Cyber attacks can happen to any business. In this blog, East Midlands Special Operations Unit (EMSOU) outlines the steps firms can follow in the face of disaster.
Critical files encrypted by ransomware, denial of service attacks, hardware failures, human error and even adverse weather can bring any organisation to its metaphorical knees.
During such times of trouble, a Business Continuity Plan (BCP) will not only keep critical functions running, but will also address how to deal with customers, the press, suppliers and even the workforce.
In this blog post, EMSOU - a collaborative venture between the five East Midlands police forces - looks at how to implement a Business Impact Assessment. Part 2 will follow next week.
Business Impact Assessment (BIA)
Step 1: Fire up a spreadsheet and in column one, for each department, list all business activities. What tasks do your employees perform day in, day out? Helpful Tip: Many organisations will distribute the spreadsheets to departmental managers in the first instance or ask a knowledgeable member of the BCP team to conduct interviews. The latter gives us consistency and also allows those being questioned to 'show and tell'.
Step 2: In the next three columns, record:
What hardware is needed to perform these jobs (look around the office)
What software is needed to perform these jobs (look on the computers staff use)
What data is needed to perform these jobs and where this data is stored (sometimes called a vital records programme)
Helpful Tip: Have an IT bod around when performing this part of the analysis to clarify the names of the systems and applications in use.
Step 3: Consolidate and refine - is there scope to collapse discrete activities under bigger 'functions' to make our list more manageable?
Step 4: We now want to rate the importance of each activity against our Mission Critical Functions (MCF). So, we might develop a yardstick like this:
If the activity stops, what is the impact on:
MCF1: Employee welfare and safety
MCF2: Enterprise reputation
MCF3: Compliance with legal, regulatory or even contractual obligations
MCF4: Operating costs
MCF5: Our competitive edge
For each activity, we can then assign a 'subjective' ranking of:
Very High (5 points), High (4 points), Moderate (3), Low (2), Very Low (1)
If we repeat this process for other activities we will eventually have a prioritised list of departmental activities or business functions.
Step 5: In the next column, specify how long we can go without each business function before irreparable harm is done. Is it minutes, hours, days or weeks? This time limit is known as the 'Maximum Tolerable Downtime' (MTD). Many organisations complement this figure with another: the Recovery Time Objective (RTO) - this is the amount of time in which you can feasibly recover the business function in the event of a disruption. As you can imagine, the goal of Business Continuity Planning is to ensure that your RTOs are less than your MTDs. In other words, you do not want a situation where a business function is unavailable beyond the maximum tolerable downtime.
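As an added example (not from EMSOU's post), here is a small Python model of the spreadsheet built in Steps 1 to 5: it applies the post's five-point yardstick across the five MCFs, orders activities by total score, and flags any function whose RTO is longer than its MTD. The duration notation ('4h', '2d') and the sample rows are assumptions for illustration.

```python
from dataclasses import dataclass

# The five Mission Critical Functions from the post, and its 5..1 rating yardstick.
MCFS = ("employee welfare", "reputation", "compliance", "operating costs", "competitive edge")
RATING = {"Very High": 5, "High": 4, "Moderate": 3, "Low": 2, "Very Low": 1}

# Minutes, hours, days, weeks (the post's units) expressed in hours.
UNIT_HOURS = {"m": 1 / 60, "h": 1, "d": 24, "w": 168}

def parse_duration(text: str) -> float:
    """'30m', '4h', '2d', '1w' -> hours. Assumed notation, not from the post."""
    value, unit = float(text[:-1]), text[-1].lower()
    if unit not in UNIT_HOURS:
        raise ValueError(f"unknown unit in {text!r}")
    return value * UNIT_HOURS[unit]

@dataclass
class Activity:
    name: str
    department: str
    ratings: dict   # MCF name -> rating label, one entry per MCF
    mtd: str        # Maximum Tolerable Downtime, e.g. "4h"
    rto: str        # Recovery Time Objective, e.g. "1d"

    def score(self) -> int:
        """Total of the subjective ratings; every MCF must be rated exactly once."""
        if set(self.ratings) != set(MCFS):
            raise ValueError(f"{self.name}: rate every MCF exactly once")
        return sum(RATING[label] for label in self.ratings.values())

    def rto_exceeds_mtd(self) -> bool:
        return parse_duration(self.rto) > parse_duration(self.mtd)

def prioritise(activities):
    """Activities ordered highest score first: the post's prioritised list."""
    return sorted(activities, key=lambda a: a.score(), reverse=True)

def continuity_gaps(activities):
    """Names of activities that would be down beyond their MTD (the situation to avoid)."""
    return [a.name for a in activities if a.rto_exceeds_mtd()]

# Constructed sample rows standing in for the spreadsheet.
SAMPLE = [
    Activity("Payroll run", "Finance",
             dict(zip(MCFS, ["Very High", "High", "Very High", "Moderate", "Low"])), "2d", "4h"),
    Activity("Order processing", "Sales",
             dict(zip(MCFS, ["Moderate", "Very High", "Moderate", "Very High", "High"])), "4h", "1d"),
    Activity("Office newsletter", "Marketing",
             dict(zip(MCFS, ["Very Low", "Low", "Very Low", "Very Low", "Low"])), "2w", "1w"),
]

if __name__ == "__main__":
    for a in prioritise(SAMPLE):
        print(f"{a.score():2d}  {a.department:10s} {a.name}")
    print("RTO exceeds MTD:", continuity_gaps(SAMPLE))
```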
Putting it all together:
Our spreadsheet is starting to build a picture of what activities and functions are mission critical and the systems, applications and data upon which they rely. Once we know what is most important, we can prioritise our resources protecting them.
For example, perhaps we need:
Alternate premises / reciprocal agreements or support for mobile working
Redundant data stores (aka backups)
Redundant supply chains
Redundant support services / supply chains
Cross training or succession planning for staff
Workarounds - such as using paper-based systems.
Better security controls
* This advice has been collated by EMSOU and is intended for wider distribution within the East Midlands region to raise awareness among businesses and the public. If you require any further information, assistance or guidance please contact the EMSOU Protect Team.