During this difficult time, DGC provides you with coronavirus updates and resources here.
In the event of a cyberattack or a natural disaster, every second counts. Business owners and their employees have to be ready to react quickly and efficiently. Every organization should have disaster recovery and incident response plans so they can minimize risk. However, the vast majority of businesses do not have these plans in place.
In this episode of “Unique Perspectives – The DGC Podcast,” our guest is Brian Banda, CISSP. Brian discusses the importance of policy development for businesses.
You can listen to the episode by using the Soundcloud player above or click here.
We wanted to find out what’s true and what’s false about developing plans like these. Brian looks at some statements and separates fact from fiction.
Most business owners already have plans in place.
FALSE - “I would probably say about 25% of businesses already have something in place, but it’s probably more likely that 25% of them haven’t actually revisited their plans in a significant amount of time.”
Writing and maintaining plans requires commitment from the high-ranking members of the organization.
TRUE - “It does take a significant amount of time to go through this stuff. But it does have to start at the top. It’s usually assumed that you’ve got some sort of data protection in place, but the business owner is the one who really has to dictate which specific sets of information may be more critical to business operations than others.”
Focus on yourself before worrying about external factors like possible penalties.
TRUE - “A lot of people are focusing on what’s in the news and that’s pretty natural. They’re going to look at how they can comply with GDPR so they can avoid these kinds of penalties. What they’re failing to focus on is its plans for a disaster-type situation. Typically, companies will write some sort of plans early in the inception of their businesses, but they fail to go back and look at them. The kind of plans we’re talking about are going to be your business continuity, disaster recovery, incident response plans, written information security plans, those kinds of things.
Conducting a business impact analysis is a good first step for business owners who have nothing in place.
TRUE - “You’re not going to put the same level of protection on every single system. It’s just not going to make sense. You need to start with prioritizing what data you can’t live without and what systems can’t be down for what amount of time. What is your maximum tolerable down time? What is your recovery point objective? How far back are you willing to go in a case where you’ve lost a certain amount of data? What amount of time are you willing to dedicate to getting these systems back online? You are definitely going to start there, and it should come from the business owners themselves. They should be the driving force for helping you decide the priority order of these systems”
Having one plan that covers everything is best.
FALSE - “The reason why you wouldn’t want to have one overarching binder of information is because it becomes particularly hard to follow. We’re not looking to have a specific plan for every scenario. These need to be semi-flexible but it’s also going to be carried out by different teams. If we look at a handful of different plans, your cyber incident response plan is most likely to be headed by your information security officer but likely followed through with your technical staff. This is going to be your viruses, trojans, ransomware, anything mitigating some sort of cyberattack. Your business continuity plan, on the other hand, is more about what you’re going to do in a situation while you’re still recovering from a significant disruption. That’s more going to be where your employees are going to work if they can’t go to their regular facility. This is mostly going to be your office administrators or office managers determining those types of mediation plans. The last one, disaster recovery, that’s probably going to be again, the more technical side but this could be anything from a full-scale data center loss to just an individual system. This should be a little bit more flexible than a full-scale disruption and more about specific information system recovery. Essentially, you need to decide which ones are going to make sense for your business but also keep in mind that one is unlikely to get the job done.
DGC’s IT Risk Assurance & Advisory Team can help you put together a tailored plan to safeguard your organization from cyberattacks or natural disasters. For more information, contact a member of your DGC client service team or Nick DeLena, CISSP, CISA, CRISC at 781-937-5191 / email@example.com.
If you would like to get alerts and insights like this sent directly to your inbox, sign up here.