Business Continuity Plan
Business as Usual?
In times of sudden change, be it a natural disaster, electronic failures or global pandemics, having a business continuity plan is essential for an organisation determined to weather a storm. Being able to continue operations and trading can not only save a business, but also help strengthen it at a time when others are failing.
If, however, you are less than prepared for a significant disruption and are now assessing the effect this will have on your organisation, it’s worth noting that you're not the only one: around 46% of UK businesses are also not confident that their security plans are up to date.
Covid-19/Coronavirus
At this time of Coronavirus outbreak, many businesses are now learning that, when disruptions strike, a business continuity plan can save not only individual businesses, but perhaps whole industries and sectors.
As the vulnerable are being told to self-isolate, the public to socially distance themselves and employees forced to work from home, businesses of all kinds are taking the hit. Although this is affecting businesses across the world and global economies are seeing major downturns, some solace can be taken in the learning opportunity that this crisis presents.
Not only can we learn a great deal about the way global health services deal with such a crisis, but businesses also have the chance to think more deeply and seriously, moving forward, about their business continuity planning.
What is a Business Continuity Plan?
Business continuity planning (BCP) is the process of imagining potential events and scenarios that could cause disruption to an organisation’s operations, then finding solutions, preventative measures and functioning workarounds that allow those operations either to continue uninterrupted or to be resumed as quickly as possible.
What Can be Done Now?
Despite the possibility that your business may not have been best prepared to enter this time of uncertainty, there is plenty that can be done now to help mitigate the risks presenting themselves.
Assess your current operations
Although it may seem daunting, continuing operations in the absence of a well-defined continuity plan requires a sober look at your current way of working. For example, if employees are unable to travel to work, do you have the hardware available to issue workers with the laptops needed for remote working?
What are the channels that you currently use for communication and are they fit for purpose when your organisation is required to offer regular updates to policy, projects and ongoing practices? If not, then many providers are offering services on a discounted, or temporarily free basis to help fight the coronavirus disruption.
Find workable solutions
This is obviously easier said than done, but beyond assessing your current situation, finding solutions to meet your needs doesn’t always have to mean finding the perfect solution. Rather, it means finding a solution that can help minimise discontinuity in the short term, whilst long-term answers remain an ongoing effort.
Roles may need to change, responsibilities of certain individuals reduced or increased; there are many possible changes that can be made. What’s important is that the essentials of your organisation keep running as well as possible, given the situation.
Reduce unnecessary risks
As important as the running of your business may be, sometimes minimising the risk of future problems comes at a cost to the present. If superfluous operations add a burden to your overall continuity, be prepared to apply pragmatic tactics to minimising future risk.
This may mean simply accepting a reduced level of productivity, or this could mean changes to staff, but the ability of your organisation to operate after the crisis has passed needs to be taken into account and rationally considered.
The damage that a crisis can inflict on an ill-prepared business is not only in the loss of productivity, or financial impact, but also the harm it can cause to reputation.
Given that you and your organisation are far from the only people asking ‘what to do if you don’t have a business continuity plan?’, it’s also worth asking yourself: what can you offer to others at this uncertain time?
Although self-interest is essential for any business, taking a moment to consider how you can contribute to improving the situation and help to protect others strengthens reputation and mitigates further risk.
Building a Business Continuity Plan
A robust business continuity plan provides a playbook for any given scenario. A common method of creating such a plan is the Plan, Do, Check, Act framework. This framework is presented as a cycle and should therefore be repeated to ensure continuous improvement.
Step 1: Plan.
In the first stage, your organisation will recognise a potential business risk and plan a change with the creation of documentation and the rolling out of a business continuity plan.
For example, your business recognises that, in the event of an electronic lock failure at your office, there is no contingency plan in place. To address this business risk, it organises an on-call security guard to man the doors in the event of this failure, as part of its business continuity plan.
In the case of the current Covid-19 outbreak, an organisation should ideally have a plan for the known risk of a widespread contagion that, among other things, prevents workforces from travelling to offices.
By planning out-of-office protocols and working-from-home solutions such as laptops, virtual private networks (VPNs), and communication policies such as situation updates, an organisation will understand what is necessary in this event.
Step 2: Do.
Your organisation needs to test the change in the real world through simulating that risk.
As per our example, an exercise would be carried out where your organisation simulates a lock failure and measures the response time of the security guard.
In planning for a viral outbreak, again an exercise where members of your team trial out-of-office solutions would be necessary for developing a robust business continuity plan and testing the efficacy of various elements, such as the strength of technological alternatives.
Step 3: Check.
It is important that your organisation then reviews its plan and audits whether it is being followed.
That may mean, in the case of physical security, checking that the organisation always has a security guard on call, or, in the case of an outbreak, checking how well policy updates are being followed and how effectively alternative communication channels function.
Step 4: Act.
Your organisation should act based upon what it has learnt through its exercises and real incidents, amending its plan accordingly.
For instance, should your staff fail to contact the security guard during the exercise because they don’t know how to contact them, the plan would have to be changed such that contact information is placed in a prominent location.
Alternatively, should your team’s ability to continue work on a project be severely compromised by an outbreak, then the continuity plan must be updated so as to allow maximum efficiency in the time of disruption.
Repeat. This cycle is repeated, improving the plan on an ongoing basis.
Moving Forward
With millions of people across the world working hard to find solutions and sustain operations at this difficult time, it’s also worth asking: how can we come out of this a stronger and more effective organisation?
It may be difficult to predict how exactly the next several months will look, and despite imperfect or incomplete business continuity planning entering into this crisis, the opportunity to adapt, grow and improve on business practices, including continuity and many other information security issues, is there to be taken advantage of.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.