Today’s businesses are operating in an extremely dangerous environment filled with multiple types of cyberthreats. Sophisticated threat actors are constantly evolving and refining their techniques while attempting to subvert organizations’ cybersecurity defenses. Despite the best efforts of cybersecurity professionals, some cyberattacks succeed and can cause extensive damage to an IT environment.

In addition to the dangers posed by cyberattacks, a company’s IT infrastructure can be adversely impacted by natural events, human error, or societal issues beyond its control. Companies need to have a plan in place to address these situations and ensure that business-critical IT systems are operational and available. A business continuity plan (BCP) can be invaluable in an emergency.

What is a Business Continuity Plan?

A business continuity plan outlines how a business operates during an emergency or disaster. It identifies the critical business systems and functions that need to be quickly restored, how they will be restored, and who is responsible for the process when needed. A BCP is a living document that should always reflect the current environment and business objectives.

Why Does a Company Need A Business Continuity Plan?

Most companies rely heavily on their IT systems to perform business-critical functions. They need a BCP to be prepared for any type of disaster including:

  • Cyberattacks which deliver ransomware or other types of malware;
  • Human error which may inadvertently cause unexpected outages or data loss;
  • Extreme weather events that seem to be occurring with increasing frequency;
  • Fires, floods, earthquakes, and other types of natural disasters;
  • Civil unrest or nation-state attacks that affect the power delivery grid.

When any of these events occur, a BCP may be the only thing that allows a company to survive.

How to Develop a Business Continuity Plan

A viable BCP is developed methodically, tested thoroughly, and updated regularly. The following phases are considered to be best practices when creating a BCP.

Information gathering and analysis

The first phase of BCP development consists of gathering the necessary information regarding the impact of an outage on business operations. A business impact analysis (BIA) should be performed to evaluate the effects of an interruption on business-critical systems and operations.

A key takeaway from the BIA is the ability to prioritize the systems that need to be recovered for the business to operate successfully. Not all infrastructure components may be needed in an emergency. For example, test and development systems, though important to the long-term health of the business, are not critical to restoring operations and addressing customer concerns.

A risk assessment (RA) should also be conducted to identify threats to the business and develop procedures to minimize their effects. For example, the risk of a ransomware attack on a critical database requires a targeted recovery whereas a widespread power outage demands more comprehensive measures.

Determine recovery strategies

Once the systems that need to be recovered are identified, recovery strategies need to be put in place. During this phase, it may be determined that the current backup and recovery solutions are not sufficient to enact the recovery in a reasonable time frame. This is the time to modify procedures and implement new solutions that better address the recovery needs of the BCP.

Along with the recovery strategies, this phase should identify the person or team responsible for the recovery. There should be primary and secondary resources identified so that recovery can proceed if a key individual is unavailable for some reason.

Develop the plan

In this phase, the BCP begins to take shape. Each system that will be recovered should have a defined recovery time objective (RTO) and recovery point objective (RPO). These objectives need to be aligned with business requirements so, at worst, a minimal amount of data needs to be replicated. The RTO and RPO may dictate changes to backup and recovery procedures that currently will not be able to meet the objectives.

Procedures must be developed for each team involved in the recovery that spells out their role and a timeline for their activities. The procedures need to be incorporated into an overall schedule of events that will be performed when the plan is enacted. The plans should gain the approval of department heads, application owners, and upper management.

Test the plan

Testing is an essential component of a BCP. All aspects of the plan should be tested before it is needed to recover from an actual disaster. Testing will identify gaps in the plan or procedures that need to be modified to reach the defined RTOs and RPOs. Without adequate testing, a company is risking failure to maintain business operations in an emergency.

Partial testing of specific systems or applications should be conducted throughout the year to allow teams to refine the recovery procedures. Tests also need to be performed when new items are added to the BCP. If possible, the complete plan should be tested annually to determine its viability in case of an emergency. This type of testing is often done at an alternate site to mimic plan execution under real conditions.

Update and maintain the plan

The BCP should include lessons learned from previous testing. Perhaps the RTOs and RPOs were too aggressive and need to be modified. During the test, it may become evident that the order in which systems are recovered needs to be updated to address previously unconsidered prerequisites. These types of changes should be noted and implemented based on post-test reviews and meetings.

The BCP also needs to be regularly updated to reflect changes in the environment and the personnel responsible for executing the plan. Ideally, the effects on the BCP should be incorporated into change management procedures to ensure the plan contains any new information about recovery scope or processes.

Get Help Creating a Viable Business Continuity Plan

VAST IT Services offers its customers support in developing and implementing a business continuity plan that protects their IT systems and valuable data resources. VAST’s experts will meet with your company to gain an understanding of your operations and the impact on the business of the risks you face. We work with you to develop a BCP that ensures your business does not fail due to an emergency or disaster.

Contact VAST to see how we can help you develop a BCP that protects your business from the variety of threats it faces. Whether it’s engaging our Disaster Recovery as a Service offering or updating your backup and recovery solution, VAST has your back.