In the wake of several high-profile ransomware attacks against critical infrastructure sectors, the U.S. Department of Justice (DOJ) announced that it would begin investigating ransomware attacks with the same level of scrutiny with which it investigates terrorism.Although this escalation may at first seem extreme, in reality, ransomware is quickly becoming IT security teams’ biggest cybersecurity concern.
The onset of the COVID-19 crisis ushered in a new era of ransomware. Attacks became more frequent, more targeted, and more difficult to defend against.
In response, IT teams are taking a hard look at their business continuity plans and updating them to address new and previously unnoticed vulnerabilities the pandemic uncovered.
Hackers and ransomware aren’t the only reasons an up-to-date business continuity plan is essential. Unplanned network disruptions and outages can be caused by natural disasters, technology failures, global health crises, and even human error.
The middle of a crisis is the wrong time to start thinking about how to keep the business running, which is why every organization—from two-person startups to Amazon—needs to proactively plan for both business continuity and disaster recovery.
A business continuity plan is all the processes, policies, and procedures that allow an organization to manage risk, minimize disruption to business-critical services, and restore operations quickly during and after a disaster.
The primary objective of a business continuity plan is to “keep the lights on” so critical business operations can continue to run during a disaster.
A disaster recovery plan is a step-by-step guide for getting your IT systems back up and running quickly after a crisis has passed to minimize downtime and prevent data loss.
The primary objectives of a disaster recovery plan are to proactively protect data with backups, re-enable systems and technology after a crisis, and restore any affected data.
Both business continuity and disaster recovery plans are essential to supporting an organization’s resilience, with business continuity more focused on business objectives and disaster recovery focusing on the technology infrastructure.
A robust business continuity plan will detail all of the processes and policies needed to minimize the impact of a disaster on operations.
Every plan will be tailored to each organization’s specific objectives and requirements, but there are a few key components every plan should include:
Regularly scheduled tests and reviews of your business continuity plan are critical to ensure the plan will work when and how it needs to in a crisis.
Use the review as an opportunity to:
Not every part of the plan needs to be reviewed each time, but establishing and adhering to a review schedule will keep your business continuity plan current and ready to be deployed.
As important as it is to conduct regular business continuity plan reviews, there are times when impromptu reviews are appropriate.
For example, it is a best practice to spontaneously test how prepared employees are to carry out the plan in the event of a real crisis.
Any time there is a major disruptive event, the business continuity team should run through the plan. Some types of events that warrant an unscheduled business continuity plan review include:
Reviewing and updating the business continuity plan after these types of events will help IT and the business continuity team:
Without a business continuity plan in place, organizations risk losing data, revenue, and customers. Scheduling regular reviews of the plan—and spontaneously testing it as needed—will help ensure all critical systems can be quickly brought back online after an unplanned disruption.
Download Smart Strategies for Business Continuity to learn more ways to protect your business operations and your data from cyberthreats and other types of disasters.