NIS2 - is your company ready? Ensuring business continuity

Is ensuring business continuity truly a problem?

Consider this scenario: What happens if the property where you provide your services becomes unavailable (at this level, we are not analyzing the reasons), you lose a key supplier, or you lose access to electricity or water, etc.?

… „in turbulent times, the first task of management is to make sure of the institution’s capacity for survival, to make sure of its structural strength and resilience, of its capacity to survive a blow”. („Management in Turbulent Times”, Peter Drucker, London)

The COVID-19 pandemic, the 2021 data center fire in Strasbourg, or the recent global operating system outage caused by an antivirus software update are all excellent lessons for organizations not to trust that stable growth conditions are guaranteed once and for all. These are well-known events that impacted thousands of business entities. Negative events on a smaller scale occur much more frequently. Although they may not echo as loudly, it does not mean they have no impact on the operations of the organizations they affect. The pandemic demonstrated that such critical situations can happen unexpectedly; consequently, organizations should be prepared for an almost immediate and total change in their mode of operation. This also applies to the way data is processed. By not having a tested Business Continuity Plan (BCP) for conditions alternative to the standard ones, we risk exposing the data processed within the organization to compromise, which in turn can generate further “costs” in the form of financial penalties and reputational collapse. A seemingly unlikely stroke of fate can harm an organization, but it can also affect stakeholders to an immense degree.

NIS2 and the National Cybersecurity System (KSC) on business continuity

The NIS2 Directive, as well as the amendment to the KSC Act being implemented in Poland on October 17, require that organizations within their scope implement an Information Security Management System (ISMS) and a Business Continuity Management System (BCMS) based on European standards (though other standards can also serve as guidance). And while there are rumors in the corridors about moving away from strictly specifying that documentation must be prepared according to PN-EN ISO 27001, complying with the provisions of these standards will nonetheless bring many benefits to organizations in the areas of information security and business continuity.

Furthermore, the already well-known GDPR requires ensuring:

  • the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

There are also other specific regulations that oblige entities to ensure business continuity, such as: the Crisis Management Act, Banking Law, Telecommunications Law, and Energy Law.

Much is said today about IT security or cyber hygiene. In the rush to build layered security based on antivirus software, UTM/NG firewalls, backup software, SIEM/SOAR software for log analysis and incident response, and all kinds of physical or personnel security (such as training), we frequently find that even the best of the safeguards mentioned above are not enough on their own. These safeguards are highly desirable; however, building a fully secure, layered environment also requires ensuring the continued functioning of these very safeguards and of the services we provide.

Examples of business continuity safeguards include:

  • Personnel and their competencies regarding business continuity;
  • Backups, and testing the ability to restore them for accuracy and speed;
  • Testing the availability of resources and services;
  • Contractual SLA (Service Level Agreement) or OLA (Operating Level Agreement) provisions, specifying the restoration of service availability or guaranteeing resource availability within a specific time;
  • Compliance with Health and Safety principles;
  • Detection with early warning (IT/fire/flooding);
  • Redundant power and equipment;
  • Dual power lines;
  • Power generators;
  • Dual suppliers.

There are many more measures of this type, and their application depends on the results of a risk analysis based on the organization’s context and its stakeholders.

Returning to the question asked in the title of the article: Is ensuring business continuity a problem? The question should rather be: Can we afford to delay the solution to this problem indefinitely? An analysis of the costs an organization may incur due to penalties, loss of reputation, threats to its very existence, etc., leads to the conclusion that this should be a priority task for every organization.

In practice, however, ensuring business continuity in an organization is a problem that requires attention at every organizational level – from top management and executive staff to regular employees. Organizations that neglect or disregard this aspect expose themselves to serious operational and business risks, while those that care for the reliable assurance of business continuity gain a significant competitive advantage – a fact perfectly demonstrated by reality during the pandemic.
