Business Continuity Planning and Cyber-resilience
The COVID-19 crisis is hopefully a once-in-a-hundred-years event. As we are asked to self-isolate and reduce face-to-face interactions, many organisations are dusting off and implementing their business continuity plans. Business Continuity Plans, if written at all, are rarely reviewed, never mind tested and implemented. However, while we all had some time to foresee the immediate organisational impacts of this crisis, when it came, most organisations found they had to react quickly and that their plans were not fit for purpose. Furthermore, although most initial reactions assumed that this would be a short-term problem, emerging expert analysis has indicated that we may be “social-distancing” for many months and/or that the advice on interaction may cycle through periods of relative freedom of movement and instructions to distance. In consequence, business continuity planning will require a long-overdue revival to respond effectively to this crisis.
Common challenges in existing business continuity plans
Most business continuity plans are focused on IT system failures and/or disaster recovery. In response, and to ensure cyber-resilience, most organisations have tasked their IT professionals with building in redundancy and fallback positions for key systems. In addition, it is often left to the ICT team to identify such essential systems. However, this crisis is different, as it requires a re-configuration of working equipment, systems and relationships that introduces new vulnerabilities. Business continuity requires a fully usable ICT system, access to the necessary data and access for the right people. Without the right people, our organisations cannot operate effectively, even if ICT systems are up and running.
Consequently, staff availability will be a key feature of this crisis. For those organisations capable of maintaining operations remotely, many will have sent staff to work from home. Where high-speed connectivity is available, this can work well. There are reports of increasing pressure on existing systems as most of our interactions become digital but, so far, the infrastructure is coping. However, not all locations have sufficient access to vital connectivity. In addition, as the number of individuals exposed to the virus increases, some staff will likely be unavailable even where facilities exist. Other issues may also cause staff to be unavailable: challenges with childcare and the cascading effects on critical infrastructure (e.g., transportation systems, internet connectivity, etc.) are all likely to reduce organisational capability during the crisis.
Finally, the hardware in which organisations have invested might also pose continuity challenges. Given the speed at which this emergency has come upon us, most organisations have not had time to evaluate, procure and configure essential portable equipment, such as laptops or broadband dongles, for all their staff. Those working off-site are likely using their own devices and may be making do with different versions of software or using online versions. As these domestic devices are not managed by the organisation and are being used for a variety of other purposes, security and other issues will need to be considered and addressed to the extent possible under the circumstances.
In combination, the confidentiality, integrity and availability of data, information and systems carry a different risk profile in this situation, which some individuals and organisations may seek to exploit opportunistically.
To respond more effectively to this crisis and to prepare for the potential need to take a more long-term view of the response requirements, we have identified the following steps that can be taken now to minimise the issues that are likely to arise.
Senior managers and decision-makers need to prioritise the functions/clients/services onto which resources will be focused if they become scarce. Make this clear internally so everyone is working off the same script.
Support your staff:
Both the organisation and its staff will need to re-orient their processes to a new “business as usual” framework. Senior managers need to be flexible and support staff to evaluate what they can realistically achieve given their individual domestic situation(s). Provide support for flexible working and address the concerns of your staff in a timely manner. This may require a re-thinking of some key policies and procedures.
Standardise what you can:
Structure the new working environment and create new mechanisms for regular updates and reporting. Bring as much order to the situation as possible to limit variance and therefore unnecessary stress. Consider moving to cloud-based platforms where possible and introduce clear guidelines for VoIP services and anti-virus protection. Rolling out corporate subscriptions is the best way to ensure staff are using the same tools and have the same protections. Collect information on the machines staff are using and prioritise procurement or replacement of outdated machines and software, such as those running old versions of Windows or systems that can no longer be patched.
Communicate with clients:
Put in place communication channels for clients (and service providers) to contact your organisation. Give them clear information about the situation and how you are managing it. Use social media to share information about your continuity plan and ensure static technologies (e.g., phone systems) have mechanisms for communicating alternate channels or call forwarding.
Monitor the situation:
Productivity levels will change in the short term before bouncing back. Help employees to manage stress and to plan for the new “Business as Usual”. New procedures may have to be introduced, suppliers may have to be changed, clients and partners may also have challenges delaying their interactions with you. Continue to gather data and collect information so that you can make informed decisions.
Document what you are doing:
Keep a record of what is happening. If something goes wrong, your records can demonstrate that best efforts were being made to manage the situation. This is valuable mitigation if you are exposed to penalties. It is especially important in terms of processing personal data, as you need to demonstrate that you met your obligations as best you could. Identifying where single points of failure are occurring, be these technological or people-related, will be very valuable learning after the emergency.
Do not forget compliance:
Even in this emergency, our obligations in areas such as health and safety, data protection, etc. still exist. Ensure you have as many of the necessary controls in place as you can, but most importantly, ensure reporting mechanisms still operate. For data protection, you will likely be reporting more breaches as the risk of human error and technology issues increases. Nevertheless, the 72-hour reporting window remains the same.
Prepare for the worst:
If the worst happens and your organisation cannot continue, create a plan to:
- Prepare any documentation to facilitate staff who will need to interact with social welfare.
- Secure the personal and financial data you process. Know what you have, where it is and how to access it. Ensure key assets are made secure.
- Always prioritise the health and safety of individuals.
After the event
This pandemic will pass. However, the commercial environment may experience irreversible changes, some of which will be positive (e.g., flexibility) and most of which will require new policies and procedures. When evaluating and reflecting on operational changes, have a post-crisis session to record lessons learnt. Strong organisations will invest resources to identify benefits and opportunities from what has been endured. This may include:
- Evaluating what worked and what did not, and if possible, why.
- Identifying single points of failure that occurred. This can be in infrastructure or staff. Some people may have been the only expert in their area and were overwhelmed or unavailable leading to major issues. How can this be addressed going forward?
- Reviewing internal and external communications processes.
- Evaluating whether the ICT infrastructure, equipment and policies were adequate for the situation and other potential disruptions.
- Reviewing outstanding compliance issues, working to close cases and satisfying the regulators where further information has been requested.
- Identifying any champions who went beyond what was expected or processes that went unexpectedly well. Acknowledging and building on these will benefit the organisation in the long run.
When confronted with a crisis, no plan, no matter how well-conceived and/or tested, will fully prepare your organisation. Business continuity and cyber-resilience rely on infrastructure, processes and people. The goal is to maintain the confidentiality, integrity and availability of key data and systems so that they can be accessed at the right time by the right people. Addressing these challenges as organising principles will help your key managers and your staff to respond to short-term shocks and adjust to medium-term changes. Update your infrastructure, policies and procedures, including Business Continuity Plans, regularly to respond to foreseeable events and to ensure flexibility when something unexpected happens. Test these key procedures regularly to ensure they remain fit for purpose.
If you need advice on constructing, evaluating or updating your business continuity plan, our experts are here to assist with assessing the cyber- and data protection risks your organisation may face. Contact our Data Protection and Cyber-Risk service for more information.
Alan Moore, Senior Data Protection Advisor at Trilateral Research
Rachel Finn, Senior Practice Manager & Head of Irish Operations