Organizations have been rocked by a wave of business crises over the past two years. Data breaches, natural disasters, economic turmoil and the COVID-19 pandemic have many people worried about how they will weather other events in the coming year.
In the recent FTI Consulting Resilience Barometer survey, German business leaders cited a long list of scenarios that they believe could hurt their business in the short term. Nevertheless, preparedness efforts for such events continue to be a low priority. The survey revealed that 65% of respondents agreed with the statement that their organization is struggling to adequately plan for an increasing number of crisis scenarios. Only a third said they invest in updated business continuity (BC) plans.
What’s particularly interesting about these numbers is that many organizations are investing heavily in cybersecurity by adding internal and external resources to protect their systems and prevent attacks. This is significant progress, as cyber threats present some of the greatest financial, regulatory, operational and reputational compliance risks to organizations. However, no system can be 100% secure 100% of the time – intrusions will always happen. Additionally, aside from cyber risk, there are countless other crisis events that can disrupt and cause significant damage to a business.
The key to reducing these risks is investing adequately in business continuity plans, as well as updating and modernizing IT infrastructure. Unfortunately, many decision makers within a company see IT as a cost center and a priority target when budgets need to be cut.
Keep systems up-to-date for reliable continuity
Many companies are content to install new tools as they grow, without investing in an overall systems update. This creates a heavy IT landscape that can be very difficult to restore if systems are shut down or powered up during a major incident. This is a common but serious misstep, as IT resiliency is key to keeping everything up and running within an organization, especially during a crisis.
For example, an FTI Consulting client had an IT landscape that hadn’t been updated in over 40 years. As the company grew organically and through acquisition, the IT infrastructure was never integrated or updated. Instead, more and more systems have been added over the decades. When the company faced a large, high-stakes investigation, it had no map of internal applications and systems that might contain important or sensitive data. This led to a long and costly investigation and exposed the company to unnecessary risk.
In another case, a client’s business was completely shut down for more than three weeks following a cyber incident. The attacker encrypted all of the customer’s systems, and since the organization did not have a functioning BC plan, it was impossible for business operations to continue until the incident was fully resolved. For this customer – and many organizations like him – a long downtime has had serious business consequences, including potential insolvency.
These examples illustrate that surviving a major crisis requires a robust business continuity plan and up-to-date countermeasures supported by a sophisticated IT infrastructure. Business leaders need to rethink their IT strategy to ensure that their organization’s systems are modernized and resilient enough to withstand a wide range of disasters.
5 Ways to Strengthen Business Continuity
Businesses can take five steps to close gaps in their IT infrastructure to ensure that operations can quickly and fully resume following a major cyberattack or other major disruption.
1. Map the entire environment.
Organizations need to know what IT systems are used, how they are used and accessed across the enterprise, and what type of information is stored there. Creating and maintaining an up-to-date IT environment will inform teams of which functions depend on existing systems and which parts of the internal landscape are likely to be hardest hit during a crisis.
2. Perform a risk analysis.
IT and cybersecurity teams can work with other business decision makers to assess the risk levels of each system. This involves comparing the organization’s business model to the IT infrastructure to determine which systems are critical to operations. During the risk analysis, key considerations — such as the organization’s ability to survive without email for a week, regularly backed up systems, and cloud-based or on-premises systems — should be weighed and processed. Organizations may want to assign tiers to each system to define which ones need to be restored the fastest.
3. Consider roommates.
This is often the safest way to collocate critical systems or keep certain backup systems offline. Ensure that the colocation is not connected to the corporate network through Active Directory and is segmented from other systems, as trade-offs can occur if the colocation is the primary data storage environment and has a connection to the corporate network. Colocation allows organizations to bring their most critical systems back online and continue operations, even if core systems have been breached or otherwise disrupted.
4. Evaluate and update the backup and recovery strategy.
Many organizations keep backups, but backups are not always frequent enough to allow for efficient recovery. The backup and recovery strategy should be closely evaluated and updated to ensure business continuity. Key considerations include frequency of backups (daily, weekly, monthly), resources needed to enable rapid recovery in the event of a problem, and external vendors that should be engaged to provide servers, other hardware, and recovery services. case of emergency. In addition to these considerations, best practices should include protecting access to backups through multi-factor authentication, storing backup copies offline or offsite, and regularly testing the integrity of backups.
5. Review BC plans of target companies.
One of the most common ways to compromise security, governance, and business continuity is when the IT practices of acquired companies are not properly controlled or integrated. During an acquisition, it is important to assess the target’s BC plans and IT landscape and create a detailed integration or remediation plan once the transaction is complete.
Business risks are becoming more frequent and severe, and no organization can ever be completely immune to a crisis. A business continuity plan is essential and starts with IT support. IT teams are often under immense pressure to deliver results, but with limited resources. Organizations need to understand that strong security measures are only part of the puzzle and that it is equally important to invest in a modern IT infrastructure that allows a plan to bounce back quickly after an incident.
About the authors
Renato Fazzone is Senior Managing Director at FTI Consulting and has worked exclusively in technology since the early 2000s.
David Dunn is Senior Managing Director and Head of Cybersecurity EMEA at FTI Consulting. He is an expert in data privacy and cybersecurity resilience, prevention, response, remediation and recovery.