David Speaks: Business Continuity

FortiTech continues to spread the word about the importance of cyber security, and today David was joined by Matthew See, WatchGuard's Manager of Sales Engineering – APAC, to host a webinar in conjunction with the College of Law's Centre for Legal Innovation, focusing on Business Continuity and Backup.

Business Continuity can be a never-ending labyrinth to navigate, but if the current COVID-19 pandemic has taught us anything, it is that a Business Continuity Plan (BCP) is critical for any business to ensure that it can keep operating effectively when faced with uncertain times, such as any of these scenarios:

David ran through the key components of a Business Continuity Plan, which are outlined below:

A large focus of the presentation was on Risk Management Planning. The key guidelines in this planning include:

  • Listing potential risks
  • Listing the likelihood of those risks
  • Listing the consequences of those risks
  • Ensuring you have a process to monitor those risks and evaluate any new risks
  • Committing to undertake that process at least annually

A Business Impact Analysis was covered as another key area. It is important to identify your individual business activities and systems and rank them by criticality, along with the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for each, for example:

  • Telephones – RTO of 4 hours and RPO of 0 hours
  • Email – RTO of 24 hours and RPO of 1 hour
  • Practice management system – RTO of 24 hours and RPO of 15 minutes

To explain RTO and RPO a little further:

RTO - Recovery Time Objective - how long it takes to get up and running again, i.e. how long can your business last without this system? Find the right balance between restore time and money spent: a shorter RTO generally means more expensive standby infrastructure.

RPO - Recovery Point Objective - how much data can you afford to lose and have to re-enter, i.e. the maximum acceptable gap between the last good backup (or replica) and the moment of failure? A 15-minute RPO requires backups or replication at least every 15 minutes, and the gap should be measured against the last backup that has actually been verified as restorable, not merely the last one scheduled.

An Incident Response Plan is next on the list. It needs to cover these key areas:

For the Plan Activation Criteria you will need to cover such things as:

  • Who makes the decision to activate the plan?
    • Is it a committee
    • An individual
    • Internal/External 

and what the triggers for activation are, for example:

  • Government declaration
  • Suspicion of a data breach
  • Power outage
  • Human Resources impacts

Next comes the Incident Response Team. The team needs to have the following attributes:

  • Authority to make decisions that affect the entire business
  • Operational knowledge to understand how decisions will impact the business
  • Technical knowledge to implement the changes
  • Financial authority and knowledge to spend money in an emergency
  • Communication skills and authority to notify parties as per the Communications Plan

The Communications Plan needs to cover off:

  • Who is responsible for communicating (and who isn’t)
  • What information are they communicating
  • To whom
  • and where (which channels, including a fallback if email or the phone system is the thing that is down)

And of course everything needs to be tested regularly, so that in the event of a real disaster your team is well practised and ready. Some tips:

  • It is important to test your incident response against a variety of different disaster scenarios and to do this regularly.
  • Just like a fire drill, disaster scenarios ensure that you are prepared if any real disaster strikes and allows you to fine-tune any areas for improvement before the real thing.
  • Ideally a full disaster scenario should be run every 6 months.
  • Make sure to test with critical personnel unavailable; this will really test the reliability of your plans.

Of course, we would all love to never have to deploy our BCP, but if we ever do it is important to know you are prepared and that the subsequent disruption to your business is minimal.

If your business doesn't have a BCP in place, or your current one needs a refresh and you aren't sure where to start, FortiTech can help you get on the right track. Why not give us a call on 1300 778 078 and we can book in a time to discuss the best path for your team.