Think of resilience as the ability of an organization to remain operational, despite the impact of a disruptive...
Employees may be working at home or an alternate location, and systems may be operating from another site, as opposed to running locally. The key is for the organization to maintain operations -- even in a degraded state -- in the aftermath of an incident.
The ability to achieve resilience is dependent on several factors. In this article, we'll examine five elements of a business resilience plan that may be overlooked or ignored and how to address them.
You may have a few uninterruptible power supplies in place, which may be sufficient. But if you're a tenant in an office building, does the building have emergency power you can use? How many feeds enter the building from the local power company? Are they from the same substation or different systems? Does the building have lightning protection? Is the building properly grounded?
If you have your own emergency power system, such as a diesel or natural gas generator, how often is it tested? How much reserve fuel is available? Who are your alternate fuel suppliers?
With the variety of data backup options available, such as cloud-based managed systems, there's no excuse for not having critical systems and data protected as part of your business resilience plan. One of the key expenses involves the frequency of data backups.
If, for example, you need to have data available that is completely up to date (i.e., a recovery point objective of less than 10 minutes), you may need to make a sizable investment in data replication or mirroring, or perhaps a combination of an on-site RAID arrangement and a data backup appliance that links to an external data repository. Plenty of options are available; the choice is based on the amount of data to be protected, how quickly it's needed in an emergency and the level of security needed.
Whether your organization has fewer than 10 employees or hundreds of them, it's important to have a succession plan in place so you'll know who can step in and perform certain tasks if the primary person isn't available. A succession plan is more than who backs up the CEO. It can be extended to all employees, because everyone is needed to ensure the company's success. A skills inventory is useful so employees with overlapping skills can be identified and even cross-trained if needed. This ensures you will have people available to maintain business operations, even if some employees are absent. Coordinate this activity with your HR department, if you have one.
Your investment in technology is a critical part of your organization's success, so make sure those assets are protected. If you have a brick-and-mortar data center, make sure it is secure, with limited physical access, and includes backup power systems, backup servers and redundant communications and networking elements.
Making the transition to an all-managed systems environment, with cloud-based technology, can certainly increase your resilience. Retaining some local technology assets and having remote access to critical systems can also work well. Just be sure that both on-premises and remote access infrastructures are properly protected. The advent of technology virtualization makes it much easier to locate critical systems and data remotely. The key for your business resilience plan, then, is to ensure that your systems and data are secure and protected from unauthorized access.
Failure to address cyberthreats sufficiently is often a recipe for disaster. Technology products for protecting network perimeters, as well as internal data, are numerous. The growth of ransomware presents yet another challenge to organizations, similar to denial-of-service attacks, viruses, phishing and other breaches. Techniques and technologies for preventing such occurrences include firewalls, secure gateways, intrusion detection and intrusion prevention systems, defense in depth and data encryption.
The challenge for your business resilience plan is to invest not only in preventive measures, but also in detection procedures to identify and analyze anomalies, and to take proactive actions, such as regularly updating firewall rules. By paying close attention to cybersecurity activities, you can effectively prevent or minimize many potentially disruptive events.
If it's financially and operationally possible for your business resilience plan, err on the side of overengineering the resiliency of critical systems and networks, ensuring that employees and their skills are protected, and having more security than you think you need.