When you think "business continuity," you should think about your data and networks as well as your employees, customers and property. Financial data, intellectual property and data on employees, customers and suppliers are critical to your business. When you craft your general business continuity plan, take steps to also develop a plan specific to your data and networks.
Four-step planning process for your business continuity plan
1. Threat assessment
Conduct a threat assessment. It can help identify the nature and likelihood of an event. According to Verizon’s annual Data Breach Investigations Report (DBIR), malware, phishing and misuse of credentials are major vulnerabilities.¹ Other events may involve unintentional actions such as an employee emailing a wrong file, sending it to the wrong person or misplacing a laptop or other electronic device that contains sensitive information.
Your plan should include ways to mitigate the impact of losses caused by these accidental or intentional acts or technological failures. It should also take into account weather-related or natural disasters, including tornados, hurricanes or earthquakes. Power outages and power grid failures also should be considered.
2. Business critical impact analysis
Conduct a business impact analysis. It will help you identify and prioritize the business functions that are most critical to keeping your operations running. This analysis can help ensure your business can be restored quickly. Here are a few reasons:
3. Prevention and mitigation strategies
Include a comprehensive backup strategy for critical data, hardware, software and firmware. Other non-critical functions can generally be restored and returned to normal operations over time without interrupting your business.
Be sure to specify in your plan who is responsible for creating backups, where the backups are stored, and who has access to the backups. All backups should be stored at a remote location that cannot be impacted by the same event. The area should be secure with restricted access. You also can use third parties to store your backups. When you set up a contract with a third party, specify the level of security required, and the time frame they have to deliver your backups. You should fully document these procedures, and keep them up to date.
Key backup considerations should include:
4. Testing, practice and continuous improvement
Routinely test your plan so you can evaluate its effectiveness. Key employees and third parties should be familiar with the backup and restoration processes. They should periodically conduct sample tests of the system backups to verify that the operating system, applications and data from the backup can be restored.