What is the difference between Business Continuity and Disaster Recovery?
Is having your company information backed up on the Cloud a Business Continuity Plan?
Unfortunately, the answer is “No”. I have encountered confusion around the differences and inter dependencies of Business Continuity and Disaster Recovery so this article aims to highlight the main points.
Being able to access your information is key to Business Continuity; however there is more to a Business Continuity Plan than availability of information.
Having a Business Continuity Plan means you have thought about the Products, Services and Activities your organization provides, put them in order of priority and identified options to continue working during an unexpected disruption.
You should have plans in place to cover:
- Loss of People
- Loss of Infrastructure
- Loss of Workspace
- Loss of Supply Chain
- Loss of Reputation
You should consider who would be the best people in your organization to respond to a crisis, record their details as the Response Team and give them the appropriate training and plans to succeed.
Being able to access your information is critical and if your information is only available on the Cloud with no other back up, this is a significant risk.
Accessing the Cloud relies on an internet connection – which may not always be available (one solar flare could disrupt telecommunications). Data on cloud services can be lost through a malicious attack, natural disaster, loss of encryption key or a data wipe by the service provider or you could be locked out of your systems due to a Ransomware attack.
To ensure your information is always available you should discuss your backup and Disaster Recovery System with ICT. The more frequently you back up your system the more expensive it becomes – would it matter if you lost a week of data? Do you need your systems to be replicated in real-time?
Check that the back-ups are tested regularly because you need to be confident they will work when you need them. If you don’t already have one in place, consider creating a manual system to fall back on while your back-ups are being restored (potentially onto new hardware).
Having robust Information Security Practices and Protocols protects your organization and selecting a responsible staff member or team to oversee this task will ensure it is taken seriously. Any new procedures should be developed in collaboration with the CISO (Chief Information Security Officer). One example would be to ensure users are only using Network Storage, in this case if their laptop is compromised for any reason there is no loss of data as it will still be available on the network.
Practice makes perfect – Exercise Business Continuity and Disaster Recovery
- Choose a realistic scenario for your industry and run a simulation exercise that involves loss of infrastructure (ICT in particular).
- Walk-through the entire process and run testing to ensure everybody is confident and understands their role, including identification of suspicious emails.
- Show staff what to do in particular scenarios, e.g. if they get a ransomware lock screen – unplug from the network and raise the alarm.
- Create a safe atmosphere where staff feel comfortable to report mistakes, such as opening a phishing email, so they act quickly and report the problem, rather than trying to hide it.
- Do these tests regularly and cover different areas of the business, include a Communications Plan where all interested parties are contacted – these may include:
- Chief Information Security Officer
- Information Security Response Team
- Insurance adjusters
- Local police, FBI or equivalent (depending on the type of incident – you may not want to draw media attention to your organization)
- Help Desk Director
- IT Management and managers of affected applications
- Senior Management
Have a look at this video for an insight into how an attack could occur:
This article has also been published by the Business Continuity Institute.