Everyone knows you need a Business Continuity Plan (BCP). But is your organization testing the plan regularly or is it sitting on a shelf gathering dust? At the Cooperative Technologies Conference and Expo, Greg Manson, VP of Security, Audit, and Compliance for Tego, was part of a panel discussion on business continuity and disaster recovery.
As Manson brought up, a silver lining of the recent pandemic is that virtually every company figured out how to work remotely. This was a real-life test of a critical part of any BCP. But there are other aspects of business continuity that need addressing. Here are some key takeaways from the panel:
Humans are the most essential part of a Business Continuity Plan
“This thing we see in audits is failing to address personnel. And not just your employees, but also suppliers and third-party people,” Manson says. “We see failure in communications.”
You need to know who to call and who will manage communications internally and externally. And every critical person in a backup plan needs – backups – to adapt when people may not be available due to illness, vacations, etc.
It’s useless to plan without testing
Testing should not be confined to the incident command team. All stakeholders need to understand the business continuity plan and how it works, who will be in charge, and how long it will take. And they need to be engaged in extensive tests that aim to replicate what it is like for multiple systems to go down and come back up.
Manson says that while incremental testing is important (e.g. conducting a test restore on one system), it can’t replace full-run tests.
Those full-run tests (and even some smaller ones) will result in downtime. That can be a tough sell to upper management. It’s essential to explain that productivity losses could be much worse without testing.
Not all data is equal
As part of business continuity and disaster recovery plans, triaging which data is the most important and must be available immediately is critical. That process can be facilitated by a thorough Business Impact Assessment (BIA). Also, educating your IT staff about data and how to protect it, back it up, and replicate it is vital. Our panelists pointed out that “80% of data loss is related to human error.”
The BIA helps organizations decide what data needs to be available immediately and what can be brought back online much more slowly. Panelists noted that rarely used archived information doesn’t meet the urgency requirement like payroll or key supply chain data. Whatever data is prioritized, make sure the security center is up and running first.
In addition, review your geolocation plans. Backup and replication are components of a solid BCP, but you need to consider where your backups and replication reside to manage natural disasters and geographic network failures.
For more information on how to build and/or test your BCP, Disaster Recovery and Incident Response plans, contact us today.