Business continuity and information security

Business continuity and disaster recovery plans are necessities for every company. These strategies enable companies to operate in sudden or unfavorable circumstances, when some of the company’s core business activities are threatened.

A current example of a sudden and acute crisis that affects business continuity is the Covid-19 virus. The epidemic has increased risks for companies, for example to workforce availability, regardless of the company’s industry. If the number of infections keeps rising in Finland, there will also be more people on sick leave or in quarantine ordered by government officials, which means that employees can’t come to their workplace. As this risk increases, it’s good to remind companies about business continuity and what is needed in order to operate in unfavorable circumstances.

Companies should prepare for acute crises caused by an epidemic like the current one by making sure they have secure and functioning remote work conditions. These remote work conditions should be available for employees whenever needed. A good starting point is to enable remote work wherever possible, if the work tasks don’t present any barriers to it. Examples of such barriers could be the need for presence at work premises, security factors or technical equipment located at certain premises.

On a larger scale, every company should have a business continuity plan. This means that the company has planned how it will survive in circumstances where one or more of its core business processes are threatened in some way. This can, for example, mean a significant lack of available workforce, a critical system error or a fire in company premises, such as a factory or head office. Each of these recognized situations should have a disaster recovery plan, which describes how the company will try to recover and return to a normal situation with as small losses as possible. Of course, in some situations, for example in epidemics, recovery isn’t only in the hands of the company. In these situations, the company should secure its ability to keep the core business operations running, even if they aren’t running as effectively as possible. A business contingency plan in turn provides recovery plans for different systems and resources based on their criticality. With the help of these plans, an organization is able to recover from unfavorable circumstances as effectively as possible.

The importance of information security in business continuity

Information security should be taken into account in business continuity planning. Alternative processes used during a crisis shouldn’t create new threats to the organization. For example, the organization should make sure that remote working conditions are secure enough for employees to use and don’t create new threats for the organization. This in turn means, for example, technical solutions such as the deployment of a VPN. Along with this, employees need to be instructed on the safe use of work equipment outside the organization’s premises and on what types of threats exist in this kind of situation.

When planning the use of cloud services, an organization should plan the policies that can be used if a critical service is not available. The challenge with these services is that availability isn’t always in the hands of the organization, since the service provider is a global cloud service provider. For these situations, an organization should plan how the service can be replaced temporarily or completely. An example of this is an alternative application or even a manual process. Companies should always remember that even though the cloud service’s maintenance and control are outsourced to the service provider, the possible risks are carried by the company itself. For this reason, alternative policies should be planned, since the company can rarely influence the control of cloud services.

Does your organization need help with business continuity and information security?