Business Continuity Plan: what it is and why you need one
Imagine, in the pleasant pre-pandemic world, that you — as the director of a small company set up in a simple rented office — are notified by the building manager at 5am of a serious leak in the building's water pipes. Because of this problem, the landlord announces that your staff may not be able to work there until the problem is solved.
Even worse: imagine that the leakage was so bad that it flooded your floor, the water damaging your computers, printers, and other work devices. In both cases, if you were not prepared for this, you would find your company unable to operate normally, either due to "Workplace Unavailability" or "IT Infrastructure Unavailability".
Imagining this scenario is the easiest way to understand what a Business Continuity Plan is and why it is necessary. It is a strategy, presented and documented on paper, that establishes guidelines, standards, and processes to be adopted in the event of a disaster or if an incident is identified that affects the normal operation of your business.
What about information security?
Before we proceed, it is important to remember that Availability is one of the three main pillars of Information Security (along with Confidentiality and Integrity). This means that the information needed for your core business - that is, the primary activity of your company - must always be available to those responsible for accessing, operating, or processing this information.
And that is exactly why the Business Continuity Plan must exist and be strongly linked to any Information Security Policy. Over the last few months, there have been several cases of entire companies being paralyzed by ransomware attacks: malicious code that "hijacks" corporate devices, locks up their content, and only releases it after a cash ransom is paid.
If you think this only happens to small companies, it is worth remembering that multinationals in various industries, from automotive factories to electric power generation and distribution groups, have suffered from this problem in 2020. Even the Brazilian Superior Court of Justice (STJ) was forced to cancel all court hearings for an entire week while it restored the backups of the servers that were affected by RansomEXX.
Of course, the pandemic has also created headaches in this regard, with executives scrambling to figure out how to securely provide access to employees working remotely. And ransomware is not the only type of malware that can cause workflow disruptions: any incident that leads to the loss of information can slow down your operations and affect the "Integrity" pillar.
It is better to be safe than sorry
These are the reasons why you need a Business Continuity Plan that has specific procedures with regard to risk analyses (what can happen with your information assets?), an impact analysis (how can a potential loss or inaccessibility of these assets impact your operations?), and strategic planning (what attitudes and actions should be taken?).
The goal here is to minimize the moral or financial damage that hours, days, or weeks of an operation being affected by a security incident can create for your company, overcoming crises in the most agile way possible and ensuring that your staff can continue to deliver the minimum necessary for your company to remain active.
This includes the use of backups, the adoption of redundancy for critical systems, and even incident investigation procedures to identify why an incident happened (and how to prevent it from happening again in the future). It is not easy to think of the worst-case scenarios you may face, but it is better to be safe than sorry; and if prevention did not work, you need to know in advance which remedy to use.
Article translated from: Plano de Continuidade de Negócios: o que é e por que você precisa de um — Perallis Security