Information Security and Business Continuity Both Protect Your Business
Cybersecurity and business continuity are usually handled by two teams that don’t talk to each other very much. The security team is driven by technology, driven by concerns about the technology that creates risks and the technology that provides protection. The business continuity team is driven by non-technical business issues.
Except the two teams really should be talking to each other. Business continuity isn’t just about recovering from natural disasters. Manmade disasters, like a cyberattack, can also lead to a need to invoke your business continuity and disaster recovery plans. It’s important to make sure cybersecurity is part of your thinking about how to avoid disaster and how to recover from disaster.
Any cybersecurity threat that results in exposure of data also exposes the company to a significant reputational risk that threatens the company’s ongoing operations. Because many businesses suffer repeated attempts at hacking, cybersecurity risks may in fact be a bigger threat to the business than events like a 100-year flood.
This means that your business continuity and information security teams need to be able to collaborate in response to a data breach or other cybersecurity incident.
Integrating Continuity Into an IT Outage
IT outages can be limited or can have impacts that extend beyond the immediate business users and require input from the continuity team. To make sure these larger incidents receive the appropriate attention:
- Integrate the continuity and security leadership. There needs to be at least one point of overlap in the staffs assigned to these issues. Ideally, at least organizational leader will have formal responsibilities on both teams. If not, there should be a regularly scheduled meeting to ensure challenges are raised and addressed by both teams.
- Even though security and continuity will have separate incident response plans, conduct a review to ensure that the two plans work together to provide the necessary coverage the business needs. This means, for instance, that the security plan needs to identify triggers for bringing in the continuity team in response to incidents such as a large breach that threatens the business’ reputation.
- Ensure that a crisis doesn’t lead to a breakdown in communications. If an incident shuts down corporate systems, regulators or the media may begin raising questions about the outage and the corporate response. It’s important that the communications team has accurate information about the technical, legal, and business impacts of the outage.
Integrating IT Into Business Continuity
Every business continuity plan should have a large technology-based disaster recovery plan. Security considerations need to be baked into the plan, and access control and information security at any secondary site needs to be at the same level and provide the same controls as at the primary site. This means certificates and security tokens need to be installed, along with user identify information.
There should also be a clearly defined process to inform IT that a business continuity event has occurred and needs their support.
Information security, disaster recovery, and business continuity are difficult challenges to address. Help your IT and business continuity teams work together using strategies developed by Prescient Solutions. Our team of experts has been solving Chicago-area IT challenges for 20 years. Contact us to start making sure your business continuity and information security plans support each other in protecting your business.