Business Continuity Planning: 5 Actions CISOs Need to Take Now

Organizations around the globe are in the middle of one of the major network revolutions of all time. The COVID-19 pandemic forced organizations to quickly adapt to different challenges over the past six months. With the sudden transition to working from home, organizations were required to rethink their digital strategy in order to deal with the new normal.
Remote work policies are changing the way we work. As new remote technology is introduced into the organization’s strategy, it’s important for the entire organization to understand how it affects their daily work routine.
With the changes in technology and the location of the working environment, the organization’s management team needs to think about the different challenges facing them. One of the more important but less headline-grabbing threats that all businesses need to think about is their business continuity plans.
Business continuity means having a plan for how a company deals with serious incidents and disasters, in order to ensure the business can continue functioning within a reasonably short period. In the case of COVID-19, most organizations were unprepared for this unprecedented shift to remote work, something they had not previously considered and had therefore not included in their business continuity plan. Too often, business continuity plans are either too technical or too high-level for the casual employee, which usually results in a lack of actionable items to implement.
Now that we are over six months into the new reality and remote work is inevitable for the foreseeable future, organizations should be updating their business continuity plans (BCPs). Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) have invested time in, and carry responsibility for, the effectiveness of their business continuity plans. Today, a cybersecurity strategy is an integral part of keeping businesses running while workers are remote.
In order to gain insights into actions that CISOs can take to improve their organization’s business continuity plan, we spoke with experts who gave us their top tips. 

Be Involved In the Process But Delegate

Business continuity is an essential part of the survival planning for every business and organization. Too often it is erroneously assigned to the Information Security leader when in essence it is a business project and process that involves the key decision-makers in the C-Suite. Of course, a good CISO needs to be involved in the process, but should not own it.
“Any viable Business Continuity Plan must be tied and coordinated with a Disaster Recovery Plan. Essentially, a business must go on regardless of any type of interruption. If that requires manual systems to be brought up and be put into place, which is sometimes the case, then a good contingency plan to do this must be well-thought-out and everyone needs to know their part. Building a Business Continuity Team is the important first step, and it must include sponsors at the decision-making level. Additionally, the CISO, CIO, CFO, Legal, Human Resources, and Risk also need to be on this team.” – Richard Greenberg, Founder and CEO of Security Advisors LLC.

Make Sure Recovery Locations Are Useable

One of the biggest lessons people have learned during the pandemic is that business continuity planning needs to account for the fact that the recovery location(s) might also not be usable. Working from home was always a viable option, but business continuity planners assumed it would apply to only a few employees and not the entire business.
“COVID totally put that idea out to pasture. The idea that everyone would have to work from home was a total game-changer. Organizations were caught without equipment to make WFH viable, thus having to rely on bring your own device (BYOD), which brings a lot of potential risks, as well as finding ways to minimize and manage those risks. Some had to re-engineer multi-factor authentication (MFA) to allow for use of Google and Microsoft Authenticator solutions by their employees. They found that their infrastructure was unable to scale, even in the cloud.” – Jeff Hall, Senior Manager of Auditwerx.

Don’t Forget Security

An effective business continuity plan enables employees to continue their work safely and effectively, no matter the circumstances. When working from home, cybersecurity should be one of the main aspects of the continuity plan. 
“To make security stringent, your company should follow basic and advanced cybersecurity measures. Always prefer using a secure remote access solution, as it provides you with security and privacy over the internet. Similarly, always encourage using systems issued for office work only. Additionally, make sure that your official documents are only shared with the restricted persons; this way, no irrelevant person will be able to open them even if they are shared over email.” – Shahid Hanif, CTO and Co-founder of Shufti Pro.

Educate Your Employees

Educating your employees about the new security protocols and technology being implemented is an integral part of business continuity. This requires more than a single briefing; it requires a regular, ongoing plan for educating employees.
“With everyone working remotely, it’s a mistake to suggest that the business security only falls on the IT and security teams. Organizations should schedule a virtual security session to prepare employees with the new tools and protocols that the business has implemented. Additionally, security teams should educate employees about the different security risks and attacks that are on the rise with everyone working from home. By educating your staff you will be one step ahead of potential attacks and risks inside your organization.” – Sivan Tehila, Director of Solution Architecture of Perimeter 81.

Test Business Resiliency Capabilities

Given the new and possibly unique user requirements of working from home under the current circumstances, are real-time operating systems and a recovery point objective determined in a pre-COVID world still reasonable, logical, and appropriate under the current operating conditions?
“By continuously testing your ability to recover critical business processes with your entire recovery team not being physically in the same location you will be more as a business. I suggest that you check if you can effectively coordinate your recovery team and individual assigned duties via communications tools such as Zoom and Webex. Additionally, you need to check if individual recovery team members have, at their home locations, sufficient Internet capacity to coordinate recovery activities (with multiple other company employees), while at the same time competing for local bandwidth with other in-home Internet capacity demands.” – Al Marcella, President of Business Automation Consultants.

Moving Forward

While COVID-19 will pass, the actions taken and the experience gained can help businesses moving forward. With the right business continuity plan in place, you can provide transparency with your business in the case of recovery should another pandemic or emergency occur. The stronger the business continuity plan, the fewer the future headaches.