The show must go on: How to prepare a business continuity plan

You never know when disaster might strike

Always expect the unexpected: You never know when disaster might strike and you need to have a plan to keep your business operating.

That includes, but isn't limited to, keeping your data and computer networks going. You need a business continuity plan — and if you already have one, you need to periodically review and test it.

A BC plan should be able to deal with both major and minor business disruptions. Major disruptions you need to mitigate include:

• Natural disasters:

Your risk of experiencing certain types of natural disasters will vary according to the location of your business and computer networks. But wherever you are, there's almost certainly some risk. Consider what you know about your location, and make a list of how Mother Nature may interfere.

Flooding is a risk if you're near or below sea level, and close to a body of water such as rivers, lakes, or seashores. Earthquakes are a risk if you're near a fault line. Snow, tornados, storms and droughts can all impact on your business' ability to function.

Most municipalities in countries around the world have public employees whose work is dedicated to planning for natural disasters that may affect your area. Consult your local government for advice about how your business can prepare for such events, they'll likely gladly offer you help in that area. If your town or city has a sizable fire department, they may be able to advise your business as well.

Make sure your business undertakes basic disaster preparedness exercises, such as regular fire drills.

• Crime and terrorism:

Your risk of being subject to other violent or property crimes is generally much greater than your risk of being subject to terrorism. Either way, you need to prepare for all such events in your business continuity plan.

A medium-sized or larger business may need security guards. Make sure physical security is accounted for in your penetration testing and IT security policy. One easily overlooked factor is panic. In a life-or-death emergency, it can put lives at risk. Make sure that there are people in your organisation who are designated to take a leadership role in such an event. They should be trained to instruct their fellow employees to remain calm in the event of violent crime or terrorism. Panicking people are known to behave in counter-productive ways, such as blocking entrances with large crowds, thus delaying a safe escape for people, and usually injuring others.

That's what happened when I was in the Toronto Eaton Centre during the shooting incident in June 2012. Thousands of people panicked, and there were a lot more injuries from dangerous crowd behavior than from bullets. Your local police department can help your organization with how your business continuity plan deals with crime and terrorism.

Minor events are more likely to engage your business continuity plan, and a lot more frequently. One example could be network failure or an electrical outage. Does your business require backup power in case of such an event?

Business Continuity Planning

First, a thorough risk assessment must be performed. Risk assessment is never “one-size-fits-all,” because your risks will be unique to your business, even compared to the risks your immediate competitors have. How likely is each risk? What are the consequences of a particular type of incident? And then, each risk mitigation tactic should be analysed according to a cost-benefit analysis. It's nice to have lots of backup data storage, but do you need 20 backups for each disk?

Secondly, consider how incidents may affect customers, clients, and stakeholders. Review any Service Level Agreements you may have.

Consider this advice from Security Researcher Steve Higdon:

Conduct a business impact analysis to prioritize your systems, data, and capabilities. Don't forget to include supply chain risks. For any risks that are cheaper to insure than try to mitigate (as long as you aren't ignoring regulatory compliance), accept them and pass the buck to your insurance company. Decide on system and data backup methodologies, and test them! Research and coordinate a cold, warm, or hot site, in case of disaster. Test your entire plan regularly and ensure that everyone responsible for roles in the process are trained. Cross your fingers.

My fiancé Sean Rooney is a former Information Security Scientist for Alcatel, Sears Canada, and the Royal Canadian Mounted Police. He helped Alcatel recover from 9/11, as they had an office in the World Trade Center. Here's what he has to say:

Have hot sites for critical business functions a minimum of 25 kilometres away from each other. Have evacuation and relocation plans. Liaise with regional emergency preparedness agencies. Make all critical functions double or triple redundant, which may include personnel.

A hot site is an alternative workplace location where your business can be resumed immediately. A cold site is an alternative workplace location that may need some configuration before business can be resumed there. Whether or not you need hot sites or cold sites is based on the size and nature of your business.

The larger and more crucial your functions are, the more likely you are to need alternative sites. Hot sites are a lot more expensive to maintain, because electricity, equipment, and caretaking needs to run there at all times. Cold sites are often backups for hot sites in large organisations, usually government related ones. Alternatively, you may have a cold site only, because your business can't justify the expense of a hot site.

ISO 22301

Complying with the ISO 22301:2012 standard can offer some reassurance about your business continuity plan. It encompasses a variety of areas within business continuity. It assures that your business minimises incident-related downtime, and resumes normal operations as soon as possible.

It also assures that your business takes a proactive approach to avoiding incidents, has effective crisis management, identifies current and future threats, and that you can demonstrate resilience to customers, clients, stakeholders, and insurance.

It's always best to be prepared. You can never be completely certain as to what may happen to your business in the future.

Kim Crawley is a security researcher for the InfoSec Institute, an IT security training company.