KEYS TO CONTINUITY

Understanding revolutionary shifts in Business Continuity Planning is key to an understanding of the changing nature of enterprise cyber risk. By James Hayes.

As a process, business continuity planning is the creation of systems of prevention and recovery to manage the threats an organisation is likely to face. Such systems can be designed to deal with a wide range of threat types beyond cyber; but increasingly, Business Continuity plans are put in place primarily with cyber exigencies in mind. As well as prevention and defence, the aim of a Business Continuity plan is to keep operations running before and during Disaster Recovery.

The terms ‘Business Continuity’ and ‘Disaster Recovery’ are sometimes used interchangeably, but in fact they apply to two distinct processes. Business Continuity has the wider scope: it refers to the procedural actions that an organisation’s chief officers take during a disastrous disruption to normal operations, to ensure that routine operations continue even as that disaster unfolds. Disaster Recovery, meanwhile, should be deemed a subset of the Business Continuity plan. It involves the restoration of critical ICT support systems and getting them back to normal running as fast as possible. Although different, the two plans should be harmonised and, to an extent, integrated.

Business Continuity plans should scope any event that could negatively impact operations, such as cyber attack, supply chain attacks, loss of or damage to critical infrastructure, natural disasters (floods, storms), and other emergencies, like fire. As such, a Business Continuity plan is itself a subset of enterprise risk management; however, there are theorists who are inclined to see both the Business Continuity and Disaster Recovery processes themselves as further subsets of an overarching Cyber Resilience Strategy.

In general, many larger organisations, especially commercial entities, now have a Business Continuity Officer (or even a team dedicated to the role) in place, although that does not necessarily entail c-suite-level power; small-to-medium enterprises (SMEs), by contrast, will not usually have a dedicated staff member assigned to Business Continuity responsibilities.

Into the 2020s, it seems inevitable that as senior executives acquire greater responsibility for governance of cyber, they will also be drawn into c-suite level discussions with specific regard to Business Continuity planning. Their input is, in any event, essential when it comes to the determination of Business Continuity parameters, such as the Maximum Tolerable Period of Disruption (MTPD) – that is to say, how long an organisation could survive without its crucial IT systems. These are questions that information technologists are usually not best placed to answer.

That said, ‘Business Continuity’ has become something of a tech buzzword, one that has acquired much deeper relevance as more organisations undertake a process of Digital Transformation.

A shift to cloud-based platforms is key to such transformations. On-premises IT infrastructure – where an organisation houses its own IT assets in facilities it owns or leases – is exposed to physical harm such as flood or fire, and moving away from it removes that exposure; but rather than feel more confident about the safety of their applications and data, it could be argued that organisations have simply swapped one set of vulnerabilities for another. For some senior executives, involvement in Business Continuity Planning will provide important insights into the way their organisations’ IT is provisioned and managed.

Sponsored by Zerto, a white paper from market analyst IDC (The State of IT Resilience) points out that many senior executives have never dealt with the intricacies of data availability and continuity until they are faced with a Digital Transformation initiative that changes the way business-critical applications and data are accessed. With the move to public cloud services, additional external and internal parties beyond the incumbent IT department are added to the governance mix. With that, a greater amount of application ownership and management is offloaded from IT onto the business owners and the services provider. Responsibility for the availability and continuity of the data and application is also spread among the additional parties.

The complexity of this task ‘requires a rethinking of what it means for an organisation to protect and recover business-critical data’, IDC says, in a climate where ‘transactions, intellectual property, and the nature of business are increasingly digital’. It also extends the range of stakeholder interests that a Business Continuity plan must cover – inclusive of those stakeholders who belong to the board or to the c-suite team.

INCIDENT COMMUNICATION AND SPEED OF RESPONSE

Speed of response to a disruptive or offensive incident has emerged as a critical aspect of Business Continuity plans. Very often with a cyber attack, for instance, the faster an organisation responds, the more limited the deleterious impacts on business operations will be. This calls for a communication plan to be central to the overall recovery scheme. Organisations need to determine who bears responsibility for communicating information about a cyber-attack, and how it will be delivered.

The Business Continuity Institute’s latest Cyber Resilience Report 2019 (produced with the support of Sungard AS) indicates that 66% of respondents found out about their most recent cyber security incident from the IT department, and 43% were informed via antivirus notification software, also likely to be managed by the IT department (respondents could evidently name more than one source). Thus, as the report’s data highlights, technology experts play a central role within an organisation, and therefore also carry a clear responsibility for communicating possible breach incidents to other teams in a timely and effective way.

The Business Continuity Institute acknowledges that this communication responsibility is challenging, as shown by previous industry research, which reveals that most IT leaders do not believe they communicate to the rest of their organisations in a ‘highly effective’ manner. More challenged still are organisations where the c-suite insists that news of incidents must be approved by nominated senior executives before it can be forwarded to the ‘rank-and-file’ workforce. Small delays of minutes could mean the difference between a multi-strike phishing attack succeeding and it being contained as soon as its initial victims have realised what has happened and alerted colleagues in IT. Meanwhile, co-workers who were away from their desks and missed the warning may still take the phishing bait, and the attack spreads further.

The Business Continuity Institute’s Cyber Resilience Report found an improvement in response time: 38% of organisations surveyed reckon they can respond to a cyber security incident ‘within one hour’, compared to 33% in 2018. However, 14% still take more than four hours to respond, similar to 2018’s 16%. These response periods differ according to the nature of the cyber threat involved. With malware, for example, fast reaction is key to reducing ‘dwell time’, the interval from the moment of infection to the point at which the malware is halted.

The Business Continuity Institute suggests that a Business Impact Analysis can help determine the Maximum Tolerable Period of Disruption (MTPD) or Maximum Acceptable Outage (MAO) that a cyber attack could inflict. The Business Continuity Officer/team can then use these metrics to set the target time to restore service, the Recovery Time Objective (RTO), which must fall within the MTPD; an RTO that the recovery plan cannot actually meet, or that exceeds the MTPD, leaves the plan unrealistic.
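One practical check that follows from this is to compare each business process’s MTPD from the Business Impact Analysis against the time it would really take to bring its supporting systems back, prerequisites included. The example below is added here and is not code from the Business Continuity Institute or the report; it assumes a simple model in which each system has an RTO in hours and a list of systems that must be restored before it, so the effective recovery time of a process is its longest restore chain. All process, system and timing data are constructed for illustration.

```python
"""Check BIA-derived MTPD values against the recovery plan's effective RTOs.

Model (an assumption for this example, not a standard):
  - each business process has an MTPD in hours and a set of supporting systems;
  - each system has its own RTO in hours and may list prerequisite systems
    that must be restored first (prerequisites restore in parallel with each
    other, then the dependent system restores after the slowest of them).
"""
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed BIA output: process -> (MTPD hours, supporting systems)
BIA: Dict[str, Tuple[int, List[str]]] = {
    "order processing": (8, ["erp", "payments"]),
    "customer support": (24, ["crm", "email"]),
    "payroll": (72, ["hr_system"]),
}

# Constructed recovery plan: system -> (RTO hours, prerequisite systems)
RECOVERY_PLAN: Dict[str, Tuple[int, List[str]]] = {
    "identity": (2, []),
    "network": (1, []),
    "erp": (8, ["identity", "network"]),   # cannot start until both are back
    "payments": (3, ["network"]),
    "crm": (4, ["identity"]),
    "email": (2, ["identity", "network"]),
    "hr_system": (12, ["identity"]),
}


def restore_time(system: str, plan: Dict[str, Tuple[int, List[str]]],
                 _path: Optional[FrozenSet[str]] = None) -> int:
    """Hours until `system` is usable, counting the slowest prerequisite chain.

    Raises ValueError on a dependency cycle (a cycle would mean the plan
    has no valid restore order at all).
    """
    path = _path or frozenset()
    if system in path:
        raise ValueError(f"dependency cycle involving {system}")
    rto, prereqs = plan[system]
    slowest_prereq = max(
        (restore_time(p, plan, path | {system}) for p in prereqs), default=0
    )
    return rto + slowest_prereq


def process_recovery_time(process: str, bia: Dict[str, Tuple[int, List[str]]],
                          plan: Dict[str, Tuple[int, List[str]]]) -> int:
    """A process is back only when its slowest supporting system is back."""
    _, systems = bia[process]
    return max(restore_time(s, plan) for s in systems)


def check_against_mtpd(bia: Dict[str, Tuple[int, List[str]]],
                       plan: Dict[str, Tuple[int, List[str]]]
                       ) -> Dict[str, Tuple[int, int, bool]]:
    """Return {process: (effective RTO hours, MTPD hours, within tolerance)}."""
    report = {}
    for process, (mtpd, _) in bia.items():
        effective = process_recovery_time(process, bia, plan)
        report[process] = (effective, mtpd, effective <= mtpd)
    return report


def breaches(bia: Dict[str, Tuple[int, List[str]]],
             plan: Dict[str, Tuple[int, List[str]]]) -> List[str]:
    """Processes whose effective recovery time exceeds their MTPD."""
    return [p for p, (_, _, ok) in check_against_mtpd(bia, plan).items() if not ok]


if __name__ == "__main__":
    for process, (effective, mtpd, ok) in check_against_mtpd(BIA, RECOVERY_PLAN).items():
        flag = "OK" if ok else "BREACH"
        print(f"{process:18s} effective RTO {effective:3d}h  MTPD {mtpd:3d}h  {flag}")
```

In the constructed data, the ERP system’s own 8-hour RTO looks acceptable against an 8-hour MTPD until the identity service it depends on is added to the chain, which is exactly the kind of gap a per-system RTO list hides and a BIA-to-plan comparison exposes.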

Historically, organisational responsibility for Business Continuity Planning has fallen to the IT function; but a gradual shift is underway. Databarracks’ annual Data Health Check survey – which questioned more than 400 IT decision-makers – found that c-suite-level executives now oversee Business Continuity plans at 25% of organisations in the UK, up from 21% in 2015. Meanwhile, IT leaders oversee Business Continuity plans in 42% of organisations, against a reported 27% in 2015. Seventeen per cent of those polled report that ‘IT managers’ are in charge of the process, down from 22% in 2015.

‘Business Continuity [has now become] a consideration for leaders across the entire [organisation], and not just the IT department,’ the Data Health Check concludes. ‘It is fine for [the IT directorate] to be involved, certainly; but the overall direction should come from management in the wider business. This is the best way to ensure that Business Continuity plans are effectively implemented and embedded throughout the [organisation].’

The report also adds that ‘more c-suite executives and other business leaders are taking control… CEO involvement is fairly strong at 25%, but only 10% said that the CFO is involved… It is important that a wide range of people – including IT leaders – are involved in Business Continuity plans – but we’re still not seeing enough buy-in from the c-suite. The pace of change remains slow.’ It is worth bearing in mind that, as Databarracks’ Data Health Check 2019 also notes, larger companies generally have a dedicated Business Continuity manager (or even a team), whereas SMEs will not normally have a dedicated member of staff who handles Business Continuity issues.