The Ministry of Defence released an ‘Industry Security Notice’ to “remind readers of the importance of having an effective and up-to-date Business Continuity Plan (BCP)”.
These notices are generally aimed at organisations connected in some way to the Defence sector, but the message is vital for every organisation, regardless of sector.
This isn’t the first time we have covered the importance of having a BCP, an IR Plan and a Crisis Management Plan in place in your organisation, but you can never have too many reminders for something that is vital to mitigating the impact on your operations if there is a disruption.
If there is an incident—it could be a cyberattack, a natural disaster…a pandemic—your people need to know how to respond in order to ensure your operations can and will recover quickly. Going back to the notice, it makes an excellent point: “If you have not planned for the ‘what ifs’, should something go wrong it’s easy to tip into crisis and panic mode, then battle your way to get going again – which can be frustrating, stressful and impact” your bottom line, reputation, and people.
If an incident happens, what’s your plan B?
The last thing you want to be doing is trying to handle an emergency without any planning or training, so we strongly recommend that you:
Put a plan in writing. And make sure you brief all the relevant stakeholders. You should consider what incidents or disruptions are possible for your organisation, as a whole and in specific roles and working environments. This would include undertaking a risk assessment and having a risk register so you can prioritise your actions.
Make sure your suppliers have also done this. The supply chain is one of the channels that criminals use to access your networks and data. And what happens if a key supplier’s operations are disrupted? How does that affect your own?
Keep your plans up-to-date. If your organisation invested in planning three years ago but hasn’t revisited the outputs since, they are likely to be out of date and not useful for an incident that happens today. Have a review cycle in place so you don’t get caught out.
Test your plan. Regularly. A lot of things look good on paper but putting them into practice is a very different experience. That’s why it’s important to test the plans so you can work out any gaps and review any changes that may have been enacted since the last review. Make sure that all relevant stakeholders are involved and a debrief is included in the exercise.
Follow the plan. It’s very easy to panic when something goes wrong, but if you have a plan and you’ve tested it, you’re not starting off on the back foot when it needs to be rolled out for real.
Prepare, prepare, prepare
If you would like support in developing, updating or exercising your BCP, IRP or CMP, our team of experienced cyber security and information assurance consultants are available. Contact us to talk about how we can help you prepare for any situation that may arise.