A Business Resumption Plan, or BRP, is a document that outlines the steps a business will take to resume operations after a cyber event.
Insider Insight: A business resumption plan is useful for any event that may shut down business operations. This can include natural disasters, systems failures, or, as we will cover in this article, cyber-attacks.
This document is critical for businesses of all sizes, as it serves as your roadmap to get back to an operating state following an incident.
Important: Developing (and maintaining) a business resumption plan is particularly important for businesses in “cyber-sensitive verticals”. If your business has access to confidential information, you likely are in a cyber-sensitive industry.
Insider Insight: As I’m sure you have gathered, this is not a trivial process. Developing an effective business resumption plan that is consistently tested is a large undertaking.
The best way to approach business resumption planning is to work with an expert team. For smaller businesses, a business resumption plan will be considerably less complex. You can likely create your own simplified business resumption plan if you are a very small business.
An effective business resumption plan will likely involve your entire team in some capacity. To properly utilize your team to their highest potential, you will need to have key members from each department contribute to your BRP.
A historically effective setup is:
Important: It is vital to ensure that your BRP does not rely on a few individuals. Your plan should be realistically executable by a multitude of different parties. This ensures continuity in case those few key individuals are inaccessible.
Insider Insight: Exceptionally complex plans with mountains of documentation often get ignored. Be precise when writing documentation and exclude everything that is not necessary. Remember, this needs to be executed in the event of an emergency. Time will be of the essence.
This analysis will help you understand the potential impacts of an incident on your business.
Here you will be identifying critical business processes and prioritizing those processes according to operating importance. When determining the importance of any given critical business process, it is important to remember to include the impact that this business process has on staff, equipment, and your systems. If this particular process has many high-dependency processes attached to it, it is a high-priority item.
Here you will also consider the impact of various emergency events. Remember, critical business failures can occur as a result of a variety of events.
For example, if a ransomware event occurs, how will you deal with your business network being inaccessible? How will you do payroll for your employees? How will you coordinate with your partners? How will you ensure your invoices are paid on time? How will you manage the reputation impact?
Common business disasters include:
Insider Insight: You should make educated assumptions about which emergency events are going to occur and the amount of time that critical business processes will be affected. Prioritize these events according to their likelihood of occurrence.
It is important to have this information before developing your plan, as it will help guide your decision-making process.
A comprehensive cybersecurity assessment is a critical component of determining an organization’s cybersecurity posture.
The goals of an assessment are as follows:
You then can use your findings to make informed decisions about how security strategies can be implemented in your business.
Insider Insight: An effective assessment will likely vary quite significantly from one organization to the next. Your business industry, location, and regulatory requirements will change your specific process. The core foundation of an effective cyber security assessment does however remain the same, regardless of the aforementioned complexities.
1. Figure out the scope of your assessment.
This will be a lesson in thoroughness. You will need to identify every asset that will be evaluated to accurately determine the full scope of the project. We would recommend starting small with a single asset type and moving systematically through in that fashion.
Once you have chosen your asset type, you will need to determine the asset's dependencies.
Take your time on this step of the process as this will ensure you are getting a comprehensive look at your entire network. Cutting corners here could mean critical vulnerabilities being unintentionally ignored. The likelihood is that you will find that your network is a complex spider-web of information.
2. Determine the value of each asset
For each asset, gather specific information where applicable such as software, hardware, end-users, purpose, criticality, and any security policies in place.
Insider Insight: It’s important to remember that the value of an asset likely extends beyond just the cost of the hardware/software. Consider the intangible cost of an asset and the cost of the loss of an asset to your business.
Typically we find most assets’ actual value extends well beyond the expectation. We live in an interconnected world and your business is no different.
3. Identify gaps in your security
This is where a lot of the complexity comes in. It is nearly impossible to do this without having a background in cyber security or information security.
What you are going to want to do is calculate the likelihood of various business loss scenarios. Essentially you are looking to identify security holes, calculate the impact that an exploit would have on your organization, and mitigate those risks.
The most common threats that affect every organization typically include:
Unauthorized access: from attackers, malware, or employee error.
Misuse of info by authorized users: data may be altered, deleted, or used without approval.
Leaked data: identifiable information being leaked intentionally by attackers or unintentionally by poorly configuring systems.
Business disruption: loss of revenue/reputation damage due to business downtime.
I have oversimplified the process here. I would recommend visiting the NIST framework page to get a much deeper dive into cyber security practices.
4. Perform an info value vs cost of prevention analysis
This is the way you figure out what to prioritize first and what is most immediately beneficial.
What we are looking for is to assess the importance of securing a category of your data compared to the relative cost for your company to do so.
To do this, weigh the likelihood of a threat and its potential impact against the cost of preventing it. We can then produce a plan for which holes need to be patched first.
Important: Something to remember is that the impact of a cybersecurity incident extends beyond just money. It is common for a brand’s reputation to be negatively affected after suffering from a cyber incident. Take this into consideration when performing your information value vs cost of prevention analysis.
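The comparison in step 4, worked through as an added example (not part of the original article). The `Risk` fields, the dollar figures and the simplification that a control fully prevents its loss are all assumptions made for illustration; the `include_reputation` switch shows how leaving out reputational damage changes the ranking.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float         # estimated chance of the event in a year (0..1)
    financial_impact: float   # direct loss if it happens (downtime, recovery)
    reputation_impact: float  # estimated cost of lost trust and lost business
    prevention_cost: float    # yearly cost of the control that addresses it

def expected_loss(risk, include_reputation=True):
    """Likelihood times impact; reputation can be left out for comparison."""
    impact = risk.financial_impact
    if include_reputation:
        impact += risk.reputation_impact
    return risk.likelihood * impact

def prioritize(risks, include_reputation=True):
    """Return (fix_first, review): fix_first is ranked by loss avoided per
    unit of prevention cost; review holds risks whose prevention costs more
    than the loss it is expected to avoid."""
    def ratio(risk):
        return expected_loss(risk, include_reputation) / risk.prevention_cost
    fix_first = sorted((r for r in risks if ratio(r) >= 1), key=ratio, reverse=True)
    review = [r for r in risks if ratio(r) < 1]
    return fix_first, review

# Constructed figures for the four common threats listed in step 3.
RISKS = [
    Risk("Unauthorized access", 0.30, 200_000, 100_000, 15_000),
    Risk("Misuse of info by authorized users", 0.10, 80_000, 20_000, 12_000),
    Risk("Leaked data", 0.20, 150_000, 250_000, 20_000),
    Risk("Business disruption", 0.25, 400_000, 80_000, 40_000),
]

if __name__ == "__main__":
    fix_first, review = prioritize(RISKS)
    for r in fix_first:
        print(f"{r.name}: expected loss {expected_loss(r):,.0f}, "
              f"prevention {r.prevention_cost:,.0f}")
    print("Review before spending:", [r.name for r in review])
```

With these constructed numbers, counting reputational damage moves "Leaked data" ahead of "Business disruption"; on direct financial loss alone the two swap places.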
5. Document your findings.
This report doesn’t mean a lot if you can’t reference it later. This report will serve as an invaluable tool you can use to complete the rest of your business resumption plan. It is critical that you meticulously document your findings.
You can also use your report as a training tool for new hires coming into your organization.
Quick Tip: Take your time here. Meticulously organize your findings; you won’t regret it.
The objective of a recovery strategy is to reduce the impact that an outage will have on your business. Your recovery strategy should determine how each of the critical assets we defined in our Business Impact Analysis will be recovered.
We will determine:
The recovery process will consist of 5 key stages:
Determine the vital records required to maintain critical business functions determined previously by the Business Impact Analysis. Verify those vital records and develop procedures to recover/reconstruct those vital records. You should also take the time to develop procedures for building and/or maintaining your offsite backups. Review all procedures & procedure language to ensure they are functional in case of an emergency.
Insider Insight: In the event of a critical business failure, your offsite backups become your most valuable asset. A properly configured network should make it nearly impossible for a threat actor to encrypt properly segregated backups. Even then, procedure failures have caused these seemingly impenetrable backups to fail. It pays to be careful and meticulously follow the best procedures, especially when dealing with critical business data.
Now that we have all the pieces in place, we can get to creating our business resumption plan. If each of the previous steps was completed as directed, creating the plan should simply be a matter of organizing documentation and maximizing efficiency.
Important: Remember to specifically document how every critical business function will be restored. Focus on the highest dependency functions first and work your way down. It is important to be caught in the minutiae while developing these plans but it’s just as important to take a 1000ft view and ensure that each moving part moves together cohesively and efficiently.
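One way to turn "highest dependency functions first" into a restore order, covering both this step and the dependency ranking described in the Business Impact Analysis. This is an added example, not part of the original article, and the process names and dependency map are constructed. Each process is ranked by how many others cannot run without it, directly or indirectly.

```python
def transitive_dependents(depends_on):
    """Map each process to every process that cannot run without it."""
    for proc, deps in depends_on.items():
        for dep in deps:
            if dep not in depends_on:
                raise ValueError(f"{proc} depends on undocumented process {dep}")

    def all_dependencies(start):
        seen, stack = set(), list(depends_on[start])
        while stack:
            dep = stack.pop()
            if dep == start:
                raise ValueError(f"circular dependency involving {start}")
            if dep not in seen:
                seen.add(dep)
                stack.extend(depends_on[dep])
        return seen

    dependents = {proc: set() for proc in depends_on}
    for proc in depends_on:
        for dep in all_dependencies(proc):
            dependents[dep].add(proc)
    return dependents

def restore_order(depends_on):
    """Most-depended-on first. A dependency always has strictly more
    dependents than anything built on it, so this order never restores a
    process before the things it needs. Ties are broken by name."""
    dependents = transitive_dependents(depends_on)
    return sorted(depends_on, key=lambda p: (-len(dependents[p]), p))

# Constructed dependency map: process -> what it needs in order to run.
PROCESSES = {
    "network": [],
    "identity": ["network"],
    "file server": ["network", "identity"],
    "email": ["network", "identity"],
    "accounting system": ["identity", "file server"],
    "payroll": ["accounting system", "email"],
    "invoicing": ["accounting system", "email"],
}

if __name__ == "__main__":
    counts = transitive_dependents(PROCESSES)
    for step, proc in enumerate(restore_order(PROCESSES), start=1):
        print(f"{step}. {proc} ({len(counts[proc])} processes depend on it)")
```

A dependency that is missing from the map, or a circular one, raises an error instead of producing an order, since either means the documentation is incomplete.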
To fully uncover every possible hiccup, you have to rigorously test your plan for the entire life of the plan. To be prepared for all contingencies, you need to test your plan frequently (and to the fullest extent possible).
As your business environment changes, your plan must change as well. This is why it is so important to appoint a coordinator. As the champion of your business resumption plan, they will be responsible for recognizing when changes need to be made to your BRP and then facilitating those changes.
It also pays to occasionally audit your business resumption plan to ensure that it still aligns with your organization’s requirements.
There you go, you are well on your way to creating a more secure business that is substantially more prepared for an emergency.
This is a complex topic. If you have more specific questions, please reach out to our team here at Techfive.
Techfive focuses on what is called “digital transformation”. Meaning we partner with organizations that recognize the power of technology in their business. We use technology to drive businesses towards their long-term goals (and protect them along the way).
Our advisors would love to have a chat with you.
Marketing Manager @ Techfive | Working to make B2B brands more personable & human.
2022 Techfive, LLC.