In today’s modern enterprise, IT is central to everything the organisation does. If anything should happen to the organisation’s IT, business will grind to a halt, and every single member of the organisation will face an impatient wait for it to be up and running again. To avoid this kind of situation, organisations should invest in their IT business continuity plan.
What are the IT risks to business continuity?
Organisations have adopted more and more technology in recent years in order to improve their services. The number of SaaS applications in use has multiplied, and today’s hybrid working patterns have created an environment where even team interactions rely on IT to make them happen.
Therefore, if the organisation’s IT is suddenly out of commission, organisations find themselves faced with some of the following situations (and likely others too):
An inability to work at all
An outage in a critical service may mean that support teams can’t provide services to customers or DevOps and technical teams can’t maintain technology services.
Non-front line employees may not be able to do their work either. Developers will not be able to continue to create products, sales and marketing teams will be unable to reach out to potential new customers, and employee support services won’t be able to function.
In short, the business will grind to a halt. How long this situation lasts, and the impact it has, will be a function of the IT business continuity plans in place.
Response teams can’t communicate
In today’s environment there is a tendency to take IT for granted. But what if the response relies on an IT system that is taken offline? In that situation, response teams can’t communicate or coordinate their response, and it will take even longer to get back up and running.
The organisation becomes even more susceptible to cyber attack
In the aftermath of an incident, organisations are vulnerable, which makes it a perfect time for a cyber attack. As IT systems come back online, they may have faults or some cyber protections may not be in place, leaving them exposed to cyber criminals. The longer this continues, the greater the risk to the organisation.
What is an IT business continuity plan?
An IT business continuity plan sets out what an organisation needs to have in place before an unexpected IT interruption, and the actions it needs to take during one, in order to minimise disruption. IT interruptions can be caused by a cyber attack, physical attack or natural disaster, supplier outage, and more. The IT business continuity plan will address each of these causes and their potential impacts.
Why is an IT business continuity plan important?
Minimise the impact of an incident that affects IT
IT business continuity plans enable organisations to take proactive approaches to potential interruptions, putting in protections to ensure that an interruption is avoided in the first place, and plans for minimising damage if the interruption does occur.
Act as reassurance to customers
An effective business continuity plan that considers the impact of potential events, and puts in place steps to reduce the likelihood and impact of these events, can demonstrate to customers that the organisation takes IT risks seriously.
Meet regulatory requirements
Regulations such as the EU-GDPR or specific regulations for sensitive industries often require organisations to have considered, tested incident response and business continuity plans in place.
Components of an IT business continuity plan
The IT business continuity plan is a vital document in the event of any incident. It is therefore important to ensure that all members of a response team have access to it at all times. After all, the last thing an organisation wants is for the IT business continuity plan to be held on the very IT systems that are unavailable.
An effective IT business continuity plan will consider the following:
Carry out a business impact assessment
A business impact assessment will enable the organisation to identify:
● Critical business processes – Which operations are most critical, and must therefore experience minimal disruption?
● Core IT assets – Are there any legacy servers running a critical service? Which systems need to be back online as quickly as possible?
● Core suppliers – Which systems are provided by a third party, and what would be the impact of an IT failure in their systems?
Identify preparatory activities
Identify the activities that the organisation can take to prevent an event, reduce the likelihood of an event, or reduce the impact of an event. For example:
● Building IT resilience through use of the cloud, and buying tenancy in two or more availability zones.
● Implementing a backup strategy that uses industry best practices, and that can be quickly and easily restored to a system.
● Creating a cybersecurity strategy that protects the organisation from attack, or enables it to identify and manage attacks quickly and efficiently.
Prioritise systems for recovery activity
Create a plan that sets out which systems should be restored as quickly as possible, and the order in which systems should be recovered. This plan should be based on the business impact assessment described above.
Create an incident response process
Identify the activities that must be carried out in an incident response. The incident response plan may include:
● The process for recovery, the actions that teams must take.
● The composition, roles, and responsibilities of the response team.
● Any pre-prepared communications materials for employees, the public, or media.
● Emergency contact numbers for emergency services, regulators, or other authorities.
Test the IT business continuity plan
Effective plans are plans where everyone knows what they are doing. It’s worth taking time to regularly test that the plan works, that all the details are in the right order, and that the response team are clear on their roles.
Plan for follow-up activity
Every incident is a learning opportunity to improve the process next time around. Build a review and follow-up process into the IT business continuity plan.