The UK Companies Act 2006 gave statutory status to what, for many company directors in regulated businesses, had been part and parcel of regulatory compliance and due diligence for years: that the Board must ensure that business continuity and disaster recovery plans are developed and tested to mitigate all risks facing the organisation.
In fact we know that many businesses, such as ourselves, who provide services to those in the regulated sectors have always needed to demonstrate best practice to work with these companies. This means understanding the risks to both their clients’ and their own business, and implementing robust business continuity plans.
The list of risks that most organisations need to mitigate is long and varied, including everything from IT and telecoms outages, adverse weather, fire and acts of terrorism to cyber attacks and data breaches. As IT service providers our area of expertise is business technology; this can be adversely affected by all of the risks listed here, and more besides.
If your business is highly regulated, as in the financial services sector or the legal professions, your IT requirements present some unique challenges. Cyber security and data compliance are a priority for any organisation, but when your business activities are centred on sensitive and personal information they are imperative. The consequences of non-compliance or data breaches are even more significant, with hefty fines being handed out by the regulators and serious implications for your organisation’s reputation.
Having worked with regulated businesses, particularly in the financial services industry, we understand the key challenges they face when it comes to IT. There is a critical need to be ‘always up’; providing clients with access to their accounts, enabling consultants to manage documents anytime / anywhere, and maintaining communications across different networks. However, this has to be balanced with security and data protection.
Factor in unforeseen events such as flooding, power outages or even changes to the law or regulations, and there are even more reasons to put robust measures in place to protect business critical systems, data and reputation.
Cyber attack is a prime example of this: it is one of the biggest threats to business continuity and costs UK businesses on average £4.1 million per year [HP Enterprise Security & Ponemon Institute Report, October 2015].
Business continuity: Awareness, training and communication
Business owners and CEOs need to first focus on their business continuity in order to better understand the risks their organisations face, and the potential impact of these on their business and IT.
This is often the first step to getting buy-in for a business continuity plan from the Board, members of whom may not fully understand the risks or the consequences of these threats. Specific risks can then be addressed with a risk assessment (for example the risk of a server catching fire), measures can be put in place to minimise the risks associated with business critical activities, and IT failover systems can be implemented.
The aim of any business continuity plan is to allow senior executives and employees to get on with IT and other activities calmly, knowing exactly what steps need to be taken to get systems and networks back up and running as smoothly as possible. At the same time, business critical data and systems need to be protected, and all reasonable steps taken to prevent a potential data breach from escalating.
In our experience, with the support of the Board it is much easier to implement measures to protect the business, such as cyber security policies, and to successfully execute a business continuity plan should disaster strike.
The following steps can then be applied across the organisation, with key individuals taking responsibility for raising awareness, training and communicating business continuity strategies.
Using the risk of ‘cyber attack’ as the example, here is how we recommend that this be implemented.
3 steps for effective IT business continuity planning
Data breaches may be caused by malicious or criminal attack, system glitch or human error, and can often be prevented by raising awareness of cyber security issues. Do your employees understand what an email phishing attack involves? What about ‘soft exits’, such as leaving sensitive documents open in public places, for example the local Starbucks? While cyber security policies may help your business be compliant, it is also vital that staff are aware of the risks, the potential impact on the business, and the possible adverse consequences to their work and livelihoods. Circulating cyber security policies is not enough; instead, a more hands-on approach to awareness and education is needed.
When staff actually understand what the fallout of a data breach or cyber attack involves, where it might come from and what it could look like, they are in a much stronger position not only to prevent it from happening in the first place, but also to put business continuity plans into action quickly and effectively.
Those employees who have key business continuity responsibilities, for example your network manager, should ideally be involved in developing the business continuity plan. Not only will their expertise be invaluable for implementing a successful plan, but it will also help them embed it into their working practice and communicate it to other members of staff.
As well as offering training in prevention, such as cyber security workshops, everyone within an organisation needs to know what to do if the worst happens. Just as fire drills are designed to ensure that employees leave the premises calmly and safely, your IT business continuity plans should also be tested, and key staff rehearsed and trained. This will include ensuring that failover services are regularly tested, and that IT staff can recover data and get business critical systems running quickly, for example by using cloud continuity.
Business continuity training should also form an integral part of the induction process when new employees join, and this training should be repeated at regular intervals to ensure that anyone with IT responsibilities is fully updated. Cyber security threats are continually evolving and therefore business continuity plans need to respond accordingly.
With so many variables in terms of risks and threats, as well as potentially diverse IT assets, it is essential that communication is consistent and easy to understand. When a cyber attack is identified, panicking is not going to help; clear and concise communications will therefore support the training and testing already in place.
Communication also includes how the organisation will communicate with key stakeholders in the event of a data breach. Business continuity plans are not just about getting IT systems back up, but also about reassuring customers and limiting damage to a business’ reputation.
To meet regulatory compliance standards, organisations must look for ways to reduce risks and prevent data breaches, such as web filtering, monitoring and other cyber security protection. However, the points above are key factors for demonstrating due diligence and complying with business continuity statutory requirements. Furthermore, raising awareness, training and communication are extremely cost-effective measures to protect your business and your customers’ data.
By Bruce Penson, Managing Director of Pro Drive IT