Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/14/2020
10:00 AM
Joan Pepin
Joan Pepin
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Ensuring Business Continuity in Times of Crisis

Three basic but comprehensive steps can help you and your organization get through adversity

What if your business is impacted by a natural disaster or your offices are suddenly closed due to unforeseen circumstances, say, a global pandemic? What's next? Is your business built to weather these storms? While nobody likes to think about the worst case scenario, planning ahead and putting together a Business Continuity Plan (BCP) will ensure that your organization is prepared for anything. 

While my company has had a BCP in place for years, COVID-19 provoked us to ensure that we had an actionable, pandemic-specific plan readily accessible. After creating our initial BCP and adjusting it to apply to our current reality, we felt our experience could be beneficial to other organizations, so we're sharing our process. 

Start from Scratch
In computer science, if hardware or a network has been partially destroyed or rendered inoperative, there's a limited function necessary to keep it going – that process of how the machine or system shuts down is called "graceful degradation." So, in a pandemic where your people could be out due to illness or permanently gone, you can apply the same question to your business: How do you degrade gracefully?

Start by evaluating the most critical functions of your organization that are needed in order to remain in business. Think of it like this – what is the thing that is 100% necessary to your business operations, what is the last thing you can discard before your doors would need to shutter? Once you've settled on these critical functions, work backwards. What do you need in order to keep these functions, well, functioning? 

For our business, we determined that our most critical function was maintaining service for our existing customers. While adding new customers is important, it was not deemed the most critical in times of crisis, so we prepared for a scenario in which our current customers were our only priority. 

From there, we imagined a scenario in which our global workforce of over 660 people was cut to just 10% of our original staff (unsettling, I know). We determined a plan for how to continue to service our customers with a sudden, undeniable strain on our workforce. Ask yourself, what is the minimum number of employees your organization needs to guarantee you can maintain your critical functions? Identify that number and continue to work backwards. 

Bulletproof Your Critical Functions 
Whether you plan for a scenario where 10% of your employee base needs to be cut, or only 10% will remain, you'll need to assess whether the remaining employees can protect your critical functions. 

Take for example, when adjusting our BCP to address concerns related to the COVID-19 pandemic, we considered a scenario in which all of our Seattle-based employees were suddenly ill, leaving the remaining workforce unable to complete a critical function. To avoid this, we implemented what I like to call the "hard drive tolerance" approach to cross training. To be considered fault-tolerant, hard drives are designed to have their data backed up in five different places, resulting in five different copies. With this in mind, we made plans to ensure that five people, all located in different areas, each understood how to perform specific critical functions. If your organization is unable to rely on separate geographic locations, I recommend considering cross-training staff within different departments.

Update Your Plan Regularly 
As your company evolves, your BCP should evolve too. Once you've completed an initial BCP, your team should revisit the plan twice a year to make any necessary revisions and keep it up to date. An outdated BCP will only cause further complications and stress when your company needs to reference it. During times of crisis, I recommend updating your BCP on a more frequent basis, about once a month. 

Identifying your business critical functions and the steps and number of employees it will take to keep them operational will strengthen your organization during times of crisis and beyond. From personal experience, I can confirm that a business continuity and actionable pandemic plan will make your organization stronger. Your teams will gain a better, more comprehensive understanding of their function and their greater impact on the company, your management will learn clear and actionable communication skills during an emergency, and your employees will rest assured that your organization is prepared to weather any storm. 

While the hope is for a BCP to remain untouched (aside from the occasional updates), creating an actionable continuity plan will ease stress amidst disaster and help to ensure that your business can keep its doors open.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Cybersecurity Home School: Garfield Teaches Security."

As CSO, Joan is responsible for the holistic security and compliance of Auth0's platform, products, and corporate environment. She brings 20 years of experience to the role, with a career that has spanned a wide variety of industries, including healthcare, manufacturing, ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4719
PUBLISHED: 2020-09-24
The client API authentication mechanism in Pexip Infinity before 10 allows remote attackers to gain privileges via a crafted request.
CVE-2020-15604
PUBLISHED: 2020-09-24
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
CVE-2020-24560
PUBLISHED: 2020-09-24
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
CVE-2020-25596
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. T...
CVE-2020-25597
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. Howeve...