Business continuity plans are not just important; they are a business imperative. That is the big takeaway from the recent ransomware attack that temporarily shut down a major U.S. fuel artery.
Against the advice of security experts and the federal government, Colonial Pipeline caved to DarkSide’s demands and paid the ransom. However, the decryption key was so deficient that Colonial Pipeline was able to restore from their backups faster than they could get online again using the key.
Obviously, a lot of mistakes were made in this scenario, but without a business continuity plan in place, Colonial Pipeline would have fared much worse. A comprehensive, well-tested business continuity and disaster recovery strategy is key to getting operations up and running after a cyberattack or other unplanned outage. Without a plan in place, your organization is at the mercy of hackers and in danger of permanently losing valuable data, customers, and revenue.
Many businesses that thought they had their business continuity in hand found critical strategy gaps when COVID-19 added unanticipated pressure and stress to their infrastructure. For example, many IT teams weren’t prepared for the sudden shift to a remote work environment, and they were even less prepared to pivot to 100 percent virtual operations.
Other organizations found that some of their “critical” systems weren’t actually critical, but other “non-critical” systems really were. The problem with this discovery is that time and resources were invested in protecting what turned out to be non-essential functions, while some business-critical systems weren’t included in the plan and couldn’t be brought back online quickly.
Although some gaps in a business continuity plan are simple oversights, there are several specific factors that can alter the effectiveness of your plan, such as:
Any of these scenarios can significantly affect your ability to restore operations during a crisis, so it is essential to review the efficacy of your business continuity plan and adjust as needed.
To ensure your business continuity plan is ready for action, schedule regular plan reviews to check and double-check that all processes are in place, all critical systems and their dependencies are accounted for, and all crisis response team members know their role in the response and recovery effort.
Before you dive into a business continuity plan review, implement a few best practices to gather all the information you need about preparedness with the least amount of impact to productivity and daily operations.
Be considerate of other employees’ commitments when scheduling the plan review. A time that is convenient for IT might fall in the middle of another department’s end-of-quarter crunch time.
Let employees know what you will be assessing during the review so they know what to expect and they can plan and prepare accordingly.
Effective business continuity plans have set objectives. Be sure to share these objectives with employees and stakeholders so everyone knows what success looks like.
Post-COVID-19 business continuity objectives may look a lot different from pre-pandemic objectives. Adjusting (and publicizing) changes to the plan objectives prior to beginning the review will better align the results with the current landscape.
As mentioned above, sometimes the systems you think are essential really aren’t, and vice versa. But there are a few systems and processes that are always critical to continuity and should be included in every review, including:
The pandemic caused sweeping changes to the way most businesses function. Your first post-pandemic business continuity plan review must document these changes, including:
The business continuity plan is intended to get critical operations up and running during and immediately after a crisis, but the disaster recovery effort picks up the rest of the pieces and gets IT systems and infrastructure functioning. Any changes made to the business continuity plan should be reflected as appropriate in the disaster recovery plan.
When the business continuity plan review is complete, immediately analyze the results, compile the findings, and update the plan as needed. Present the new plan to the appropriate stakeholders as soon as it is ready, so the continuity team is prepared to handle a crisis.
Running a complete end-to-end plan review once a month is neither practical nor necessary. Following these generally accepted guidelines for testing frequency will help ensure your business continuity plan stays up-to-date and is ready to deploy as soon as the need arises:
The past year and a half has been a wild ride for businesses as they learned to navigate scenarios unimaginable prior to 2020. Even organizations that were proactive with their business continuity strategy were caught off guard by gaps uncovered during the pandemic.
Armed with a new perspective, it’s important for IT teams to review and revise their business continuity and disaster recovery plans to accommodate our new business reality. In addition, they must schedule regular, ongoing reviews to ensure they always have a current, complete continuity plan ready.