Cybersecurity Considerations for Your Business Continuity Planning
With every passing year, cybersecurity becomes more of a concern for business continuity planning initiatives. Participants in the 2016 Business Continuity Institute Horizon Scan ranked cyberattack as their No. 1 threat, with data breach a close second. Over the last few years, these two categories have climbed the ranks in terms of most significant threats—an indication of how rapidly cybersecurity has become a key concern of business continuity professionals across the globe.
There is no doubt that businesses of all kinds must include cybersecurity concerns in their business continuity plans, right along with more traditional threats, such as severe weather or supply-chain disruptions. However, cybersecurity requires a special degree of attention, because a cyberattack or data breach can have such wide-reaching effects throughout an entire organization, as well as among its partners and customers.
As you work to incorporate cybersecurity concerns into your business continuity planning, be sure to consider these important points:
Cybersecurity and business continuity are codependent
In today’s hyperconnected world, cybersecurity concerns and business continuity are inseparable. As we see every year, cyberattacks and data breaches can significantly disrupt an organization—or even put it out of business—due to lost data, compromised personal or financial information, unplanned downtime, and other challenges. A single cybersecurity incident can result in lost productivity, decreased revenue, and a damaged reputation.
There’s no denying that cybersecurity and business continuity must be two sides of the same coin. Once considered two separate entities altogether, they should now, ideally, work together to minimize costs, protect data, and streamline a timely and effective response to any attacks or data breaches.
Business continuity staff need to be IT-minded
As the business continuity manager, you have an opportunity to educate your team, and the business continuity management steering committee, on the important role that cybersecurity plays in business continuity efforts overall. Many organizations have to fight the assumption that IT security is “owned by” the IT department. In reality, the entire business has a stake in protecting its digital data and systems.
Consider holding a brief workshop on the importance of IT security. Educate your team, and the business continuity management steering committee, on the key facets of IT and how they impact the entire organization. Give them an overview of the IT security techniques and systems used, as well as the core challenges associated with safeguarding network-enabled technologies, including increasingly sophisticated hacking strategies and good, old-fashioned human error. Explain how difficult it can be to fully recover IT networks and systems and ensure proper operation, all of which are vital to business continuity.
Business continuity planning must account for IT-dependent applications
Consider your most recent business impact analysis. Does it account for all IT-dependent applications, such as the organization’s website, social media accounts, and shared and restricted network drives—and all the valuable information stored within? Does it fully identify all critical IT processes, data, and locations that support the organization’s revenue, customer information, trade secrets, and other keys to success?
To ensure continuity of IT-related systems, be sure to incorporate secure work-arounds or redundancy into your business continuity planning, allowing stakeholders to gain access in the event of a system or network failure. And remember to thoroughly test all backup systems.
Crisis communication should be integrated
Finally, consider whether or not your organization is prepared to quickly and effectively respond to and communicate with external stakeholders during a cybersecurity incident. If a breach occurs, you will need to issue statements and updates to customers, partners, the media, and other interested parties.
It’s no longer enough to meet baseline technical requirements for post-incident response and communications with regulators and consumers. You should also work to “get out ahead of” any incidents by communicating the appropriate information to all involved parties. Consider integrating the organization’s official, mandated response with communication through other outlets, such as social media. This will help keep your messaging consistent and ensure that the company’s reputation is being managed well.