Business Continuity Management (BCM) and Cyber Resilience
“Why are they fundamental?”
One out of five companies has reported a ransomware attack in 2022 (+38% in 2022) among which two-third have paid the attackers. Hoping to retrieve their data, which strongly contributes to the recent ransomware pandemic.
Paying the ransom contributes to generate a vicious circle as it encourages criminals to continue their work, giving them more financial means. This financial windfall gives more possibilities to criminals who increase the scope of their attacks to make them more sophisticated, more devastating and more frequent.
To learn more about the fascinating world of ransomwares, check out the article Les rançongiciels: une arme en constante evolution we wrote earlier this month.
Regardless of the level of preparedness, a company (whatever its size) should regularly evaluate its incident response capabilities. This is even more topical in today’s high risk context. Not to mention, ransomware is not the only threat that may challenge resilience. An unforeseen event that disrupts business processes can always occur, being a natural disaster, power outage, fire, IT failure or cyberattack.
In this regard, the best resilience strategy is Business Continuity Management (BCM). Having a solid BCM in place is essential for any company since it provides the adequate solutions to continue to operate during and after a disaster or disruption. It also minimises the downtime and financial losses.
Business Continuity Management
The BCM lifecycle is usually divided into four steps:
The analysis phase aims at identifying and prioritising critical business functions, identifying their potential risks, establishing a crisis management unit and drafting a Business Impact Analysis (BIA) by determining financial and operational impacts on the organisation for each disruption scenario. To fully serve its purpose, the BIA must also identify the businesses’ resources and their dependencies which have to be taken into account when prioritising their recovery order. The BIA introduces two new crucial concepts:
- Recovery Point Objective (RPO)
When a disaster occurs, it is very likely that some data will be lost. To avoid that, businesses should store copies of their data in isolated locations. This way, if one copy is compromised because of a disaster, the data still exists somewhere else. This practice is known as backups and a business can choose how often they want to save a new copy of their data. The more frequent the backups, the more recent the backup version and so the smallest amount of data to lose.
For instance, a business might decide it cannot lose more than one hour of financial data, but it can lose up to one week of marketing data. This amount of data lost before the disaster occurred is what is called the RPO.
- Recovery Time Objective (RTO)
Unlike the RPO which looks back from the disaster, the RTO looks forward. A disaster often disrupts the availability of stored data and of processing facilities in a way that can be very significant (e.g. a backup datacenter can take hours to take over).
Businesses should define how long they can afford to lose access to each type of data and each process.
For instance, a bank might require no more than a few minutes of downtime on their system that authorizes payments, but allow their customer data to be unavailable for a few hours. This maximum amount of time of unavailability is called the RTO.
Note that the shorter the RPO and RTO, the more expensive it becomes to operate. Therefore, businesses have to carefully define them for each of their data and process, and look for the best tradeoffs between cost and risk.
2. Plan Development
Drafting a Business Continuity Plan (BCP) will enable outlining the procedures and resources that an organisation will use to continue critical processes in the event of a disaster or disruption.
The Disaster Recovery Plan (DRP) is a sub-part of the BCP, it is initiated when a disaster occurs and the BCP is activated. It explains how to support critical business processes on a second functioning infrastructure. Then how to recover from the disaster and have all of the processes running again as in the initial state (which is the very definition of resilience).
4. Test phase
It is probably the most arduous stage to complete. It involves the crisis management unit, as well as IT teams for the testing of the BCP and the DRP through tabletop and simulation exercises.
Effective communication is also crucial for BCM. This includes having clear, concise communication channels in place for both internal and external stakeholders. As BCM is an ongoing process (not just a one-time effort), it is important to regularly review and update the plan to ensure it remains effective and relevant.
Overall, BCM is an essential part of any company’s operations. By proactively planning and preparing for potential disruptions, businesses can minimise the impact of disasters and keep their operations running smoothly.
Antoine Bricogne, François Gilet, Allan Lallemand and Anisa Skenderovic
- The Hiscox Cyber Readiness Report 2022 | Hiscox UK
- What is Recovery Point Objective (RPO) | Imperva