What is a business continuity plan?

Although Business Continuity Plans should be specially tailored (in consultation with your cybersecurity partner) to your organization's needs and abilities, most IT BCPs should include the following 3 sections:

Disaster Recovery: This will focus on recovering any IT resources and infrastructure that may have been compromised. Unlike natural disasters, cyberattacks are not constrained by geography, offering the attackers a distributed attack surface. DR for cyber breaches should prepare for targeted simultaneous outages.

Business Impact Analysis: Not all breaches are created equal. A good BIA will account for interdependencies to ensure that resources are being deployed effectively and efficiently. While disaster recovery is usually focused on IT, BIA is more general and applies to all aspects of your business. For instance, your BIA should include an alternative work location, while DR will detail how to pull backups from storage in the event that something goes south.

Cyber Incident Response Plan: This will include a forensics unit composed of IT personnel (dedicated to tracking down and patching the breach), a regulatory unit of legal analysts (to identify and remediate compliance gaps), and a public relations team (to communicate with customers, the media and shareholders).

Why is a business continuity plan important?

The actions taken in the first few hours following a breach will continue to have large ramifications throughout the remainder of the recovery, for better or for worse. It is therefore critical to have an up-to-date and comprehensive BCP in place early on.

While the average data breach costs close to $4 million, Ponemon's latest Cost of a Data Breach Study estimates that having a Business Continuity Plan will save you $365,000 on average. On a per-file basis, the savings comes down to about $15 per compromised file. Simply put, investing in a high quality BCP today is one of the best investments you can make for tomorrow.

In addition, depending on your industry, creating a BCP may be mandated by existing regulations. For example, in the medical industry, HIPAA requires organizations to plan for data backup, disaster recovery, contingency operations, among others. FINRA requires the same for financial institutions.

Accordingly, business continuity planning is not only recommended, but can also shield your organization from liability in the event of a compromising incident.

If you would like help developing your Business Continuity Plan, come and talk to us. Don't wait until you've been breached.