Six Steps to Creating an Effective Business Continuity Plan

You take all the recommended cybersecurity precautions. You back up. Your staff is trained on processes. You have firewalls in place, passwords that are hard to decipher, and the most recent security patches in place. Yet, you still worry. You’re not alone. According to a recent survey, businesses ranked cyberattacks as their #1 threat, with data breach a close second. But if you are victimized by a cybersecurity incident, what do you do now? If you have a business continuity plan in place, the answer to that question is easy: follow the business continuity plan.

A business continuity plan is not the same as a disaster recovery plan, although they have a lot of similarities. As CIO magazine explains, a BC plan is about “maintaining business functions or quickly resuming them in the event of a major disruption,” while DR “focuses mainly on restoring an IT infrastructure and operations after a crisis.” In other words, DR is specific to IT, while a business continuity plan is concerned with the continuity of the entire organization (we discussed the six things you needed to include in your disaster recovery plan in an earlier article).

When you create your business continuity plan, make sure you take into account these six criteria:

  1. Conduct a business impact analysis

As Ready.gov reports, your business continuity plan should start with a complete analysis of the consequences of a business disruption and can include:

  • Lost sales and income, or delayed sales or income
  • Increased expenses (e.g., overtime labor, outsourcing, expediting costs, etc.)
  • Regulatory fines
  • Contractual penalties or loss of contractual bonuses
  • Customer dissatisfaction or defection
  • Delay of new business plans

Your Business Impact Analysis should also detail various risk scenarios and prioritize the order of events for restoration.

  1. Get everyone involved

If you are making the assumption that IT security is solely the responsibility of the IT department, think again. Your entire organization should be working together to protect its data and systems. Consider holding a brief workshop on IT security, create a business continuity management committee with members within and outside the IT department, and consider the impact and recovery on each member of your staff.

One crucial area of involvement is with your leadership team. As reported by Disaster Recovery Journal, it’s important for executives to support a culture of collaboration and to be transparent. “If executives support a culture of transparency, people will be more willing to reveal and troubleshoot problem areas in your organization’s processes. Down the road, this could help the organization mitigate a major vulnerability.”

  1. Establish work-arounds

Ready.gov paints this scenario: “Telephones are ringing and customer service staff is busy talking with customers and keying orders into the computer system. The electronic order entry system checks available inventory, processes payments and routes orders to the distribution center for fulfillment. Suddenly the order entry system goes down. What should the customer service staff do now?”

Developing manual workarounds eliminates uncertainty. For example, listing contact personnel (along with phone numbers and contact information) and providing specific details, such as how to document transactions manually, gives your team direction. You may need to reassign staff or even bring in temporary assistance if systems fail. How will you do that? Plan it all out now in your business continuity plan.

  1. Keep data on the cloud

The best way to ensure your business can continue to run, is by backing up all your data on the cloud. A cloud service ensures that an organization’s critical data and processes are secure off-site. An organization can then quickly ramp up their systems in the case of a disaster. If you’re not already on the cloud, check out our earlier posts, 12 Reasons to Move Your Business to the Cloud and 9 Facts to Know About the Risks of Moving to the Cloud, and How to Manage Them.

  1. Ready crisis communication efforts

How prepared is your organization to quickly and effectively respond to and communicate with the public—and each other–during or after a cybersecurity incident? If you are hit by a breach, you may need to issue statements to the press, customers, partners, vendors and staff. We recently posted an article about emergency communication preparedness, in which we stressed the importance of drafting some templates that cover various scenarios. As we wrote: “it’s faster and easier to tweak a message than to write one from scratch for a multitude of mediums, and even multiple languages, if needed.”

  1. Test your business continuity plan

The time to ensure your business continuity plan is effective is before you need it. Is it comprehensive? Are there gaps? For example, are contact phone numbers correct? Are you able to restore data from the cloud without significant barriers or challenges? Since the network may be down, are there hard copies of the business continuity plan, and are they distributed to all the members of the team?

As suggested by CIO magazine, testing options for your business continuity plan include a table-top exercise in a conference room with the team looking for gaps, a structured walk-through or “fire-drill,” often with a specific disaster in mind, and disaster simulation testing in which an actual disaster is simulated involving all the equipment, supplies and personnel (including business partners and vendors) that would be needed.

  1. Call Single Path

While all the steps above are important there’s a seventh step that may be just as vital: call an outside partner like Single Path. As experts in cloud services, IT security solutions and more, Single Path works with businesses, schools and other organizations to protect them from cyberattacks and help them recover when they’re hit. Planning, monitoring and adhering best practices go a long way to protecting your customers or clients, team members, vendors and your own business. Calling a partner like Single Path, and getting your business continuity plan published, are important first steps.

Ask us how to get started!

After Hurricane Maria Hit, We Helped One School Fight Back

Hurricane Maria was the worst hurricane to hit Puerto Rico in nearly a century, with winds reaching almost 200 miles per hour amid torrential rains and flooding. The disaster left millions of people without power, hundreds of thousands without access to basic necessities and 10,000 people homeless. The world watched with concern and compassion.

But when School Superintendent Jim McKay and Single Path’s Bill Spakowski saw the news, they decided to make a difference.

As superintendent for School District 117 in Antioch, Illinois, Jim McKay had helped send supplies to Houston after Hurricane Harvey. But he knew, this time, supplies were not enough. He needed to do more.

Jim knew the devastation would impact families and children most, and he also understood the vital role schools play in a community. “My mind is with kids,” said Jim McKay. “It’s with helping. When I heard kids in Puerto Rico were not being served, and maybe not being able to attend school for months, I knew I had to do something.” Jim reached out to other area school districts and business and community leaders. Jim had worked with Single Path to set up his own district’s 1:1 learning environment just a few months earlier, so Bill Spakowski of Single Path was near the top of his list of people to call. As Jim suspected, Bill jumped at the chance to help.

Puerto Rico already had considerable education challenges. An estimated 30 percent of Puerto Rico’s students receive specialized education, twice the average on the U.S. mainland. According to the New York Times, only 10 percent of seventh, eighth and 11th graders achieved proficiency in a standardized math test in 2017. Escuela Rafael de Jesús, an elementary school in Rio Grande, Puerto Rico, was faced with similar challenges, even before the hurricane. This district serves 300-400 students of mostly low-income families (86% of them receive a free or reduced lunch) and a great number of special needs kids. They didn’t have the funds to recover from the hurricane on their own, at least not without a miracle. Jim, Bill and the group they named “Relief Through Leadership” became the school’s angels.

The amount of money and equipment Relief Through Leadership raised was impressive, and reflects the environment of caring and giving that both Jim and Bill advocate in their respective organizations.

Donated supplies and technical assistance from Single Path were married by similar efforts from other organizations. The group solicited no tax dollars. Volunteers who went to Puerto Rico paid for the trip out of their own pockets. And the amount of donations, work, and organization, was staggering. For example, local schools donated desktops and notebooks. CDN logistics trucked four pallets of computers from Lake Villa, Illinois to Miami. Carnival Cruise Line shipped those pallets to San Juan. The Mayor’s Office delivered the equipment to the school. And everything was donated. “We were one of the few volunteer groups that were able to crack the sea-transport challenge,” admits Jim McKay.

Jim, and his group of volunteers, which included two people from Single Path and eight school superintendents, flew down to Puerto Rico and got to work. Bill and his colleague not only helped set up two hundred computers, including desktop classroom computers and Chrome Books, but they joined the team spending time (and sweat) scraping paint from ceiling and walls and repainting the school building with paint purchased by Single Path.

Before the hurricane, their school library only had two computers. Now, Rafael de Jesús has its own computer lab. Said Jim McKay, “These computers changed their world. Literally.” He added, “In the world of education, the opportunities are significantly less if you don’t have access to the Internet. With technology, kids today are able to learn and grow so much faster. And we were able to go in and give them the chance to learn and grow in way they couldn’t have before.”

Jim McKay remembers how surprised the mayor, local leaders and the school’s staff were when he and his group arrived in Puerto Rico. “Honestly, when I talked to their principal back in February I don’t think she believed me,” he said. “Talk is cheap. But when we showed up she, and other faculty members, were nearly overcome with emotion.”

Neither Jim nor Bill feel their job is done. Today, Puerto Rico is still impacted by the lingering effects of Maria. While travelling through the island, Bill noticed the blue tarps still covering the roofs of many homes, and the debris of destroyed or damaged buildings that may never be replaced or restored. More than a quarter of Puerto Rico’s schools have closed since the storm and many were without electricity for months. Hundreds of thousands of people have fled the island permanently, including many doctors and educators. Much of the relief the island has received, including a significant percentage of its educational funding, has been lost to waste, corruption and questionable spending practices. That’s why Relief Though Leadership plans to continue donating directly to the school, visiting annually, providing equipment and even new classroom furniture. Both Jim and Bill feel that acquiring and donating two thousand computers a year is a realistic goal. They also hope to set up a connected learning environment between local Illinois schools and Escuela Rafael de Jesús.

The time and energy provided by Relief Through Leadership is about more than making a difference today. It’s about the kids who will be the future of Puerto Rico. Said Bill Spakowski, “It’s about giving back and helping to develop the next generation of leaders. We’re a company that cares about making a difference, and truly cares about students.”

You can view a video showing some of the before and after images of Puerto Rico and Escuela Rafael de Jesús, and the relief efforts by Relief Through Leadership here. To learn more about Single Path, contact us.

Don’t Forget to Include These Six Things in Your Disaster Recovery Plan

So, you discover you’re the victim of a security breech or a malicious cyber attack. Your first instinct is to panic. Tear up your servers. Trash the system. Start fresh.

Slow down. Count to ten. If you’ve developed a plan you just need to trust it. That’s why developing a road map now is crucial to help ensure your team takes the smartest and shortest path to recovery. By taking steps today, disruption can be minimal, or at least minimized.

Not if. When.

As we’ve pointed out in previous blog posts, such as our post about three recent Cyber Attacks, security breeches, malware and other cyber attacks are not ‘if’ you’ll be hit, but ‘when.’ Per Information-age.com, citing a report by SailPoint, 60% of all companies expected to be breeched in 2017 “with 29% believing they won’t even know they were breached when it happens.”

There are plenty of things you can do to protect your data and minimize threats and we’ve detailed many of them in earlier articles. These include citing the importance of keeping regular backup data offsite, such as in the Cloud, and ensuring email security.

You will not only need to create a Disaster Recovery Plan but be able to execute it. So if its indecipherable and overly complicated, with multiple layers that may or may not be relevant, it will only slow and bog you down. Your Disaster Recovery Plan should include a full list of your assets, databases and more … but here are some things you should think about, too.

  1. Pre-approve spending
    Things can get pricey. So create a Business Impact Analysis (BIA) now that evaluates all the expected costs, including the loss of cash flow, replacement of equipment, renting new office space (in the case of a natural disaster) and even the salaries paid to catch up on a likely backlog of work. Attacks might happen on the weekend, or late at night, but pre-approving spending on various solutions can quicken decision making when the times comes to make them.
  1. Name the team
    According to the website disasterrecovery.com, “The organization should form a Disaster Recovery team that will assist in the entire disaster recovery operations. The team should be composed of core members from all departments with representatives from the top management. The team will also be responsible for overseeing the development and implementation of the DR plan.”Team members should attend meetings and remain up-to-date regarding company policies. Individual responsibilities should be well-defined. Contact information should be available for every member, including how to reach them if all business systems are down (such as with personal phone numbers and home addresses).
  1. Find vendors
    Full recovery may take more hands than you have on staff.  What external help will you need, such as lawyers or PR experts? A list with names and approved partners will be one less thing to worry about later.
  1. Ensure you keep things current
    Policies change. Inventory changes too. If your DRP isn’t up to date, it’s insufficient. Your Disaster Recovery Plan should include procedures for maintaining and updating the plan, with regular review by the Disaster Recovery team.
  1. Develop testing protocols
    According to Milind Kulkarni, VP of product management for network resilience company Veriflow, as quoted in a recent article on CSOonline.com, “Just having a DR plan isn’t enough. The plan needs to be regularly tested, and people need to practice procedures, just like a school prepares its students for fire and emergency drills on a regular basis. If not regularly practiced, the plan is ineffective.”
  1. Act Now
    Making a plan can be a lot of work, and we all know that time is valuable. That’s why Single Path partners with companies like yours to analyze, plan, educate and protect. We can put the processes in place that will minimize any damage, and protect you from many attacks. But we’re also there to help you when you need it. For example, among our many comprehensive offerings is Malware Outbreak Services. Like a trauma team in the ER, our Malware Outbreak Service Team has the processes and tools in place to clean up a breach. Our sophisticated software can identify what happened. Our team will also perform vulnerability scanning to see what data might be compromised.

Learn about our comprehensive security services here or ask us how to get started!