5-Step Vulnerability Analysis for Business Continuity Planning
Too many organizations fail to plan for data breaches or cyberattacks. But given the increasing frequency of these events, every company should treat them as essential considerations when developing disaster recovery and business continuity plans.
Looking at the fallout from last year's major data breaches, the businesses that fared best were those with comprehensive recovery strategies, allowing them to retrieve lost data while continuing operations.
The key to effective crisis management, then, is planning. Companies with prudent continuity policies are going to recoup faster than those without. Not only does this planning provide an opportunity to address immediate concerns, it creates a foundation to build upon as the threat landscape changes.
Here are five ways to ensure that your business's continuity plans are up to par:
Start by conducting an inventory of your digital assets. In today's computing environment, data can be stored around the globe on multiple systems and devices. Digital assets are far reaching, incorporating physical and virtual devices such as servers, computers, notebooks, mobile devices, and tablets. They also include commonly overlooked assets such as websites and SaaS-based services like Salesforce, Office 365, etc. Understanding the breadth of your digital assets, and the location of your data, are the single biggest factors in surviving a disaster or cyberattack. A thorough inventory of these assets will also help you identify points of risk and exposure. Cloud-based tools can assist with the inventory and management of endpoints and securing data.
Review vendors' service level agreements. Don’t assume service vendors have you covered. Review the service-level agreements (SLA) for each vendor with a focus on three key areas:
- Data Backup and Recovery: How does the SaaS vendor backup and recover in the event of a disaster? You'd be surprised that most vendors don't backup client-side data.
- Ensure that your vendors and cloud providers have a strong security and data protection policy. These policies should be clear and easy to read, while meeting or exceeding your requirements. Companies like Microsoft post and update their policies regularly. Smaller cloud providers may not be able to provide this information, instead relying on second party certification in lieu of their own.
- Transparency: Vendor and cloud providers should be transparent in all forms of communication, whether that is notifying you of updates, changes in SLA, or security-related events. No news is not always good news, when it comes to protecting your digital assets and data. You don't want to find out about a data breach on the news.
Crisis Management. Take the time to review and test your recovery and cyberattack plans. Most companies focus on disaster recovery after a hardware failure, or data center outage. Although important, cyber-related events - which are more common - require a systematic approach and are not always IT related. In the event of a data breach, could you answer the following:
- Who do you notify, and when? What are the legal requirements in your state, and globally?
- Who is responsible for company communications, as breaches can have considerable effects on a business's public image?
- What actions, and in what order, need to be taken on a technical front? Do you need to preserve logs or data for a forensic analyst?
Data Classification. Data classification is part of an overall security strategy. Traditional thinking classified data into two main categories: secure and non-secure, with stronger controls over the former. Data classification only works in those companies with select staff to vigilantly manage and monitor. A better approach is to treat all data as secure, or confidential, and increase overall security measures. Here are a few ways to do this:
- Encrypt all data. There is no reason not to - encryption is quick, effective, and provides safeguards against usage in the event of a data threat.
- Subscribe to the least-privileged model. Only provide data access to those individuals or departments who require it.
- Only collect the required amount of data. Often companies will collect more data than they need or can adequately secure.
Training. Training is key, regardless of the technical controls and processes in place. Even if it's not required under statute, there is no substitution for ongoing security awareness training. Both end-users and IT staff will benefit from greater awareness of cyber security and recovery processes.
TIP: Looking for creative ways to engage employees in cybersecurity best practices? Check out these 5 easy ways to engage employees in cybersecurity training.
The most successful businesses understand that planning and longevity go hand in hand. Effective crisis management and business continuity are not just important, they are essential to the modern workplace. For assistance developing, or implementing, tailored and proactive plans, contact an iCorps expert.