How Financial Organisations Can Maintain Business Continuity in the Face of Challenges

Published by Wanda Rich

Posted on July 20, 2022

By Mark Adams, Regional Sales Director, Northern Europe at Cohesity

Financial organisations take a great many calculated risks. They evaluate the positives and negatives and make decisions accordingly. However, not every eventuality can be controlled, even with planning and preparation. And during a period when downtime is unacceptable, business continuity is vital.

Setting up a business continuity framework and plan

It’s easy to put some risks aside as either ‘too unlikely’ or ‘simple to solve if it happens’, and one task that is easily put to one side is setting up and then managing a secure business continuity policy and framework. This covers a lot of ground, such as what to do if the phone lines go down, if the supply chain suddenly breaks, or if your IT network is subjected to an external cyberattack such as a ransomware threat.

Drawing up a plan for such eventualities involves almost no risk and will inevitably deliver a high reward. We only have to observe the continuing rise of ransomware, which, as Sophos acknowledged in its The State of Ransomware 2021 report, was responsible for 79% of its rapid response engagements in 2020/21.

It may be that some financial organisations don’t address the problem because they are already covered by cybersecurity solutions or see it as too arduous. But in reality, developing a business continuity framework or plan is a matter of working through a series of processes, gathering information, and making sure that you have covered all the bases. With a framework in place, the task is then one of regular revision and review.

When setting out a cyber-related business continuity plan, the first step is understanding what it should include, and that’s every single aspect of technology used within the business. A key part of the plan is an inventory of every element of your technology setup. Don’t just list items; make sure you know the suppliers, the service level agreements (SLAs), and any arrangements for alternative provision in the event of outages. If there are no arrangements for such provision, ask why not, and if you think such arrangements should exist, put them in place.

Make sure that all the contact information needed to invoke any special measures is recorded and can be accessed if the computer system goes down.

Be prepared for the possibility that the worst might still happen and ‘business as usual’ could be a few days away, or even longer. The plan should therefore include some practical measures for keeping going in this kind of situation.

Disaster Recovery

Inevitably for many businesses, a central pillar of getting up and running post-crisis will be recovering IT services and systems. So central to the business continuity plan should be a highly competent disaster recovery process.

You might need a specific incremental recovery system which brings critical systems and data on stream first, and ancillary ones later. You will certainly need assurances from your provider that disaster recovery can bring systems back online as fast as possible, and that any malware which can facilitate ransomware and other cyberattacks isn’t simply restored with everything else.

CIOs and others responsible for business continuity planning face challenges because such plans are often only tested when they are required. By then, if there are faults, it is too late to put them right.

There are two ways to address this issue. The first is to set a rule that every time a new piece of technology is added, or any changes or upgrades take place, the business continuity plan is revisited so that both internal procedures and any SLA commitments can be checked. In addition, regular complete reviews should be built into the board’s general review schedule.

The second way of ensuring a business continuity plan is fit for purpose is to do dry runs. Paper exercises are one thing, but trying a plan out for real is something else. Once the business completes a test, it should review how it went and update the plan accordingly. It’s likely that some parts of the plan will go well but other actions will require more work. A regular schedule for testing is useful, especially if the organisation changes its operations, vendors and staff frequently.

A solid business continuity plan can help your organisation continue with business as usual in the face of challenges, and feel confident that the challenges will be dealt with in the shortest time possible.