Business continuity and information security

Business continuity and recovery plans are essential for every company. They enable a company to continue operating in exceptional or unfavorable circumstances when one of its core business processes is compromised.

A current example of a surprising and acute issue affecting business continuity is Covid-19. The epidemic has increased risks for companies in every industry, for example regarding the availability of labour. If the number of infections continues to increase in Finland, more and more people will be on sick leave or in quarantine set by the authorities, in which case they will not be able to enter the workplace either. As this risk increases, it is a good idea to remind companies of business continuity management and of their ability to operate in adverse or exceptional circumstances.

In acute situations caused by epidemics, every company should ensure that its remote work solutions work and that staff are able to work remotely whenever possible. Today, a good starting point is that work should be possible from anywhere unless there are clear obstacles to it, such as mandatory employee attendance, safety issues or equipment physically located at certain premises. The same emphasis on remote work should also be extended to workers during the flu season whenever reasonably possible.

On a larger scale, every company should have a business continuity plan. This means that the company has planned how it will cope with situations where one of its core business processes has been disrupted in one way or another. This can mean, for example, a significant shortage of staff, downtime of critical systems, or a fire at a critical site. For these identified exceptional circumstances, a recovery plan should also be created that describes how the company seeks to return to normal with the least possible losses. Of course, in some situations, such as various epidemics, recovery does not depend on the company alone. In the example situation, the company’s ability to carry out a minimum set of functions should be verified so that the core business processes continue to operate, even if they do not operate as efficiently. The business continuity plan, in turn, generates recovery plans for different systems and resources according to their criticality. These enable the organization to recover from adverse conditions as effectively as possible.

The importance of information security in business continuity

It is also good to plan business continuity with security in mind. Alternative processes used during emergencies should not expose the organization to new threats. For example, it should be ensured that the remote work opportunities offered to employees are sufficiently secure. This in turn means technical solutions, such as the possible introduction of a VPN if the necessary systems are in the organization’s intranet or if employees are to be provided with a secure gateway to the public Internet via the organization’s network. In addition, employees must be instructed, for example, on the safe use of work equipment outside the organization’s own premises and on what the potential threats are. Similar issues need to be considered for other emergencies if alternative procedures are used during them.

In connection with the use of cloud services, in addition to the recovery plan, procedures must be planned that can be used if a service critical to the company is not available. The challenge with these services is that availability is not always up to the company itself, as the service provider might be a multinational cloud service provider. In that case, one should consider how the cloud service can be replaced temporarily or completely. The replacement can be, for example, an alternative application or even a manual process. Companies should always remember that, although the maintenance and management of cloud services are often outsourced to the cloud service provider, the potential risks of, for example, downtime or hacking are borne by the company using the service. For this reason, alternative approaches should be considered, as the company itself can rarely influence the management of the cloud service. If your company needs help planning a business continuity plan or making recovery plans, please contact us. We will be happy to help.
