
Fail to prepare, prepare to fail – Business continuity testing

February 27, 2020

Business Continuity and Disaster Recovery (BC/DR) affects every business, whether cloud based, hosted on-premise or a small business run from a room at home. Business Continuity is defined as:

“a holistic management process that is used to ensure that operations continue and that products and services are delivered at predefined levels, that brands and value-creating activities are protected, and that the reputations and interests of key stakeholders are safeguarded whenever disruptive incidents occur [1].”

Business Continuity threats cover everything from adverse weather to terrorist attacks. Disaster Recovery events include data loss due to human error, corrupted files and ransomware attacks [2]. Examples include the bombing of the Arndale centre in Manchester (15 June 1996), after which it has been widely reported that 40% of the affected businesses failed to recover [3]. Another, more recent, example is the death of the Chief Executive of a cryptocurrency exchange. This left the business and its clients unable to access around £145 million held in a “cold storage” wallet for which the CEO held the only password [4].

BC/DR training and testing allows scenarios like these to be identified and rehearsed. Responses can be tested and refined to ensure that, should the worst happen, swift and decisive action will be taken to facilitate a smooth recovery.

Those with specific responsibilities (Senior Management, Information Technology, Information Security, Human Resources, for example) should receive dedicated training to better prepare them for their role should an incident occur. This training should include, among other things, awareness of the likely threats, actions to be taken, crisis management, and communication. The rest of the company should receive more generic training on communications (call out lists, etc.) and evacuation responses (where to go, what to do when they arrive, etc.).

Training and testing need not be expensive; often internal resources can be used to conduct ‘tabletop’ exercises. These are scenario-based exercises in which the responders discuss what actions they would take in response to the scenario. It is also useful to test these assertions occasionally! Basic testing can even be as simple as conducting a test of the emergency call out procedure. Start with senior managers and ask them to cascade the training emergency message down the organisation, and have someone at the end of the chain report when they have received the notification. This can be timed to assess the effectiveness of the alerting mechanism; it is also useful for identifying issues such as incorrect contact details and changes to team structures, including new staff who may have been missed off the last published list.

A collaborative report [5] which surveyed members of the Chartered Management Institute [6] shows what the perceived business continuity threats were, along with the number of managers who believed them to be relevant to their business (Fig. 1). However, when compared to the actual number of incidents (Fig. 2) reported by those same managers, we can see that only 2 of the perceived threats actually make it into the top 5, and they are not as frequent as they are thought to be. This should be kept in mind when businesses are planning their BC/DR responses and training. A thorough risk assessment will help to tailor the responses and testing scenarios to the business and make them more relevant. That doesn’t mean that an occasional, unlikely scenario cannot be useful in developing skills by prompting your BC/DR response team to think ‘outside of the box’, but such scenarios need to be carefully managed and run.

6point6 uses a Cyber Security Maturity Assessment to, among other things, help businesses define and plan for Business Resilience events. Testing requires the organisation to have a business continuity strategy, including identifying risks, developing a plan, and preparing the organisation (equipment, communications plan, etc.). Business continuity testing helps to cement these responses into business processes, ensuring staff know what to do when the worst happens and can act decisively to return the organisation to business as usual as quickly as possible.

In conclusion, BC/DR testing should form part of regular business operations, to ensure that businesses can effectively manage an incident or recover if the worst should happen. Staff at all levels should know their roles and how to respond to common incidents; training should also develop the team’s ability to adapt to ‘curve balls’. It is recommended that training start at a basic or foundation level, and as the skills and maturity of the team develop, so can the difficulty of the scenarios. Scenarios can be made harder by having staff act as external stakeholders (media, clients, regulators, attackers, etc.) and feed ‘injects’ into the response and management teams.

Get in touch if you’d like to chat to us.

Reference List

[1] ISO 22301

[2] https://www.provintl.com/blog/4-reasons-your-organization-needs-a-business-continuity-plan-bcp

[3] https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/376381/Expecting_the_Unexpected_Reviewed.pdf

[4] https://www.independent.co.uk/life-style/gadgets-and-tech/news/bitcoin-exchange-quadrigacx-password-cryptocurrency-scam-a8763676.html

[5] https://www.managers.org.uk/~/media/Research%20Report%20Downloads/Weathering_the_storm_CMI_BCM2013_1.pdf

[6] 25,000 questionnaires were sent, with 637 responses from general managers across UK organisations. The report highlights that these managers were not directly responsible for BCM.

Jim Wright
Cyber Assurance Manager