Most people can relate to the personal crisis of a frozen computer or crashed hard drive. More often than not, this is the moment when you ask yourself: “did I back up my data?” Of course, by the time you’re staring at a blue screen, it’s too late for that. All you can do is hope that something is recoverable, and plan ahead for next time. When you’re a business, the stakes get much higher. That’s why your organization needs to have a plan in place for business continuity and disaster recovery (BC/DR or BCDR).
Business continuity is the plan you should have in place for operating your business when computers and vital technology are not available, whether due to a simple malfunction or a malignant attack such as malware or ransomware – a particularly popular form of attack as of late. As recently as this past summer (2019), one such incident hit an association of about a dozen healthcare providers.
The ransomware attack began, as is common, with a phishing campaign that worked to get credentials from someone inside the network. Once inside, the attacker worked undetected to access and encrypt critical database servers. A month after the initial compromise, a popup informed the businesses that they could get their database unencrypted by making a cryptocurrency payment. It’s a typical attack format that has been devastating companies.
What happened next showcases the importance of having a plan in place for BCDR. Some of the health care providers in this group transitioned directly to their business continuity plan. They were less efficient without their computers, but still open for business while their disaster recovery team worked to recover the data, remove the malware, implement additional defenses, and reach optimal operation. For other businesses in the network, it was a calamity. They didn’t have a plan for business continuity and were in crisis mode as they struggled to keep their doors open for patients.
The difference was starkly clear between those that were prepared and those that were not prepared. And it is possible to be prepared for this eventuality. There are two steps that must be taken. The first step is to create physical backups and verify that they work. You should also have an offline, air-gapped version so that attackers cannot virtually connect through the network to attack the backups. This is something you need to talk to your IT and security team about as soon as possible.
The second step belongs to the business leadership. This one cannot be delegated to the IT team. It requires thinking about how employees will work without vital technology. It means answering who, what when, where and how. Is there a secondary location from which you can operate? Are there tasks which are normally automated that will need to be manually performed? Who is capable of doing which tasks? There are many detailed questions that need to be asked, but the general objective should be about how to continue to serve your customers and keep your business alive while your IT systems are down and in recovery. This will mean different things for different industries. In healthcare for example, the patients aren’t going to stop coming. And in the case of a non-cyber crisis, like a flood or an earthquake, patients will likely come in higher numbers. Banks might need to figure out non-electronic means of dispensing cash. Even during a prolonged regional emergency, life – and commerce – goes on. But will your business?
Once you have a business continuity plan in place, you can start to think about disaster recovery. This requires a tiered approach, as explained in the Tiers of Recovery blog. But remember that the first tier of recovery is preparation. As you go about preparing for the eventuality of a crisis, you should do so with one overriding consideration: people come first. Make sure your employees can do their jobs and make the disruption to customers minimal.