Can your business function without IT? IT is the nervous system of modern business, moving data up and down the backbone of every concern of any size. From enterprise resource planning (ERP) to payroll to word processing and spreadsheets, computing is ubiquitous and second nature to the workforce. As part of a network, backed up to remote servers, or operating in the cloud, IT is pervasive and necessary to the successful function of commerce worldwide. IT has become entrenched in the business universe because it increases productivity and reduces costs while enabling worker collaboration, sales support, automation, and more.

And yet, for decades now, cyber operations have been vulnerable. Originally a moth was enough to gum up the works, but software bugs have existed from the first written program. Viruses have been with us since the early days of ARPANET. For years, data has been protected through backups and encryption, and, with the prevalence of networks and the internet, firewalls and intrusion detection systems.

Cyberattacks often end badly

This sort of protection is necessary because cyberattacks often end badly. According to the Cyber Readiness report by the British insurer Hiscox, nearly half of all companies reported a cyberattack last year, with one in five saying those attacks threatened their solvency. Sixty percent of small businesses won’t survive one. A network that can be managed remotely can be accessed by bad actors.

Threats don’t even need to be the result of evil intent. Many are, from last year’s Colonial Pipeline ransomware hack to the automation software provider Kaseya. Most recently, a Russian denial-of-service attack hit 13 US airports. But there are hackers who are hobbyists, too, who can cause trouble without intending to. If they can get in, so can someone else. What a hobby hacker might find could also have been found by a bad actor; IBM famously discovered that it can be 206 days before a security breach is found on an organization’s servers.

Your employees can be a cause, too. They may not be using the system properly, or have more access than they should have and cause problems accidentally. “You’ve got mail” might as well be subtitled “you’ve got malware.” Employees can be trained to avoid the obvious issues, such as easy-to-hack passwords, but that isn’t enough. The pandemic put more workers at home with access to company systems from home networks that are often less secure — as is any environment where workers can bring their own devices.

A cybersecurity violation may be unavoidable even with constant attention and staying abreast of the latest news. The ability to handle these problems quickly is not certain, and they are many. Downtime can affect every system or department that relies on company computers, servers, and networks. Operations can grind to a halt without the ability to control production, which can incur costs from missed delivery dates to the expense of solving the cybersecurity problem and the overtime for catching up. Compromised data — identity theft, corporate secrets, and more — can be the heaviest burden of all. Any of these can metastasize from the original small problem.

Business continuity to the rescue

With the stakes so high should cybersecurity be violated, planning for business continuity and disaster recovery is necessary. Updates should be kept abreast of, security software used, and a reliable backup plan implemented. Most operations are already doing this.

Business continuity (BC) is the process of keeping the company going after a disruptive event. Cyberattacks are definitely disruptive. Disaster recovery (DR) planning identifies and delineates the steps to take to overcome a disruptive event. Undertaking a BC/DR plan should be a high priority for any company with any reliability on digital technology at all.

Business impact analysis

The process should begin with a business impact analysis (BIA). Companies can do a BIA for their entire organization, but it would make sense for a CTO or IT manager to conduct one strictly for IT. Nonetheless, it will involve every department in the company that works with a computer. That’s because how they function will affect the plan — and might also reveal worrisome unanticipated practices.

The BIA should identify all systems and functions. Any computer or node is a risk, even the digital camera that uploads photographs for employee ID badges. When you’ve inventoried everything, build a plan for securing those devices, networks, and systems in the event of an attack. Organizing the plan into a checklist will make it easy to follow when disaster strikes — whether ransomware or a denial-of-service attack. Test the plans with a tabletop exercise with a third-party facilitator; have representatives from each department walk through the recovery process and who does what. This will find flaws and omissions in the plan that can be reworked and retested. It’s finished when every department signs off, but don’t stop there. Repeat the process often; it’s the shampoo that will keep the business running as safely as possible and bounce back from anything anticipated.

BC In The Cloud

Infinite Blue’s BC in the Cloud handles this. It provides an easy-to-learn-and-use relational database that users can plug most of their assets and concerns into right out of the box. It’s customizable, letting a CTO or IT manager (or a marketing manager) enter data, assess the risk of each item, and access the latest data from a desk or half a world away. It scales, too, so a division can use it or an entire global enterprise.

Ignore BC/DR for IT, and the bad things discussed above can and will happen. In fact, they’ll be worse. Don’t overlook the slightest possibility. An employee’s personal Google password compromised Cisco! With the entire company at jeopardy, half-hearted solutions must be avoided. A systematic plan will provide the resilience necessary to withstand intrusions and errors, and a commitment to implementation and revision will keep that plan fresh. Any company with a BC/DR plan should be working toward its next revision; any company without a BC/DR plan should start now.