Dark Reading is part of the Informa Tech Division of Informa PLC



5/14/2020
10:00 AM
Joan Pepin
Commentary

Ensuring Business Continuity in Times of Crisis

Three basic but comprehensive steps can help you and your organization get through adversity

What if your business is impacted by a natural disaster or your offices are suddenly closed due to unforeseen circumstances, say, a global pandemic? What's next? Is your business built to weather these storms? While nobody likes to think about the worst-case scenario, planning ahead and putting together a Business Continuity Plan (BCP) will ensure that your organization is prepared for anything.

While my company has had a BCP in place for years, COVID-19 provoked us to ensure that we had an actionable, pandemic-specific plan readily accessible. After creating our initial BCP and adjusting it to apply to our current reality, we felt our experience could be beneficial to other organizations, so we're sharing our process. 

Start from Scratch
In computer science, if hardware or a network has been partially destroyed or rendered inoperative, a limited function is necessary to keep it going; the process by which the machine or system shuts down is called "graceful degradation." So, in a pandemic where your people could be out due to illness or permanently gone, you can apply the same question to your business: How do you degrade gracefully?

Start by evaluating the most critical functions of your organization that are needed in order to remain in business. Think of it like this: What is the thing that is 100% necessary to your business operations? What is the last thing you can discard before your doors would need to shutter? Once you've settled on these critical functions, work backwards. What do you need in order to keep these functions, well, functioning?

For our business, we determined that our most critical function was maintaining service for our existing customers. While adding new customers is important, it was not deemed the most critical in times of crisis, so we prepared for a scenario in which our current customers were our only priority. 

From there, we imagined a scenario in which our global workforce of over 660 people was cut to just 10% of our original staff (unsettling, I know). We determined a plan for how to continue to service our customers with a sudden, undeniable strain on our workforce. Ask yourself, what is the minimum number of employees your organization needs to guarantee you can maintain your critical functions? Identify that number and continue to work backwards. 

Bulletproof Your Critical Functions 
Whether you plan for a scenario where 10% of your employee base needs to be cut, or only 10% will remain, you'll need to assess whether the remaining employees can protect your critical functions. 

For example, when adjusting our BCP to address concerns related to the COVID-19 pandemic, we considered a scenario in which all of our Seattle-based employees were suddenly ill, leaving the remaining workforce unable to complete a critical function. To avoid this, we implemented what I like to call the "hard drive tolerance" approach to cross-training. To be considered fault-tolerant, hard drives are designed to have their data backed up in five different places, resulting in five different copies. With this in mind, we made plans to ensure that five people, all located in different areas, each understood how to perform specific critical functions. If your organization is unable to rely on separate geographic locations, I recommend considering cross-training staff within different departments.

Update Your Plan Regularly 
As your company evolves, your BCP should evolve too. Once you've completed an initial BCP, your team should revisit the plan twice a year to make any necessary revisions and keep it up to date. An outdated BCP will only cause further complications and stress when your company needs to reference it. During times of crisis, I recommend updating your BCP on a more frequent basis, about once a month. 

Identifying your business-critical functions and the steps and number of employees it will take to keep them operational will strengthen your organization during times of crisis and beyond. From personal experience, I can confirm that a business continuity and actionable pandemic plan will make your organization stronger. Your teams will gain a better, more comprehensive understanding of their function and their greater impact on the company, your management will learn clear and actionable communication skills during an emergency, and your employees will rest assured that your organization is prepared to weather any storm.

While the hope is for a BCP to remain untouched (aside from the occasional updates), creating an actionable continuity plan will ease stress amidst disaster and help to ensure that your business can keep its doors open.


As CSO, Joan is responsible for the holistic security and compliance of Auth0's platform, products, and corporate environment. She brings 20 years of experience to the role, with a career that has spanned a wide variety of industries, including healthcare, manufacturing, ...
 
