The element of surprise is often part of an attacker's strategy; therefore, it is not uncommon for a disastrous attack to occur without any warning. For example, it is difficult to predict ransomware or an APT attack. Most incidents are unique, and organizations must have proper plans to recover quickly and minimize downtime. Without a contingency plan, recovering from sudden incidents can take longer and cost the organization more money because of the loss of reputation and productivity.
Since the start of the COVID-19 pandemic, businesses have found it critical to create a Business Continuity Plan (BCP) if they don't already have one. Otherwise, they must review and update their existing plans to respond effectively to sudden incidents, especially those arising during the ongoing pandemic.
A BCP describes how a business will continue operating during an unscheduled disruption in service. The BCP lists the different procedures and provides instructions on what should be done when a disaster takes place, such as a flood, an earthquake, or a cyberattack (e.g., ransomware).
A BCP covers all aspects that affect an organization's work, such as business processes and functions, human resources, third-party providers, and business partners. Many people confuse the BCP with the Disaster Recovery Plan (DRP), but there is a clear distinction between the two. The DRP is considered a sub-component of the BCP and deals directly with restoring IT infrastructure and other related services after a crisis. In contrast, the BCP looks at the comprehensive picture and restores the entire enterprise after a crisis.
This article discusses how to develop a general BCP to respond to sudden incidents during the ongoing COVID-19 pandemic, focusing on the technical and compliance aspects.
General elements of a BCP during the COVID-19 pandemic
Before expanding on the main elements of a BCP, consider the following three points:
- Define the types of disasters applicable to the organization's work area; for example, earthquake, fire, flood, power or Internet outage, general lockdown, and cyberattacks, such as ransomware or APT attacks.
- Consider in-house resources that can help create the BCP. Examples of such resources include incident response plans, policies, procedures, and existing business continuity plans.
- List all possible business assets that may be affected during the incident or pandemic.
Having this info in hand will help to develop a general BCP.
Having reliable communications is the most crucial element in a BCP. The pandemic has forced most companies to shift their workforce to the work-from-home model. A BCP should address the type of communication during the pandemic and the person(s) responsible for managing these communications. The following areas should be defined:
- What are your organization's communication needs? For example, do you need to communicate with external partners and third-party providers, do you need to communicate with customers? Is there a need for internal communications between the different departments?
- Define communication methods: Are you going to communicate via phone, fax, email, or group chat? Are you going to use video conferencing services, like Zoom, to hold remote meetings?
- Identify the person or team members responsible for delivering and supporting organization communications.
This section includes remote access, applications, and backup requirements.
Remote access: Since the pandemic has forced most organizations to access their resources remotely, consider these questions: How will employees connect remotely? Via remote desktop connection, VPN, or another service provided by a third-party provider?
Also, consider who is allowed to connect remotely and to which resources. Is the remote connection secure? Is the handling of remote data done securely?
Applications: Identify the primary services and applications needed to continue normal work operations. If transitioning to work-from-home, are employees still able to use these applications and services remotely?
Backup: What are our business backup requirements? Are we going to store the backup offsite or onsite? Are we doing regular backup testing to test the efficiency of our backup solution?
Third: Compliance Requirements
Compliance standards impose strict restrictions on remote access, authentication, and authorization mechanisms. Hence, an organization should understand its compliance requirements and incorporate them into its BCP, especially if remote access is implemented as a part of the BCP procedures.
Fourth: Policies & Procedures
Policies are developed according to the organization's current technologies and work processes. A BCP needs to document the various procedures necessary for remote connection, endpoint device configurations, and password policy. Organizations should make sure that all employees understand these policies and know how to implement them properly.
A BCP should remain current to reflect the work environment changes, procedures, and technologies used.
Business continuity is a top priority for any organization, whether it is a small company or a big enterprise. Remaining operational means sustaining a customer base and staying competitive in an ever-challenging world. A business's ability to restore its IT functions plays an important role in responding to sudden incidents; however, what about the rest of the functions? A BCP is an organization's response to remain operational as a whole during an unexpected crisis.