What Does a Complete Business Continuity Plan Include?

JULY 9TH, 2020

By Venkat Reddy, Director, Software Engineering, Arcserve

If we had to pick a word to describe the business atmosphere over the past few years—and particularly the past few months—”uncertain” is an understated choice.  

Collectively, we’ve experienced devastating damage from wildfires, hurricanes, and flooding; weathered wild swings in the stock market; battled an increase in cyberattacks that get more severe and more expensive every year; and now we are navigating the economic fallout from a global pandemic. With all of this uncertainty surrounding business, it is important for organizations to develop a strategy to protect company assets and operations from potential disaster. A recent survey, Mercer’s Business Responses to the COVID-19 Outbreak, suggests that a staggering 51 percent of organizations around the world do not have a business continuity plan in the case of emergencies or disasters, such as the current outbreak of coronavirus. A business continuity plan (BCP) must be an integral part of this disaster preparedness strategy.

[Free eBook] Smart Strategies for Business Continuity: An IT Survival Guide. Download our free eBook to learn more >>

What Is a Business Continuity Plan, and Why Do You Need One?

A BCP is a blueprint that defines how your organization will prevent and recover from a disaster. Disasters come in many forms, including cyberattacks, system outages, natural disasters, fires, or other misfortunes. But no matter what the root cause, the goals of a BCP remain the same:

  • Maintain high availability
  • Meet SLAs to retain customers
  • Protect company data and resources
  • Minimize costs and revenue loss
  • Prevent legal and compliance implications
  • Keep the company running

To illustrate the devastating impact the lack of a BCP can have on operations, consider the 2018 SamSam ransomware attack on the City of Atlanta. The brute force attack brought government offices to a screeching halt for five days, and recovery cost the city more than $17 million. The attackers demanded about $50,000 in bitcoin (which they didn’t pay), and it cost Atlanta’s government $2.6 million on emergency contracts alone to piece their systems back together. Had there been a BCP in place, the City of Atlanta and its taxpayers could have avoided the expense and frustration of being caught unprepared for a disaster.

6 Must-Haves for an Effective Business Continuity Plan

Although every organization has its own unique business goals and infrastructure to protect, when it comes to deploying a BCP, several components need to be included in every plan.

Strategy and Advanced Planning

Don’t wait until there’s a hurricane off the coast to start working on your BCP. Start now and get input from all company stakeholders and employees to create a business impact analysis. This periodic analysis will predict the impact a disaster will have on the business and will identify potential loss scenarios. Many organizations run a mix of legacy, new, and cloud/virtual systems. Recovery looks different for all of these workloads, so it is important to assess multi-generational environment recovery needs to ensure you have the proper recovery tools for every environment. Not every system is mission-critical, so establish disaster recovery priorities that clearly define where to start the recovery effort to get essential business applications back online quickly.

Business Continuity Team

Your business continuity team is going to take the lead during a disaster. Assign a specific role to every team member, and then let all of your employees and stakeholders know who is in charge of what. It is important to establish communications protocols to keep everyone connected throughout the crisis. Publish emergency contact information for business continuity team members and identify alternative communication methods in case the company’s phone and email systems are down or facilities are closed. To ensure your business continuity team is ready for recovery, conduct regular training, testing, practice sessions, and mock drills throughout the year and make adjustments to the process and tools as needed.

Known and Potential Risks

Create a comprehensive list of risks—from highly likely to not very likely but still possible—based on your organization’s specific circumstances. For example, the human element is inherent in every company, so your list should include risks such as human error, clicking malicious links, and unsafe internet habits. If your business is located in a hurricane-prone area, a flood zone, or a region that experiences frequent wildfires, be sure to add those to the list. Cyberthreats are also a common risk, so document any past breaches or attacks and identify any known security vulnerabilities (e.g., the default password on all new company email accounts is password), and enforce strong password policies and recovery methods with up-to-date tooling

Plan to Minimize Impact on Operations

Meeting service level agreements (SLAs) is a top priority during a disaster. Your BCP should include specific details on how you intend to meet SLAs. Be sure to update the BCP regularly with any changes to the SLAs. In the event of a physical disaster, document the steps needed to replace or recover essential equipment and services, such as servers and email. Also, be ready to support secure remote workstations. As COVID-19 painfully illustrated, it is crucial to have an infrastructure in place for secure off-site access to company resources well in advance of needing them.

Secure Off-Site/Cloud Backup Storage

How you protect your backups is going to make all the difference in your recovery efforts. Off-site storage is a given, but cloud storage is the safest option. In the cloud, your backups will be accessible to anyone with the right authorization, regardless of location; they won’t be affected by physical threats; and they can be restored quickly during recovery. Also, be sure to restrict access to the backup files from the company network. Some types of cyberthreats, such as ransomware, can infiltrate the backups and delete or encrypt the files, rendering them useless.

A Simple, Practical, Step-by-Step Recovery Plan

Write your BCP in language anyone can understand and follow, not just IT. You never know who will still be around to implement disaster recovery, so make sure everyone in the organization understands what to do. Don’t forget to practice the plan regularly with the entire company before you have a real reason to use it. A comprehensive BCP is crucial to protecting your company’s assets, data, and bottom line. Enlisting the help of professionals with decades of experience with helping companies prevent and recover from disasters is the best way to ensure your BCP gets operations up and running quickly after a disaster or security event. To learn more about successfully overcoming data loss and downtime and why you need a predictable and sustainable BCP, download Arcserve’s free guide, Smart Strategies for Business Continuity.