Business continuity plans are not just important; they are a business imperative. That is the big takeaway from the recent ransomware attack that temporarily shut down a major U.S. fuel artery.
Against the advice of security experts and the federal government, Colonial Pipeline caved to DarkSide’s demands and paid the ransom. However, the decryption key was so deficient that Colonial Pipeline was able to restore from their backups faster than they could get online again using the key.
Why Business Continuity Matters
Obviously, a lot of mistakes were made in this scenario, but without a business continuity plan in place, Colonial Pipeline would have fared much worse. A comprehensive, well-tested business continuity and disaster recovery strategy is key to getting operations up and running after a cyberattack or other unplanned outage. Without a plan in place, your organization is at the mercy of hackers and in danger of permanently losing valuable data, customers, and revenue.
The Lessons of COVID-19
Many businesses that thought they had their business continuity in hand found critical strategy gaps when COVID-19 added unanticipated pressure and stress to their infrastructure. For example, many IT teams weren’t prepared for the sudden shift to a remote work environment, and they were even less prepared to pivot to 100 percent virtual operations.
Other organizations found that some of their “critical” systems weren’t actually critical, but other “non-critical” systems really were. The problem with this discovery is that time and resources were invested in protecting what turned out to be non-essential functions, while some business-critical systems weren’t included in the plan and couldn’t be brought back online quickly.
Factors in Recovery Plan Effectiveness
Although some gaps in a business continuity plan are simple oversights, there are several specific factors that can alter the effectiveness of your plan, such as:
- Technology upgrades may impact critical system recovery
- Staff changes may affect the response team
- New company policies can change processes
- New and evolving threats
Any of these scenarios can significantly affect your ability to restore operations during a crisis, so it is essential to review the efficacy of your business continuity plan and adjust as needed.
8 Tips to Get the Most Out of Your Business Continuity Plan Review
To ensure your business continuity plan is ready for action, schedule regular plan reviews to double-check that all processes are in place, all critical systems and their dependencies are accounted for, and all crisis response team members know their role in the response and recovery effort.
Before you dive into a business continuity plan review, implement a few best practices to gather all the information you need about preparedness with the least amount of impact to productivity and daily operations.
1. Minimize disruption to normal workflow.
Be considerate of other employees’ commitments when scheduling the plan review. A time that is convenient for IT might fall in the middle of another department’s end-of-quarter crunch time.
2. Set expectations in advance.
Let employees know what you will be assessing during the review so they know what to expect and they can plan and prepare accordingly.
3. Establish review objectives upfront.
Effective business continuity plans have set objectives. Be sure to share these objectives with employees and stakeholders so everyone knows what success looks like.
4. Reevaluate objectives as needed.
Post-COVID-19 business continuity objectives may look a lot different from pre-pandemic objectives. Adjusting (and publicizing) changes to the plan objectives prior to beginning the review will better align the results with the current landscape.
5. Gauge preparedness of key continuity systems and processes.
As mentioned above, sometimes the systems you think are essential really aren’t, and vice versa. But there are a few systems and processes that are always critical to continuity and should be part of every review, including:
- Contact lists
- Communication channels
- Supply chain
- Essential personnel
- Data backup and restoration
6. Document any changes to equipment, resources, and policies.
The pandemic caused sweeping changes to the way most businesses function. Your first post-pandemic business continuity plan review must document these changes, including:
- New equipment to support remote workers
- Resources such as SaaS solutions
- Changes to security and device usage policies
7. Review the disaster recovery plan to ensure it still fits with the updated business continuity strategy.
The business continuity plan is intended to get critical operations up and running during and immediately after a crisis, but the disaster recovery effort picks up the rest of the pieces and gets IT systems and infrastructure functioning. Any changes made to the business continuity plan should be reflected as appropriate in the disaster recovery plan.
8. Present the new plan to leadership and stakeholders to ensure it’s available immediately.
When the business continuity plan review is complete, immediately analyze the results, compile the findings, and update the plan as needed. Present the new plan to the appropriate stakeholders as soon as it is ready, so the continuity team is prepared to handle a crisis.
How Often Does a Business Continuity Plan Need to Be Reviewed?
Running a complete end-to-end plan review once a month is neither practical nor necessary. Following these generally accepted guidelines for testing frequency will help ensure your business continuity plan stays up to date and is ready to deploy as soon as the need arises:
- Checklist test: Twice a year
- Emergency drill: Once a year
- Tabletop review: Every other year
- Comprehensive review: Every other year
- Recovery simulation test: Every 2-3 years
- Unscheduled reviews: As needed; events that warrant an unscheduled review include major system outages, security events, technology changes, and staffing changes
The New Era of Business Continuity
The past year and a half has been a wild ride for businesses as they learned to navigate scenarios unimaginable prior to 2020. Even organizations that were proactive with their business continuity strategy were caught off guard by gaps uncovered during the pandemic.
Armed with a new perspective, IT teams need to review and revise their business continuity and disaster recovery plans to accommodate our new business reality. In addition, they must schedule regular, ongoing reviews to ensure they always have a current, complete continuity plan ready.