Is Your Business Ready for the Storm after the Storm?
Do you know where your supply chains end? Who stores your data? If an employee has a problem with their paycheck, who do they call? When a hacker breaches your network, how do you respond?
Resilience. Risk Management. Business Continuity. Disaster Recovery. Incident Response. Crisis Management. These are not just buzzwords or blocks to check on a compliance matrix. Getting these right can mean the difference between staying in business or not.
The bottom line is that doing business today is a complicated undertaking that often relies on external parties and factors outside of your control. This “extended enterprise” allows a number of benefits, but also exposes companies to greater risk such as critical supplier business failure or accountability for third party actions.
Understanding your own critical business processes, supporting and interdependent IT systems, and physical vulnerabilities (including those of your partners, subcontractors, and supply chain) is critical. The simple fact is that companies with robust, established Business Continuity and Incident Response programs are better able to identify, respond to, and recover from incidents and data breaches more quickly, with less downtime, and at lower cost than companies that lack these programs.
According to the 2015 Cost of Data Breach Study, conducted by the Ponemon Institute for IBM, the average data breach cost companies $3.8 million, or $161 per compromised record in 2014. This cross-sector survey involved 350 companies across 11 countries and 16 industry sectors from IT and Finance to Retail and Education.
Companies with established and robust Business Continuity Management (BCM) processes were able to reduce that cost to $147 per record. More importantly, companies with established BCM were able to reduce their mean time to identify a breach by 27% (178 days instead of 234) and reduce their mean time to contain a breach by 41% (55 days instead of 83). Furthermore, 74% of companies responding to the Ponemon study without BCM processes reported a material disruption to their IT or other corporate operations as a result of a breach. With BCM involvement, that decreases to 52%. Even with these findings, only about half of the companies in the Ponemon study currently involve their BCM team or processes when confronted with a data breach.
In his most recent book, Cyber Crime and Cyber War: What Everyone Needs to Know, Peter W. Singer states, “As long as you are online there will be threats. A company’s real focus should be on resilience, which is the idea of powering through the breach and getting up quicker after you’ve been knocked down.” One of the keys to successfully ‘powering through’ is robust incident response and effective BCM.
Results are similar on the physical side. From Hurricane Katrina to the city-wide hunt for the Boston Marathon bombers to more local events like structure fires and broken water pipes, companies with robust BCM are the first to get back to business. 25% of businesses do not reopen following a major event, and yet a survey by Traveler’s Insurance found that 48% of small businesses are operating without any kind of business continuity planning.
In the public sector, continuity is guided by FEMA, Homeland Security Presidential Directive-20 (focusing on National Continuity Policy), and Federal Continuity Directive-1. For Federal Information Technology, continuity is mandated by the National Institute of Standards and Technology Special Publication 800-34 and specific continuity “controls” in NIST SP 800-53. In the Financial Sector, continuity requirements are outlined in Sarbanes-Oxley. ISO 23001 and BS 65000 provide best practices for the business world.
To be effective and achieve the kind of resilience discussed above, Incident Response and Business Continuity has to be more than “shelf-ware.” It has to be more than a few plans in binders, or a call-tree, or email distro-list that is reviewed and updated annually.
Business Continuity must be a holistic process that integrates with the company’s existing plans and policies for incident response, disaster recovery, risk management, public affairs and crisis communications, severe weather, procurement, and human resources. It must work from both the top-down, and from the bottom up. And it must be trained, understood, and practiced by all employees.
Not all organizations are prepared to tackle BCM efforts without guidance. Consultancies like MindPoint Group can help private and public sectors alike by:
- Reviewing and revising existing policies, strategies, and procedures
- Conducting Business Impact Analyses and Risk Assessments to help companies better understand their own interdependencies and vulnerabilities
- Developing new policy
- Developing and conducting training and exercise programs
- Serving as an impartial, 3rd party observer/evaluator for exercises
Contact MindPoint Group today to ensure that your business continuity and disaster recovery plans prepare you for the storm after the storm.