Cybersecurity Blog | Compuquip Cybersecurity

4 Elements of a Hurricane Prep Business Continuity Plan

Written by Lenny Simon | July 19, 2018

In a recent post, we discussed the need for businesses to set up a disaster recovery (DR) plan for hurricane season. A solid DR plan can help a business to avoid losing data if the worst should happen to their primary data center during a hurricane.

However, there’s more to ensuring the continued viability of your business than just preventing the loss of data. Business continuity (BC) plans go beyond simply protecting data to ensure that your business can remain operational even after your primary data storage and production environment is obliterated by a natural disaster. The question is: How can you create a hurricane-proof BC plan?

The first step is knowing what components your business needs. A comprehensive, hurricane-ready business continuity plan is going to require the following:

1) An Analysis of Your Business’ Most Critical Functions and Their Dependencies

In a DR plan, you need to know what your most important data is and prepare a backup of that data. In a BC plan, you need to conduct an analysis of all of your business’ core functions and identify any processes that are time-sensitive or absolutely vital to the continued function of the business so you can prepare redundant systems to carry out those processes.

This analysis should be able to separate “critical” from “non-critical” processes based on criteria that you establish for your business. It’s hard to generalize about what would be vital to a specific business, but some examples of “critical” processes could include things like:

  • Internal business communication channels (email, third-party communication apps, etc.)
  • Transactional systems
  • Bill pay processes
  • Security event notification systems

In one TechTarget article on the subject of business continuity planning, it is recommended that you ask the following questions when preparing to create a BC plan:

  • How would the department function if desktops, laptops, servers, email and internet access were unavailable?
  • What single points of failure exist? What risk controls or risk management systems are currently in place?
  • What are the critical outsourced relationships and dependencies?
  • During a disruption, what workarounds are there for key business processes?
  • What is the minimum number of staff needed and what functions would they need to carry out?
  • What are the key skills, knowledge or expertise needed to recover?
  • What critical security or operational controls are needed if systems are down?

Asking yourself these questions can help when you’re trying to establish what your minimum requirements are for keeping your business going. When prioritizing which assets to include in the BC plan, consider this additional question: How much will it cost me for each day that process "X" is down?

Consider shopping these questions around to various people within your organization to get a broader perspective on what is mission-critical—this can help prevent gaps in your BC plan later.

2) A Disaster Recovery Solution

Odds are that your processes are going to need specific tech and data resources to function at peak efficiency—so setting up a disaster recovery solution to preserve/restore these resources is a must.

The basic steps of DR solution setup include:

  1. Auditing your IT resources and data.
  2. Identifying mission-critical data.
  3. Establishing a data backup solution that is geographically remote from your business’ primary data center (such as a cloud-based data backup service).
  4. Testing the backup solution to verify recovery time objectives (RTOs), recovery point objectives (RPOs), and solution stability.

There are other specific elements of a DR solution that you may wish to implement based on your business’ needs and resources, such as platform-as-a-service (PaaS) solutions that can take over for your business’ primary production environment should it go down.

3) Recovery Teams

If a disaster occurs, who is responsible for enacting/overseeing your business continuity plan? A lack of management for your BC plan could lead to a failure to implement it when the time comes.

This is one reason why Ready.gov recommends that businesses “Organize a business continuity team” and “Conduct training for the business continuity team.” This way, there is someone in your organization who can assume responsibility for enacting your BC plan and is prepared to ensure its smooth implementation.

4) Testing, Testing, and More Testing

With any emergency plan, testing is vital to ensure things will work when you need them to. Without any kind of testing, it can be impossible to identify weaknesses in your BC plan and, when a disaster really happens, those weaknesses could ruin everything.

In fact, this is why Lorraine O’Donnell, global head of business continuity at Experian, says in a CIO article that you should “try to break it” when it comes to testing your BC plan. She further states, “Don’t go for an easy scenario; always make it credible but challenging. This is the only way to improve.” The goal of these tests should be to identify potential weaknesses, such as single points of failure, so you can find ways to overcome those weaknesses.

The CIO article points out three general levels of BC plan testing. These three tests are, in order of least to most intensive:

  • Tabletop exercises;
  • Structured walkthroughs; and
  • Disaster simulations.

Tabletop exercises simply have the team get together and review the plan with an eye towards any glaring weaknesses in the plan—such as single points of failure. Structured walkthroughs take things a bit further by having people “walk through” their responsibilities/tasks in detail.

Disaster simulations take things to the highest level by recreating the actual conditions of a disaster and having all of the components of the plan enacted to see everything in motion. Because of the complexity and expense of a full BC plan deployment, CIO recommends performing this test annually.

Following each test, be sure to review your findings and make adjustments to the plan as needed to remediate any weaknesses that you may have discovered.
