Eva Simpson · Apr 06, 2022 · 5 min read
A business continuity plan is like a parachute. You hope everything always goes smoothly, but if there is an emergency, it will help you land on your feet safely. Here’s how to create a business continuity plan in your organization.
Business continuity planning (BCP) is a documented and tested plan to prevent potential business threats and to recover in the case of emergencies. The goal of a BCP is to help everyone at the company respond to an emergency calmly and ensure the company can continue operations even after a disaster scenario. In the current threat landscape, a major part of a BCP is being ready to respond to digital threats like data leaks or ransomware.
A business is a lot like a tower of blocks. At the bottom is the founder. Then you add your first employees and customers. The tower grows. Now it may support more employees, investors, clients, and even large parts of a country's economy. The bigger the tower gets and the more it supports, the bigger the impact would be if an unexpected disaster took it all down.
That’s where business continuity planning comes into play. It helps organizations recognize threats and prepare for them in time.
The importance of business continuity is increasing because in addition to their products, companies now manage troves of sensitive data. You may operate from a location where hurricanes and earthquakes are not a problem, but most businesses are vulnerable to digital threats. Whether via an environmental disaster or a malicious attack, losing access to a company's assets will impact its revenue and ability to remain competitive and will result in loss of customers.
One of the misconceptions regarding business continuity planning is that it is the same as disaster recovery planning. The former encompasses a variety of different preventative and reactive strategies, while the latter focuses on restoring lost assets. We’ll leave data recovery for next time and focus on the overall business continuity plan structure.
Risks and damage
Think about and list any potential risks and the scope of damage your company could sustain. In other words, you must determine how different risks could impact the company’s operations.
Preventative measures
Make a list of measures that can be taken to prevent damage to the company's assets. We encourage having several measures for each issue because their effectiveness will be tested and compared later.
People
Now that you know what measures to take, you should assign people who are responsible for executing those measures. Do not forget that as your employees change, new people will have to be assigned and trained.
Response plan
This part includes the steps your company should take in different disaster scenarios. What will internal communication look like? How can you effectively restore data from backups? The response plan is important because disasters don’t leave much time for contemplation. You will make fewer mistakes if the plan of action has been approved in advance.
Testing measures
We won’t dwell on testing much because we go over it below. In short, you have created a plan and should test it to make sure it works. Also, you must train your employees to expect and be ready to respond to unexpected situations.
If you’re going to write your business continuity plan, you need to remember that it's a process. It’s best to start with a real-world scenario, evaluate the damage your company would have suffered, and then come up with ways to prevent it. Below, we’ll go over the hypothetical case of a ransomware attack.
An employee comes to your office and says that they have a strange message on their computer. They think that it’s a ransomware message. You call your IT department and analyze the situation. It turns out that a hacker group has breached your network and infected several computers with ransomware. They demand a payment or all your company’s data will be deleted.
Risk analysis
Determine what kind of data has been stored on infected devices. Does the company keep backups? How much damage would the company suffer if the hackers were to delete the data? What if the hackers were to release the data to the public?
Solution
Disconnect infected devices from the network as soon as possible. Continue analyzing the network for any signs of hacker activity. Prepare to restore stolen data from backups. If client or user information could be stolen, prepare a statement and inform everyone who was affected.
Prevention
Consult specialists and heads of departments to analyze how the cyberattack could have been avoided. Are employees aware of cyber threats? Discuss ways to strengthen the network and implement cybersecurity features like multi-factor authentication. List people who will oversee the improvements.
Testing
After the preventative measures have been implemented, prepare to test them. The company will assess employee awareness by sending monthly “phishing” newsletters. Every quarter, those responsible will organize a sit-through to go over the scenario again.
In order to know your company is ready to face different threats, you must test your business continuity plan regularly. Testing helps uncover planning blind spots. How you do it depends on the threats themselves and your company’s resources, but here are a few ways.
Coordinating your plan with different departments
After creating your business continuity plan, call the stakeholders from other departments to get a fresh look. The most important parts to coordinate between departments are the key contacts, communication channels, and steps of recovery.
Talk through an event
Based on the risks described in your plan, create a scenario and go through it with everyone involved. It may be useful to involve people who weren’t familiar with your BCP before.
A drill
Some things can be missed just by sitting at the table, so a walkthrough can offer more insight into navigating a stressful scenario than a talk-through. Here, everyone involved should be present and go over the steps physically.
Full-scale test
The highest level of testing is a full-scale walkthrough. If the scenario concerns data loss, you should actually restore data from backups. It can take a lot of time, but this method will reveal anything you’ve missed previously.
With different types of testing, the question is which ones you should use. A good rule of thumb is to walk through the plan with new employees every quarter or at least twice a year. But your case may have completely different requirements.
Also, do not forget that training your employees is as effective as testing your continuity plan. Different seminars, workshops, and internal preparedness testing may be the best way to prevent data leaks and cyber attacks.
NordLocker is a secure, end-to-end encrypted cloud you can use to sync, back up, and share all your company documents. It allows your company to work in a secure environment and control access to company data, and in cases of ransomware or damage to devices, it can help you restore your data.
Eva Simpson
Verified author
Eva is usually the quiet one in the gang. But don’t let that silent demeanor fool you. She’s a brown belt in Brazilian Jiu-Jitsu. And when she’s not kicking butts, Eva loves to dissect complex tech topics in a way even 5-year-olds would understand.