A Business Continuity Plan can significantly decrease the impact of a disruption or disaster to a business. If you already have one, great, check it off against our list here and be sure to review your plan at least annually, or if there is a significant change to your business. If you do not have one, hopefully this list will give you a good template to start from.
- Have a plan. First and foremost you need one before a disaster strikes. It should cover the risks of disruption to:
  - Your supply chain – What if a key supplier is no longer available or has a business continuity issue of their own?
  - Key technologies – What are the key technologies you use? What happens if one of them is not available?
  - Staff – public transport strikes, bad weather. Do they know how to work from outside the office?
  - Access to the office – Can the business still operate if your office space is not available?
- Create a recovery team with contact information. These should be people who know the business processes and systems.
- Clearly document the responsibilities of each of the recovery team.
- A copy of the BCP should be held by each team member in a secure location (both printed and digital).
- Rehearse the plan. Schedule time for team members to review and agree the steps and their responsibilities. Let staff work from home occasionally to adjust to home working.
- Create a list of contact names and numbers for key clients and suppliers.
- Establish a secondary location for staff to work from, if necessary.
- Make sure ALL your data is being backed up off-site.
- Train employees on the plan. They should know what to do, where to go and how updates will be communicated.
- Review the plan at least annually or if there is a significant change to the business. Update any information if necessary then re-print/re-publish.
If you would like to learn more about business continuity, a comprehensive information security program or discuss if your business should be looking beyond cyber security, feel free to reach out to us through one of the following methods:
Confidentiality, Integrity and Availability – A Deep Dive…
Information is becoming an increasingly valuable commodity, and for a business it presents not only value but a responsibility too. You may have all the necessary guards in place to protect your data, but not all information is digital. Trade secrets, good old printed paper and physical media like USB keys all present their own challenges to implementing thorough protection throughout a business.
Threats vary in their effects, but a breach can be grounds for termination, and lost revenue may not be the only consequence. Legal action, compensation, lasting damage to reputation and a lot of expensive PR to get the business back on track may all follow.
With Scandinavian firm Norsk Hydro announcing in a BBC interview that they spent £45 million restoring their business after a ransomware attack took out tens of thousands of computers across the company’s 170 sites, the case for investing in information security is clear, whatever your industry.
All information security decisions can be boiled down to three key themes: confidentiality, integrity and availability.
Confidentiality keeps a business’s most valuable information (trade secrets, customer data, analytics, etc.) away from prying eyes in order to protect the business’s future success.
Keeping vital information secret is important because once a secret has been outed, it becomes very hard to close Pandora’s Box. Even if the leak is found and deleted, the nature of the internet means that there is a very high likelihood that any leaks will be copied and distributed so quickly and frequently, that the information will never be fully removed.
Simply put, the easiest way to provide confidentiality is to ensure that only the people who should have access to a given piece of data actually have access. This simple sentence, however, can take a lot of complicated principles to enact.
Grouping information into classes by how severe a leak would be, and planning steps accordingly, for example using permissions to decide who has which level of access, helps mitigate the risks attached. However, permissions are only as secure as the person holding them. Provide special training for those in the know on information security best practices. This could include password design, social engineering (phishing) prevention, solutions like biometrics and air-gapped computers (not connected to the internet), or even keeping hard copies locked away so there is no chance of digital access.
If files must be accessed digitally, which is the case for most, encryption is widely used to stop hackers intercepting the data as it travels across the internet from A to B. Encryption comes at the cost of adding to the size of the data but, depending on the exact standard of encryption, can take the fastest computers hundreds of years to crack.
Integrity refers to ensuring the authenticity of information: that it has not been altered and that it comes from the assumed source. There are two specific sub-categories: system integrity and data integrity.
Data integrity means taking steps to ensure your data can’t be altered by a third party. One simple example of ‘data integrity risk mitigation’ that you are probably using without realising it is that every time Microsoft Office asks whether you want to ‘Enable Editing’ in a document, it is preventing you from making what could be unintended alterations.
This can be a hard thing to keep track of, especially when working with suppliers and partners. With the constant toing-and-froing of files between associates, an accidental edit to a spreadsheet or document could change a price or a delivery date, with significant consequences for both parties.
Human error usually falls under data integrity, as the slip of a finger can cause a mistype or the deletion of important data, and while you can put every measure in place, remember: “Pobody’s nerfect.”
At times an employee may not be at fault, but the way they interact with their system may be the root cause. Preventing this could include regular maintenance, using file permissions (so only approved employees have access to the data) or using hashes to verify the integrity of the information. A hash gives users a short ‘summary’ of a document’s contents: a string of letters and numbers unique to that exact content. It can then be compared with the hash of another version of the document, and if the two hashes are identical you know the documents are too.
Maintaining systems and keeping them protected, so that neither employees nor hackers can manipulate the data, is vital to protecting the integrity of your information. The WannaCry attack on the NHS several years ago was the result of missing security updates that may have prevented the attack in the first place.
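As an added illustration of the hash comparison described above (this is example code written for this article, not a tool from On Line Computing), the block below takes a constructed delivery schedule, records its SHA-256 digest as the ‘summary’, and shows that a single changed character in the price produces a completely different digest. It also goes one step beyond the text: a plain hash only catches accidental changes, because anyone who can edit the file can recompute the hash, so the keyed variant (HMAC, with a key held only by the sender and recipient) is included for the case where you also want to catch deliberate tampering. The sample data and the key are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample: a small delivery schedule as a supplier might send it.
ORIGINAL = b"item,quantity,unit_price,delivery\nWidget,100,12.50,2024-06-01\n"
# The same file after an accidental edit that transposed two digits of the price.
EDITED = b"item,quantity,unit_price,delivery\nWidget,100,21.50,2024-06-01\n"
# Constructed shared secret for the keyed variant; in practice this is agreed out of band.
SHARED_KEY = b"example-key-agreed-between-sender-and-recipient"


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of the data as a hex string (the 'summary')."""
    return hashlib.sha256(data).hexdigest()


def verify_unchanged(data: bytes, recorded_hex: str) -> bool:
    """True if the data still matches the digest recorded when it was sent."""
    # compare_digest avoids timing differences leaking how many characters matched.
    return hmac.compare_digest(sha256_hex(data), recorded_hex)


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """Keyed digest: without the key a third party cannot produce a matching tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed(key: bytes, data: bytes, recorded_tag: str) -> bool:
    """True if the data matches the tag computed by someone holding the same key."""
    return hmac.compare_digest(hmac_sha256_hex(key, data), recorded_tag)


if __name__ == "__main__":
    recorded = sha256_hex(ORIGINAL)
    print("recorded digest:     ", recorded)
    print("digest of edited copy:", sha256_hex(EDITED))
    print("unchanged copy passes:", verify_unchanged(ORIGINAL, recorded))
    print("edited copy passes:   ", verify_unchanged(EDITED, recorded))
    tag = hmac_sha256_hex(SHARED_KEY, ORIGINAL)
    print("keyed check on edited copy:", verify_keyed(SHARED_KEY, EDITED, tag))
```

The recorded digest must be kept somewhere the file itself cannot reach (a separate email, a signed manifest, a ticket), otherwise whoever edits the file can simply update the digest alongside it; the keyed version removes that problem as long as the key stays private.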
Our third tenet deals with the availability of your information, or how your staff gain access to the data. Challenges range from ‘Acts of God’ like flooding or forest fires, and other disasters, to failed or stolen hard drives.
Disaster Recovery Plans, or DRPs, are essential for the continual success of a business that suffers outages from hackers, the environment and anything in between.
Creating redundancies in your system will help prevent small scale issues like a blown server. These redundancies are usually some form of back-up, but depending on the size and scope of the business, these can require very different systems.
The established solution for SOHO (small office/home office) businesses is keeping a copy of all data on a hard drive stored somewhere secure, so that if a computer fails the data on it can be restored quickly.
For larger offices, RAID servers are a common solution for duplicating your information across several drives. Depending on the configuration, a RAID system builds in its own redundancy by spreading data and recovery information across several drives, so that the array keeps running if one of them fails.
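To show what ‘building in redundancy’ actually means at the disk level, here is an added example (written for this article, not code from On Line Computing or any RAID vendor) of the simplest parity scheme: each stripe of data blocks gets one parity block that is the XOR of the others, so if any single drive in the set is lost its blocks can be rebuilt from the survivors. Parity sits on a fixed drive here, as in RAID 4; RAID 5 rotates the parity block across drives but uses the same arithmetic. The sample file, the drive count and the block size are assumptions chosen to keep the example small.

```python
from typing import List, Optional

Block = Optional[bytes]  # None stands for a block on a drive that has been lost


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-sized blocks byte by byte."""
    if len(a) != len(b):
        raise ValueError("blocks in a stripe must be the same size")
    return bytes(x ^ y for x, y in zip(a, b))


def parity_block(blocks: List[bytes]) -> bytes:
    """XOR of every block in the list; this is the parity written to the extra drive."""
    acc = bytes(len(blocks[0]))
    for block in blocks:
        acc = xor_bytes(acc, block)
    return acc


def write_stripe(data_blocks: List[bytes]) -> List[Block]:
    """One stripe = the data blocks followed by their parity block."""
    return list(data_blocks) + [parity_block(data_blocks)]


def rebuild_stripe(stripe: List[Block]) -> List[bytes]:
    """Rebuild the single missing block; XOR of the survivors equals the lost block."""
    missing = [i for i, b in enumerate(stripe) if b is None]
    if not missing:
        return [b for b in stripe if b is not None]
    if len(missing) > 1:
        raise ValueError(f"single parity can rebuild one lost block, not {len(missing)}")
    survivors = [b for b in stripe if b is not None]
    rebuilt = list(stripe)
    rebuilt[missing[0]] = parity_block(survivors)
    return [b for b in rebuilt if b is not None]


def store(data: bytes, drives: int = 3, block_size: int = 4) -> List[List[Block]]:
    """Split a file into stripes of `drives` data blocks plus one parity block each."""
    pad = (-len(data)) % (drives * block_size)
    padded = data + b"\0" * pad
    stripes = []
    for off in range(0, len(padded), drives * block_size):
        chunk = padded[off:off + drives * block_size]
        stripes.append(write_stripe([chunk[i:i + block_size] for i in range(0, len(chunk), block_size)]))
    return stripes


def lose_drive(stripes: List[List[Block]], drive: int) -> List[List[Block]]:
    """Simulate one drive (data or parity) failing across every stripe."""
    return [[None if i == drive else b for i, b in enumerate(s)] for s in stripes]


def recover(stripes: List[List[Block]], original_len: int) -> bytes:
    """Read the file back, rebuilding any lost block and dropping parity and padding."""
    data = b"".join(b for s in stripes for b in rebuild_stripe(s)[:-1])
    return data[:original_len]


if __name__ == "__main__":
    sample = b"hello world"  # constructed sample file
    array = store(sample)
    print("recovered after losing drive 1:", recover(lose_drive(array, 1), len(sample)))
    print("recovered after losing parity: ", recover(lose_drive(array, 3), len(sample)))
```

The same XOR trick is why the array only tolerates one failed drive per stripe: with two blocks missing there is one equation and two unknowns, which is the point of the `ValueError` above, and why a RAID array is a hedge against a blown disk rather than a substitute for an off-site backup.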
Even larger businesses tend to opt for Failover Cluster solutions that geographically separate servers, so that a business can switch in case of scheduled downtime, an extended power cut or even a DDoS attack.
These would in no way replace any cyber security tools like firewalls or DDoS prevention services, as they all work in tandem to create a secure network that limits the chance of unwanted access, while ensuring all data is still available if the main repository is corrupted.
We use the Information Security Risk Assessment as the basis of all information security planning. This document should be updated regularly and include all of your information assets, both digital and physical, and from there you can start planning how to mitigate the risks associated with each asset. You can download a free Information Security Risk Assessment Pack here.
Just because a particular threat is mentioned under one of the headings above, does not mean it wouldn’t be applicable to the others. Cyber security tools are just as vital to protecting integrity as well as the availability and confidentiality of the information, and your information security tools will be the same. Rather than wasting time deciding which of the three principles a particular risk should be allocated to, focus on what can be done to most prevent the risk in question.
If you’d like more info on how to assess your own security – try here – or contact us to find out more about how On Line Computing can help guide you through securing your business.
Whether you’re just getting started or you have information security processes truly embedded, find out where you are in the journey and how you can move forward with our free Information Security Infographic. Click the image below to view and download.
Get a free Information Security Risk Self-Assessment
Business risk can have severe consequences if not properly managed. Every business has its own set of assets and risks, and an Information Security Risk Self-Assessment form should be completed to identify the business assets and the risks to them.
We can give you a free Information Security Risk Self-Assessment template – just get in touch with us here.
Every organisation has already invested in security, installing basic cyber tools like anti-virus and patching vulnerable operating systems. Hopefully. But this is just the beginning of your journey. A journey to bring maturity to your security.
A truly effective security program involves identifying and locating all of your information assets and putting controls in place to protect them all. A risk register and recognised accreditations further demonstrate to everyone that you are taking it seriously.
Why are you on this journey?
The journey to maturity is often driven by external factors. Your customers require it before they will buy your products or services, legislation mandates it, you have been the victim of a cyber-attack or you are aware of the increased risk present today.
The journey ahead of you
As mentioned earlier, it should start with identifying and locating all of your information assets. Remember that not all information is stored digitally. Once you have identified your assets, you can consider the risks to each of them and then align the tools that are already deployed. Cyber Essentials is an external accreditation and a first step to proving that you are serious, even if it is self-certified.
The journey can then continue as you broaden the impact of your Information Asset Risk Register, introducing new cyber tools, staff awareness training and enhanced organisational policies to govern the business’s approach to security. Cyber Essentials Plus demonstrates further commitment, as you have invited an external body to audit the controls that you have in place.
ISO 27001, an internationally recognised information security certification, shows that your security governance is fully embedded in the business. At this stage the management system, policies and controls are fully ingrained, aligned to the business objectives and subjected to rigorous external audit. Your approach is fully matured and shows staff, customers and suppliers that you are serious.
At On Line Computing information security is at the very core of the services that we provide to our customers. We have given advice and guidance to hundreds of organisations, helping them to improve their information security and achieve recognisable accreditations. Whether you’re just beginning your journey or you’re ready to take on the next stage we are here to support you. Check out our case study about how we helped a global consultancy firm achieve their ISO 27001 accreditation.
Growing businesses will at some point consider recruiting an internal IT person or team. There are a number of drivers: the growing cost of technology and associated services, the increasing demands of the users, the criticality of the infrastructure and applications, and the need for trusted guidance on future technology investments. These drivers are very broad in range, and many assume that one person will manage all of them.
This assumption could not be further from reality. When it comes to recruiting an internal IT resource, it’s important to consider the competing expectations from within the business.
The executive will expect:
- Advice to the board on strategic direction for the IT department
- Management and support of complex infrastructure and multiple suppliers
- Accountability for technology performance and security
- 24/7 support of senior users
The various business departments will expect:
- Line of business application support and advice
- Accountability for performance that impacts their department
The users will expect:
- User assurance – general advice and support for user-level issues, password changes, etc.
- Management of printers and peripherals
- Crawling under desks and plugging in cables
The suppliers will expect:
- A skilled buyer
- Decision making
The budget for the resource is often based on efficiencies measured against the existing cost of support and/or the anticipated cost of increased service levels. This in turn determines the level at which the business recruits, and leads to a dichotomy. A technician qualified only to deal with low-level problems will not be happy advising the board. Conversely, a strategic head will not be happy crawling under desks. The compromise is to pick the middle ground: an IT manager who can manage the technology and keep most people happy, most of the time. Loved for being at the beck and call of the executive 24/7 but loathed for not producing the strategic IT plan. Ultimately their brief is too wide to perform successfully.
There is good justification for an internal IT resource in medium and larger businesses; once you cross the 50-user mark it can prove very cost effective. However, before you take the plunge you need to consider, in some detail, a plan to get it right and avoid those frustrations.
Things to think about:
- Set out the expectations of all stakeholders/departments
- Place them into groups that you feel could be reasonably dealt with by one person’s skill set
- Budget and recruit accordingly
- Plan on how you will fill the expectation gaps
There are few things more frustrating than a team member who fails to deliver as expected. You have a great person, but they are just not doing what you want them to do. If those expectations are unreasonable, then eventually that person will be dismissed for something that was not their fault. Think carefully and test all the assumptions that have taken you to the point of hiring. Then plan to get the right person on the bus and have the right seat available for them.
To discuss this topic in more detail, please get in touch.