Plan a backup: it is important to keep a backup of important data offsite, away from where the organisation is based. Consideration should also be given to backup power supplies. In addition to uninterruptible power supplies, one should also consider what to do if the power will be out for a considerable amount of time.
Alternative comms and operational sites: if you have no telephones or internet, you need to plan how you will keep in contact with customers, employees and others. A plan should also cover how and where to set up operations in an alternative location.
Increasingly, organisations are putting in place formal disaster recovery (DR) processes as part of their business continuity plans.
A global study into DR processes in 2018 showed that 39% of companies had an automated DR process in place, up from just 16% in 2017. Using automated processes like this to get your business up and running in the event of a breach is a good way to make significant cost savings.
Managing a business continuity plan
Managing a business continuity plan means keeping it up to date and changing details to ensure they are correct. It is also important to review the impact of new processes, systems and technology on a regular basis and add these to the original plan.
Those responsible for the plan should also make sure that all employees who could be affected by a disruption to the business have read and understood the plan, what their role in the implementation is and how the plan will be executed. Even non-essential personnel should be informed about such things as building evacuation measures, as well as emergency locations.
In the event of a breach, the business continuity plan should be reviewed and adapted if necessary to further minimise disruption in the future.